Stealthy malware Skimer helps hackers easily steal cash from ATMs

The malware can record the details of payment cards inserted into ATMs and can force them to dispense cash

Security researchers have found a new version of a malware program called Skimer that's designed to infect Windows-based ATMs and can be used to steal money and payment card details.

Skimer was initially discovered seven years ago, but it is still actively used by cybercriminals and has evolved over time. The latest modification, found by researchers from Kaspersky Lab at the beginning of May, uses new techniques to evade detection.

Upon installation, the malware checks if the file system is FAT32 or NTFS. If it's FAT32 it drops a malicious executable file in the C:\Windows\System32 directory, but if it's NTFS, it will write the file in the NTFS data stream corresponding to Microsoft's Extension for Financial Services (XFS) service.

This technique is most likely intended to make forensic analysis more difficult, the Kaspersky researchers said in a blog post.

The XFS service is only present on ATMs and provides a special API (application programming interface) that enables software to communicate with an ATM’s PIN pad. Microsoft doesn't provide any public documentation for this service, but cybercriminals might have found the necessary information to interact with it in a programmer’s reference manual from ATM manufacturer NCR that was leaked on a Chinese ebook site a few years ago.

The new Skimer version modifies the legitimate XFS executable SpiService.exe found on the ATM in order to load its own malicious component, called netmgr.dll. This allows the malware to interact with the PIN pad and card reader.

Skimer will only wake up when a payment card with special data written on its magnetic stripe is inserted into the ATM. Depending on the card's Track 2 data, the malware will either open its interface on the ATM screen, which requires authentication, or will automatically execute commands contained in the data.

After the attacker authenticates he can issue commands through the interface to dispense banknotes from the ATM's internal cassettes, to start collecting the details of cards inserted in the ATM, to update the malware or to uninstall it.

"One important detail to note about this case is the hardcoded information in the Track2 -- the malware waits for this to be inserted into the ATM in order to activate," the Kaspersky researchers said. "Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware."

Skimer is just one of several malware programs designed to infect ATMs that were discovered in recent years, suggesting that this method of attack is becoming increasingly popular among cybercriminals.

The way in which malware programs have been installed on ATMs in the past has varied. In some cases it was installed by insiders. In others it was installed by booting from a CD drive after opening the ATM's front case using special keys.

Attackers can also compromise ATMs if they're connected to the bank's internal network or by using stolen remote support credentials.

The Kaspersky researchers recommend regular antivirus scans, the use of whitelisting technologies, good device management policies, full disk encryption, securing the ATM BIOS with a password and only allowing HDD booting and isolating the ATMs from other internal bank networks.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?