Menu
Stealthy malware Skimer helps hackers easily steal cash from ATMs

Stealthy malware Skimer helps hackers easily steal cash from ATMs

The malware can record the details of payment cards inserted into ATMs and can force them to dispense cash

Security researchers have found a new version of a malware program called Skimer that's designed to infect Windows-based ATMs and can be used to steal money and payment card details.

Skimer was initially discovered seven years ago, but it is still actively used by cybercriminals and has evolved over time. The latest modification, found by researchers from Kaspersky Lab at the beginning of May, uses new techniques to evade detection.

Upon installation, the malware checks if the file system is FAT32 or NTFS. If it's FAT32 it drops a malicious executable file in the C:\Windows\System32 directory, but if it's NTFS, it will write the file in the NTFS data stream corresponding to Microsoft's Extension for Financial Services (XFS) service.

This technique is most likely intended to make forensic analysis more difficult, the Kaspersky researchers said in a blog post.

The XFS service is only present on ATMs and provides a special API (application programming interface) that enables software to communicate with an ATM’s PIN pad. Microsoft doesn't provide any public documentation for this service, but cybercriminals might have found the necessary information to interact with it in a programmer’s reference manual from ATM manufacturer NCR that was leaked on a Chinese ebook site a few years ago.

The new Skimer version modifies the legitimate XFS executable SpiService.exe found on the ATM in order to load its own malicious component, called netmgr.dll. This allows the malware to interact with the PIN pad and card reader.

Skimer will only wake up when a payment card with special data written on its magnetic stripe is inserted into the ATM. Depending on the card's Track 2 data, the malware will either open its interface on the ATM screen, which requires authentication, or will automatically execute commands contained in the data.

After the attacker authenticates he can issue commands through the interface to dispense banknotes from the ATM's internal cassettes, to start collecting the details of cards inserted in the ATM, to update the malware or to uninstall it.

"One important detail to note about this case is the hardcoded information in the Track2 -- the malware waits for this to be inserted into the ATM in order to activate," the Kaspersky researchers said. "Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware."

Skimer is just one of several malware programs designed to infect ATMs that were discovered in recent years, suggesting that this method of attack is becoming increasingly popular among cybercriminals.

The way in which malware programs have been installed on ATMs in the past has varied. In some cases it was installed by insiders. In others it was installed by booting from a CD drive after opening the ATM's front case using special keys.

Attackers can also compromise ATMs if they're connected to the bank's internal network or by using stolen remote support credentials.

The Kaspersky researchers recommend regular antivirus scans, the use of whitelisting technologies, good device management policies, full disk encryption, securing the ATM BIOS with a password and only allowing HDD booting and isolating the ATMs from other internal bank networks.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments