Crooks can steal money from ATMs using special credit cards. Skimer, a malware family targeting ATMs, has received a major update in the past few months, and security researchers from Kaspersky are reporting new attacks spotted in the wild.
The malware was discovered in 2009, but the criminal group behind it has continued to work on its code and used it in live attacks as recently as May 2016.
In its most recent versions, Skimer continues to target only Windows-based ATMs. During installation, the malware checks whether the ATM's file system is FAT32 or NTFS so that it installs itself correctly.
Skimer works via special “credit cards” and codes
If it's FAT32, the malware installs itself in "C:\Windows\System32", but if the system is NTFS, Skimer drops itself into an NTFS data stream of the local ATM XFS service executable file.
By lodging itself in the XFS service's data stream, the malware can observe ATM-specific operations, since the XFS service was developed specifically for ATM devices. The malware also loads netmgr.dll, which it uses to power its malicious behavior.
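Because the NTFS variant hides in an alternate data stream (ADS) of the XFS service executable, a defender can hunt for unexpected streams on ATM executables. The following PowerShell check is an added example, not code from the Kaspersky report; the directory it scans is an assumed placeholder, and the XFS executable's name is not given here, so it lists every executable that carries a non-default stream.

```powershell
# Added example (not from the Kaspersky report): list alternate data streams on
# executables under a directory, since Skimer on NTFS hides in an ADS of the
# XFS service executable. The root path is a placeholder assumption.
param([string]$Root = 'C:\Windows\System32')

# ':$DATA' is the file's normal content; any other stream name is an ADS.
# 'Zone.Identifier' is a common benign ADS written when a file is downloaded,
# so entries should be compared against a known-good baseline of the ATM image.
Get-ChildItem -Path $Root -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize
```

Any executable reported with a stream other than `Zone.Identifier` on an ATM image that should not have one deserves forensic review rather than deletion, so the stream contents can be preserved as evidence.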
Crooks need special cards to interact with Skimer, with special access codes encrypted on their magnetic strip. These cards allow the criminals to pass a few commands to the malware by entering codes on the PIN pad.
The command codes range from instructions to dispense money to showing installation details, and from updating the malware to self-deleting. Another command can print card details collected from other people who used the ATM.
Additionally, crooks can embed commands in the card's magnetic strip and automate operations just by inserting the card into an ATM.
Banks can do little to stop attacks, but they can try
“Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware,” Kaspersky experts wrote today.
Kaspersky says that banks should scan their ATMs with powerful antivirus engines, protect the ATMs' BIOS with a password, and isolate ATMs on their own network, away from other sources of contamination.