2009 ATM malware ‘Skimer’ discovered again

Old-school ATM malware returns seven years later, more advanced than ever

Tags: Cyber crimeKaspersky Lab
  • E-Mail
2009 ATM malware ‘Skimer’ discovered again Skimer malware was first used by Russian cybercriminals who were able to turn ATMs into skimming devices
By  Aasha Bodhani Published  May 18, 2016

First discovered in 2009, Skimer malware was the first malicious program used to attack ATMs, now seven years later, it's come back with a vengeance.

Security experts from Kaspersky Lab have discovered traces of an evolved version of the Skimer malware, which has the potential to be an advanced threat to banks and customers worldwide, compared to 2009. Kaspersky Lab's researchers added that it was planted there and left inactivated until the cybercriminal plans to send it a command, this enables the criminals to hide their tracks.

The malware was first used by Russian cybercriminals who were able to turn ATMs into skimming devices. This works by the criminals gaining access physically or via the bank's internal network, they then install the Backdoor.Win32.Skimer malware which infects the core of the ATM, enabling the criminals to withdraw cash in the machine or steal person data, such as bank account numbers and PIN codes.

This type of process means criminals can tread carefully, instead of exposing themselves immediately with cash withdrawals, the malware can stay in the ATM for months and skim data from cards instead.  

Kaspersky Lab reveals how criminals can retrieve card data:

"In order to wake it up, criminals to insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command, or request commands through a special menu activated by the card.

"The Skimer's graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.

"With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card's chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM's receipts."

In the majority of cases, adds Kaspersky, criminals choose to wait and collect the data of skimmed cards in order to create counterfeits to make withdrawals from non-infected ATMs.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code