'Skimer' Stealing Money, Card Data From ATMs Around Globe

Researchers have discovered a new version of a malware sample designed to steal card data and money directly from ATMs.

Skimer malware first surfaced in 2009 and was associated with a wave of attacks against ATMs worldwide between 2010 and 2013, and the malware since been modified a total of 49 times, with 37 of those modifications targeted at ATMs from one specific vendor, according to findings from Kaspersky Lab.

Kaspersky researchers stumbled upon this latest version of Skimer earlier this month while investigating a security incident where the malware appeared to have been planted on an ATM system and left inactive by the attackers presumably for later activation.

Skimer attacks typically begin with the operators of the malware first installing it on an ATM system either through direct physical access or by remotely by gaining access to the system via the bank’s internal network. Upon execution, the malware infects and takes over the core ATM component that is responsible for interacting with the bank’s infrastructure and for processing transactions that are initiated at the machine, the Kaspersky Lab report said.

“Only ATMs based on the Windows platform are vulnerable to this malware,” says Sergey Golovanov, principal security researcher at Kaspersky Lab. “The version of the Windows operating system is not important to the cybercriminal. What matters is the version of the XFS service - a technology that was created to standardize ATM software so that it can work on any equipment regardless of the manufacturer."

Golovanov declined to discuss further specifics of the targets or the malware, citing the ongoing investigation.

Once installed on a system, Skimer can be used to quietly harvest data including PIN codes and bank account details from the magnetic stripes of cards used at the infected ATM system. Or, the malware can be used to get the ATM to dispense cash in response to specific commands.

Skimer remains inactive on the system until specifically activated by the attacker. In order to do this, the threat actors have to insert what Kaspersky Lab described as a "magic card" containing a specific activation code and hardcoded instructions into the infected ATM.

After activation, the malware first authenticates the attacker via a session key and then waits for further instructions. Skimer is programmed to respond to 21 different commands that the attacker can enter using the ATM’s keypad and the malware’s user interface.

The commands that the attacker can issue to Skimer on an infected ATM include those that cause it to dispense money or to collect data from inserted cards, or to update or self-delete itself. The malware is designed to save stolen files and data dumps either on the card that was used to activate it, or to print the data out on ATM receipts.

Kaspersky Lab did not have any formal estimate on the number of ATM systems that may have been compromised via the malware. But virus samples submitted to the VirusTotal scanning service shows that over the past two years, Skimer samples have been installed in ATMs in at least ten geographies around the world including the US, France, Russia, Spain, Germany, and the United Arab Emirates.

“From what we know currently, it looks like Skimer is capable of attacking a lot of ATMs around the world,” Golovanov says.

News about the new version of Skimer comes amid signs that attacks against ATMs are growing worldwide. In a report last month, security vendor Trend Micro noted a general increase in the availability of malware toolkits for attacking ATMs. The growing interest in ATMs is being driven by the continuing use of outdated operating systems, such as Windows XP, in many of them, according to the report.

“Another significant factor is the ATM vendors’ decision to employ middleware that provide Application Programming Interfaces (APIs) to communicate with the machine’s peripheral devices,” including the PIN pad and cash register, Trend Micro said. “In simple terms, if we think of a modern ATM as a MS Windows PC with a money box attached to it that’s controlled through software, it is easy to see how it becomes an attractive target for any malware writer.”

Related Stories: