If you are aware of what ATM skimmers are — and in if you’re not, you should read this post first — you probably know how to act in order to keep your bank card safe. You need to watch for any suspicious attachments to an ATM and avoid using machines that look fishy. But what if there’s no attachments at all, what if the skimmer is completely invisible?
Is that even possible?
I’m afraid, the answer is yes. In fact, that is exactly the case with ATM Infector cybercriminal group discovered by our Global Research and Analysis Team (GReAT) together with our Penetration Testing Team. Members of this Russian-speaking cyber gang are able to turn an ATM itself into a skimmer.
It looks like even cybercriminals love the idea of sharing economy: why attach additional skimmer devices to the ATM if all the hardware they need is already there? All they have to do is infect an ATM with special malware called Skimer and then they can use ATM’s own card reader and pin pad to steal all necessary bank card credentials.
— Eugene Kaspersky (@e_kaspersky) January 22, 2015
And that’s not it when it comes to sharing; if they have infected an ATM, they can go one step further and control not only the pin pad and card reader devices, but also the cash dispenser. So not only they can steal cards credentials, but they also can send a command to spit out all the money ATM has inside its cash deposit unit.
Criminals behind this cyber campaign are hiding their tracks very carefully. In fact, that’s why they use these double tactics. While they surely could cash out at any moment by ordering all the ATMs they have infected to eject money, it would definitely raise suspicion and probably lead to large investigation. That’s why they prefer to keep malware in the ATM unnoticed and silently collect skimmed card data, leaving the second option — instant cash out — for the future.
How the culprits behind ATM Infector operate
As we told you in a recent blog post, while ATMs protection looks very impressive from the physical point of view, many of these armored machines are more vulnerable in cyberspace. In this particular case criminals infect ATMs either through physical access or via the bank’s internal network.
After installing itself into the system, Skimer malware infects the very computerized core of an ATM, giving criminals full control over the infected ATMs and turning them into skimmers. After that the malware is lying low until criminals decide to use the infected teller machine.
— Kaspersky (@kaspersky) February 17, 2016
To wake up the malware in an ATM, the culprit inserts a specially crafted card with certain records on its magnetic strip. After reading the records, Skimer malware can either execute the hardcoded command or answer commands through a special menu activated by the card.
If the criminal ejects the card and in less than 60 seconds inputs the right session key using the pin pad, the Skimer’s graphic interface appears on the display. With the help of this menu, the criminal can activate 21 different commands, including:
- dispensing money (40 bills from the specified cassette);
- collecting the details of inserted cards;
- updating (from the updated malware code embedded on the card’s chip);
- saving the file with cards and PINs data on the chip of the same card;
- or printing the card details it has collected onto the ATM’s receipts.
How to protect
In their blogpost on Securelist, our experts provide recommendations for banks what files they should be searching for in their systems. The full report on the ATM Infector campaign has previously been shared with a closed audience consisting of law enforcement agencies, CERTs, financial institutions and Kaspersky Lab threat intelligence customers.
As for common folk like you and me things are pretty much scary with ATM Infector: there is no way one can define if ATM is infected or not without scanning its computer stuffing, since on the surface it looks and operates completely normally.
Banks usually consider PIN input as a proof that either the transaction was carried out by the owner of the card or the owner himself is responsible for the fact the PIN was compromised. It would be hard to argue bank’s decision and it’s very likely they will never give your money back.
— Kaspersky (@kaspersky) January 30, 2015
All in all, you can’t secure your card 100% from an ATM Infector, but still you have a couple of tips that will help you keep at least the major part of your money.
1. Despite the fact you can’t identify infected ATMs, you can minimize the risk by using less suspiciously located machines. The best option is to use ATMs in bank’s offices — it’s more difficult for culprits to infect them and they are probably being inspected by bank’s tech team more frequently.
2. Check all the card charges constantly. The best way to do it is to use SMS notifications: if your bank offers such service, using it is a must.
3. If you see a transaction you’ve never made — call your bank immediately and block the compromised card. Really, do this IMMEDIATELY. The faster you react, the more likely you will save at least a good part of your money.