Menu
Stealthy malware Skimer helps hackers easily steal cash from ATMs

Stealthy malware Skimer helps hackers easily steal cash from ATMs

The malware can record the details of payment cards inserted into ATMs and can force them to dispense cash

Security researchers have found a new version of a malware program called Skimer that's designed to infect Windows-based ATMs and can be used to steal money and payment card details.

Skimer was initially discovered seven years ago, but it is still actively used by cybercriminals and has evolved over time. The latest modification, found by researchers from Kaspersky Lab at the beginning of May, uses new techniques to evade detection.

Upon installation, the malware checks if the file system is FAT32 or NTFS. If it's FAT32 it drops a malicious executable file in the C:\Windows\System32 directory, but if it's NTFS, it will write the file in the NTFS data stream corresponding to Microsoft's Extension for Financial Services (XFS) service.

This technique is most likely intended to make forensic analysis more difficult, the Kaspersky researchers said in a blog post.

The XFS service is only present on ATMs and provides a special API (application programming interface) that enables software to communicate with an ATM’s PIN pad. Microsoft doesn't provide any public documentation for this service, but cybercriminals might have found the necessary information to interact with it in a programmer’s reference manual from ATM manufacturer NCR that was leaked on a Chinese ebook site a few years ago.

The new Skimer version modifies the legitimate XFS executable SpiService.exe found on the ATM in order to load its own malicious component, called netmgr.dll. This allows the malware to interact with the PIN pad and card reader.

Skimer will only wake up when a payment card with special data written on its magnetic stripe is inserted into the ATM. Depending on the card's Track 2 data, the malware will either open its interface on the ATM screen, which requires authentication, or will automatically execute commands contained in the data.

After the attacker authenticates he can issue commands through the interface to dispense banknotes from the ATM's internal cassettes, to start collecting the details of cards inserted in the ATM, to update the malware or to uninstall it.

"One important detail to note about this case is the hardcoded information in the Track2 -- the malware waits for this to be inserted into the ATM in order to activate," the Kaspersky researchers said. "Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware."

Skimer is just one of several malware programs designed to infect ATMs that were discovered in recent years, suggesting that this method of attack is becoming increasingly popular among cybercriminals.

The way in which malware programs have been installed on ATMs in the past has varied. In some cases it was installed by insiders. In others it was installed by booting from a CD drive after opening the ATM's front case using special keys.

Attackers can also compromise ATMs if they're connected to the bank's internal network or by using stolen remote support credentials.

The Kaspersky researchers recommend regular antivirus scans, the use of whitelisting technologies, good device management policies, full disk encryption, securing the ATM BIOS with a password and only allowing HDD booting and isolating the ATMs from other internal bank networks.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments