Stealthy malware Skimer helps hackers easily steal cash from ATMs

The malware can record the details of payment cards inserted into ATMs and can force them to dispense cash

Security researchers have found a new version of a malware program called Skimer that's designed to infect Windows-based ATMs and can be used to steal money and payment card details.

Skimer was initially discovered seven years ago, but it is still actively used by cybercriminals and has evolved over time. The latest modification, found by researchers from Kaspersky Lab at the beginning of May, uses new techniques to evade detection.

Upon installation, the malware checks if the file system is FAT32 or NTFS. If it's FAT32 it drops a malicious executable file in the C:\Windows\System32 directory, but if it's NTFS, it will write the file in the NTFS data stream corresponding to Microsoft's Extension for Financial Services (XFS) service.

This technique is most likely intended to make forensic analysis more difficult, the Kaspersky researchers said in a blog post.

The XFS service is only present on ATMs and provides a special API (application programming interface) that enables software to communicate with an ATM’s PIN pad. Microsoft doesn't provide any public documentation for this service, but cybercriminals might have found the necessary information to interact with it in a programmer’s reference manual from ATM manufacturer NCR that was leaked on a Chinese ebook site a few years ago.

The new Skimer version modifies the legitimate XFS executable SpiService.exe found on the ATM in order to load its own malicious component, called netmgr.dll. This allows the malware to interact with the PIN pad and card reader.

Skimer will only wake up when a payment card with special data written on its magnetic stripe is inserted into the ATM. Depending on the card's Track 2 data, the malware will either open its interface on the ATM screen, which requires authentication, or will automatically execute commands contained in the data.

After the attacker authenticates he can issue commands through the interface to dispense banknotes from the ATM's internal cassettes, to start collecting the details of cards inserted in the ATM, to update the malware or to uninstall it.

"One important detail to note about this case is the hardcoded information in the Track2 -- the malware waits for this to be inserted into the ATM in order to activate," the Kaspersky researchers said. "Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware."

Skimer is just one of several malware programs designed to infect ATMs that were discovered in recent years, suggesting that this method of attack is becoming increasingly popular among cybercriminals.

The way in which malware programs have been installed on ATMs in the past has varied. In some cases it was installed by insiders. In others it was installed by booting from a CD drive after opening the ATM's front case using special keys.

Attackers can also compromise ATMs if they're connected to the bank's internal network or by using stolen remote support credentials.

The Kaspersky researchers recommend regular antivirus scans, the use of whitelisting technologies, good device management policies, full disk encryption, securing the ATM BIOS with a password and only allowing HDD booting and isolating the ATMs from other internal bank networks.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?