In 2009, malware called “Skimer” surfaced and security firms took notice. Skimer gives attackers full control of a cash machine without installing any physical hardware, such as a card skimmer. According to a new investigation by Kaspersky Lab, the malware is not only still in use, but has also become more powerful.
Kaspersky discovered the latest version of Skimer this month while investigating a break-in at a bank. Although the bank itself found no evidence that it had been attacked, the security firm found that a new version of Skimer had been used, with improvements that make it harder to detect. This is worrying, because the Russian-origin malware makes it relatively easy for attackers to take complete control of a cash machine.
The attackers begin by installing a file detected as Backdoor.Win32.Skimer, a backdoor that lies dormant on the cash machine until the attacker activates it with a specific card. Kaspersky explains what happens next:
The Skimer’s graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the cash machine’s receipts.
Traditional skimmers are devices that intercept a transaction and log your card data in the process. At cash machines, they can record your card numbers and, with additional hardware such as hidden cameras or keypad overlays, capture your PIN as well. If you know where to look, you can often tell whether a cash machine has been tampered with, although the hardware has become increasingly sophisticated.
Skimer, on the other hand, is trickier. It can be installed either through physical access to the machine, like a traditional skimmer, or over the bank’s internal network. Kaspersky warns that cash machines infected with Skimer are hard to tell apart from clean ones, saying:
In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected cash machine and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected cash machines will not be discovered any time soon. And their access to cash is simple, and worryingly easy to manage.
Kaspersky recommends that banks run regular anti-virus scans, use application whitelisting, deploy full-disk encryption, password-protect the cash machine BIOS, and isolate the cash machine network from the bank’s other internal networks.
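Of the controls listed above, application whitelisting is the one that directly stops a dropped backdoor such as Skimer from executing. The following is an added example, not code from the article or from Kaspersky, showing how the whitelist could be built on a Windows-based cash machine with the built-in AppLocker cmdlets. The ATM software directory (C:\ATM\Bin) and the policy file path are assumptions for illustration.

```powershell
# Added example (not from the original article or Kaspersky): build an
# AppLocker allow-list from the binaries on a known-good ATM image, apply it,
# and then look for anything that tried to run outside the list.
# $AtmSoftwareDir and $PolicyFile are assumed paths for this illustration.

$AtmSoftwareDir = 'C:\ATM\Bin'               # assumed location of the vendor's ATM application
$PolicyFile     = 'C:\Temp\atm-allowlist.xml'

# 1. Enumerate every executable and DLL on the known-good image.
$files = Get-ChildItem -Path $AtmSoftwareDir, $env:SystemRoot, $env:ProgramFiles `
            -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue

# 2. Collect publisher (signature) and hash information for each file.
$info = $files | Get-AppLockerFileInformation

# 3. Generate rules: publisher rules for signed binaries, hash rules for the rest.
#    -Optimize merges rules that cover the same publisher; -Xml returns the policy as XML.
$policyXml = New-AppLockerPolicy -FileInformation $info `
                 -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$policyXml | Out-File -FilePath $PolicyFile -Encoding utf8

# 4. Apply the policy to the local machine. Test in audit mode first; switch the
#    EXE and DLL collections to enforce once the ATM application has been verified
#    to run cleanly. The Application Identity service must be running for
#    AppLocker to take effect.
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# 5. Review what AppLocker saw. Event 8003 = would have been blocked (audit mode),
#    event 8004 = blocked (enforce mode). An unlisted binary appearing here is
#    exactly the kind of dropped file the article describes.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Run this on a clean reference image, not on a machine that may already be infected, since any backdoor present at enumeration time would be whitelisted along with the legitimate software. Hash rules also have to be regenerated whenever the vendor ships an update, which is why publisher rules are preferred wherever the binaries are signed.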
Companies and users who want to protect against the malware can find out more information on Securelist.com.