10:20 AM
'Skimer' Stealing Money, Card Data From ATMs Around Globe

Windows-based ATMs are vulnerable to this new variant of ATM malware, Kaspersky Lab says.

Researchers have discovered a new version of a malware family designed to steal card data and money directly from ATMs.

Skimer malware first surfaced in 2009 and was associated with a wave of attacks against ATMs worldwide between 2010 and 2013. The malware has since been modified a total of 49 times, with 37 of those modifications targeted at ATMs from one specific vendor, according to findings from Kaspersky Lab.

Kaspersky researchers came across this latest version of Skimer earlier this month while investigating a security incident in which the malware appeared to have been planted on an ATM system and left inactive by the attackers, presumably for later activation.

Skimer attacks typically begin with the operators of the malware installing it on an ATM system, either through direct physical access or remotely by gaining access to the system via the bank’s internal network. Upon execution, the malware infects and takes over the core ATM component responsible for interacting with the bank’s infrastructure and for processing transactions initiated at the machine, the Kaspersky Lab report said.

“Only ATMs based on the Windows platform are vulnerable to this malware,” says Sergey Golovanov, principal security researcher at Kaspersky Lab. “The version of the Windows operating system is not important to the cybercriminal. What matters is the version of the XFS service - a technology that was created to standardize ATM software so that it can work on any equipment regardless of the manufacturer.”

Golovanov declined to discuss further specifics of the targets or the malware, citing the ongoing investigation.

Once installed on a system, Skimer can be used to quietly harvest data including PIN codes and bank account details from the magnetic stripes of cards used at the infected ATM system. Or, the malware can be used to get the ATM to dispense cash in response to specific commands.

Skimer remains inactive on the system until specifically activated by the attacker. In order to do this, the threat actors have to insert what Kaspersky Lab described as a "magic card" containing a specific activation code and hardcoded instructions into the infected ATM.

After activation, the malware first authenticates the attacker via a session key and then waits for further instructions. Skimer is programmed to respond to 21 different commands that the attacker can enter using the ATM’s keypad and the malware’s user interface.

The commands that the attacker can issue to Skimer on an infected ATM include ones that cause it to dispense money, collect data from inserted cards, update itself, or delete itself. The malware is designed either to save stolen files and data dumps on the card that was used to activate it or to print the data out on ATM receipts.

Kaspersky Lab did not have any formal estimate of the number of ATM systems that may have been compromised by the malware. But virus samples submitted to the VirusTotal scanning service show that over the past two years, Skimer samples have been installed in ATMs in at least ten geographies around the world, including the US, France, Russia, Spain, Germany, and the United Arab Emirates.

“From what we know currently, it looks like Skimer is capable of attacking a lot of ATMs around the world,” Golovanov says.

News about the new version of Skimer comes amid signs that attacks against ATMs are growing worldwide. In a report last month, security vendor Trend Micro noted a general increase in the availability of malware toolkits for attacking ATMs. The growing interest in ATMs is being driven by the continuing use of outdated operating systems, such as Windows XP, in many of them, according to the report.

“Another significant factor is the ATM vendors’ decision to employ middleware that provide Application Programming Interfaces (APIs) to communicate with the machine’s peripheral devices,” including the PIN pad and cash register, Trend Micro said. “In simple terms, if we think of a modern ATM as a MS Windows PC with a money box attached to it that’s controlled through software, it is easy to see how it becomes an attractive target for any malware writer.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
