Zombies are already present in your ATM networks: Kaspersky Lab report
By Digital News Asia May 23, 2016
- Rather than attaching a skimmer device, the crooks turn the ATM itself into one
- They can withdraw all the cash in the machine or grab the data from cards used at the ATM
THE Russian-speaking Skimer group has been getting ATMs (automated teller machines) to help them steal users’ money, according to Kaspersky Lab.
Discovered in 2009, Skimer was the first malicious programme to target ATMs. Seven years later, cybercriminals are reusing the malware but both the crooks and the programme have evolved, the company said in a statement.
This time, they pose an even more advanced threat to banks and their customers around the globe, it added.
The scenario begins simply: A bank discovers it has been attacked, but no money has been stolen, and nothing seems to have been modified in the bank’s system. The criminals have just left.
During an incident response investigation, Kaspersky Lab’s expert team discovered traces of an improved version of the Skimer malware on one of the bank’s ATMs. It had been planted there and left dormant until the criminals sent it a command.
The Skimer group starts its operations by getting access to the ATM system, either through physical access or via the bank’s internal network, Kaspersky Lab said.
Once Backdoor.Win32.Skimer has been installed, it infects the core of the ATM: the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and payment cards.
The criminals then have full control over the infected ATMs. But they tread carefully.
Instead of installing skimmer devices (a fraudulent lookalike card reader over the legitimate reader) to siphon card data, they turn the whole ATM into a skimmer.
With the ATM successfully infected with Backdoor.Win32.Skimer, criminals can withdraw all the funds in the ATM or grab the data from cards used at the ATM, including the customer’s bank account number and PIN (personal identification number) code.
There is no way for ordinary users to identify infected ATMs. They show no physical signs of tampering, unlike a skimmer device, which an alert user may notice sitting over the machine’s real card reader.
The Skimer group does not start acting immediately, and is very careful about hiding its tracks, according to Kaspersky Lab. The malware may sit on an infected ATM for several months without undertaking any activity.
In order to wake it up, criminals insert a particular card that carries certain records on its magnetic stripe. After reading the records, Skimer either executes a hardcoded command or requests commands through a special menu activated by the card.
Skimer’s graphical interface appears on the display only after the card is ejected, and only if the criminal enters the correct session key on the PIN pad into a special form within 60 seconds.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc.
Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.
In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies, they go to a different non-infected ATM and casually withdraw money from the customers’ accounts.
This way, criminals can ensure that the infected ATMs will not be discovered any time soon, while their access to cash remains simple and worryingly easy to manage.
Skimer was distributed extensively between 2010 and 2013, Kaspersky Lab said.
Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. This includes the Tyupkin family, discovered in March 2014, which became the most popular and widespread.
However, it now looks as if Backdoor.Win32.Skimer is back in action. Kaspersky Lab said it has identified 49 modifications of this malware, with 37 of them targeting ATMs made by just one of the major manufacturers.
The most recent version was discovered earlier this month.
The latest 20 samples of the Skimer family were uploaded from more than 10 countries around the globe: the United Arab Emirates, France, the United States, Russia, Macao, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.
To prevent this threat, Kaspersky Lab recommends undertaking regular AV (antivirus) scans, accompanied by the use of whitelisting technologies, a good device management policy, full disk encryption, protecting the ATM’s BIOS (basic input/output system) with a password, allowing only HDD (hard disk drive) booting and isolating the ATM network from any other internal bank network.
“There is one important additional countermeasure applicable in this particular case,” said Kaspersky Lab principal security researcher Sergey Golovanov.
“Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated. We have discovered the hardcoded numbers used by the malware, and share them freely with banks.
“After the banks have those numbers, they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules or block any attempt by attackers to activate the malware,” he added.
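The search Golovanov describes can be automated against host-side transaction records. The following is an added example written for this page, not Kaspersky Lab code: it parses a constructed CSV extract of ATM transactions, pulls the PAN out of each ISO 7813 track-2 string, matches it against a list of indicator card numbers, and counts hits per terminal so that the ATMs most likely to be infected (or the cards most likely to belong to money mules) surface first. The indicator numbers, the log format and the terminal IDs are placeholders; the real nine numbers are the ones Kaspersky Lab distributes to banks, and the page does not publish them.

```python
import csv
import io
from collections import Counter

# Hypothetical indicator PANs used only for this example. They are NOT the
# real Skimer activation values, which Kaspersky Lab shares with banks directly.
SKIMER_INDICATOR_PANS = frozenset({
    "9999000011112222",
    "9999000033334444",
})

# Constructed sample of a host-side ATM transaction extract (CSV). The track2
# column follows ISO 7813: PAN, '=', expiry YYMM, service code, discretionary data.
SAMPLE_LOG = """\
timestamp,terminal_id,track2
2016-05-01T09:12:03Z,ATM0001,4111111111111111=18121011234567890
2016-05-01T09:13:41Z,ATM0001,9999000011112222=49121010000000000
2016-05-01T09:14:02Z,ATM0002,5500000000000004=19061011111111111
2016-05-02T22:01:55Z,ATM0001,9999000011112222=49121010000000000
2016-05-03T03:45:10Z,ATM0007,9999000033334444=49121010000000000
"""


def pan_from_track2(track2: str) -> str:
    """Return the PAN from an ISO 7813 track-2 string (the digits before '=')."""
    pan = track2.split("=", 1)[0].strip()
    if not pan.isdigit():
        raise ValueError(f"malformed track 2 data: {track2!r}")
    return pan


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so reports stay PCI-friendly."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_log(text: str) -> list:
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_indicator_hits(records, indicators=SKIMER_INDICATOR_PANS) -> list:
    """Return one dict per record whose PAN matches an indicator card."""
    hits = []
    for rec in records:
        pan = pan_from_track2(rec["track2"])
        if pan in indicators:
            hits.append({
                "timestamp": rec["timestamp"],
                "terminal_id": rec["terminal_id"],
                "pan_masked": mask_pan(pan),
            })
    return hits


def suspect_terminals(hits) -> dict:
    """Map terminal_id -> number of indicator-card reads seen at that ATM."""
    return dict(Counter(h["terminal_id"] for h in hits))


if __name__ == "__main__":
    hits = find_indicator_hits(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h['timestamp']} {h['terminal_id']} {h['pan_masked']}")
    print("suspect terminals:", suspect_terminals(hits))
```

Because the activation card is read by the infected ATM before any normal transaction, a hit is worth investigating even if the host declined it; and since the same card may be used to wake up several machines, the per-terminal count doubles as a way to cluster ATMs that were visited by the same operator.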
More technical information can be found on this Securelist.com blog post.