ATM is a New Skimmer: Crooks Bring ATMs on Their Side

Criminal group returns with advanced threat to banks and consumers around the world

Woburn, MA – May 17, 2016 – Kaspersky Lab has today announced research about a Russian-speaking Skimer group that forces ATMs to assist them in stealing users’ money. Researchers discovered that instead of installing skimmer devices onto an ATM, they could turn the whole ATM into a skimmer itself. Discovered in 2009, Skimer was the first malicious program to target ATMs, and now, the cybercriminals have resurfaced, reusing the malware as an advanced threat to banks and their customers around the globe.

During an incident response investigation, Kaspersky Lab experts discovered traces of an improved version of a Skimer malware on a bank’s ATM. It had been planted there and left inactive until the cybercriminals decided to send it one of over 21 commands. Upon further investigation, Kaspersky Lab unveiled the latest attack method of the Skimer cybercriminal group.

The Skimer group begins its operations by getting access to the ATM system – either through physical access, or via the bank’s internal network. Then, after successfully installing Backdoor.Win32.Skimer into the system, it infects the core of an ATM, which is the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards. By doing this, they successfully turn the whole ATM into a skimmer. Allowing them to withdraw all the funds in the ATM or grab the data from cards used at the ATM, including customers’ bank account numbers and PIN codes.

Unlike in cases with a skimmer device, the Skimer malware is undetectable to the common ATM user since there is no physical sign of the ATM being tampered with.

With the Skimer malware, if the criminal group decides to make a direct money withdrawal from the ATM money cassettes, their criminal activity will be revealed instantly after the first encashment. Therefore, the Skimer criminals often do not act immediately, instead choosing to let the malware operate on the infected ATM, skimming data from cards for several months, without undertaking any activity.

When the cybercriminals decide to wake up the malware, they insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command, or request commands through a special menu activated by the card. The Skimer’s graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.

With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.

In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected ATM and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected ATMs will not be discovered and they can access cash easily and without risk.

Veteran Thief

Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. This includes the Tyupkin family, discovered in March 2014, which became the most popular and widespread. Kaspersky Lab now identifies 49 modifications of the Skimer malware, with 37 of these modifications targeting the ATMs by one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.

With the help of samples submitted to VirusTotal, Kaspersky Lab determined there is a wide geographical distribution of potentially infected ATMs. The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil, Czech Republic.

Technical Countermeasures

To prevent this threat, Kaspersky Lab recommends undertaking regular AV scans, accompanied by the use of whitelisting technologies, a good device management policy, full disk encryption, protecting ATM’s BIOS with a password, allowing only HDD booting and isolating the ATM network from any other internal bank network.

“There is one important additional countermeasure applicable in this particular case. Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated,” said Sergey Golovanov, principal security researcher at Kaspersky Lab. “We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware.”

Kaspersky Lab products detect this threat as Backdoor.Win32.Skimer. As this is still an ongoing investigation, the full report has been shared with a closed audience consisting of LEAs, CERTs, financial institutions and Kaspersky Lab threat intelligence service customers. To learn more about this threat and to obtain exclusive access to Kaspersky Lab's repository of all Intelligence Reports, please contact us at intelreports@kaspersky.com.

Read the blog post on the ATM Infector and a story about security issues of modern ATMs on Securelist.com

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.
Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact:
Sarah Kitsos
781.503.2615
sarah.kitsos@kaspersky.com