{"id":12121,"date":"2016-05-17T07:00:40","date_gmt":"2016-05-17T11:00:40","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=12121"},"modified":"2017-09-24T10:49:37","modified_gmt":"2017-09-24T14:49:37","slug":"invisible-skimmer-at-atm","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/invisible-skimmer-at-atm\/12121\/","title":{"rendered":"Invisible skimmers at the ATMs"},"content":{"rendered":"<p>If you are aware of what ATM skimmers are \u2014 and if you\u2019re not, <a href=\"https:\/\/www.kaspersky.com.au\/blog\/skimmers-part-one\/7223\/\" target=\"_blank\" rel=\"noopener\">you should read this post<\/a> first \u2014 you probably know how to act in order to keep your bank card safe. You need to watch for any suspicious attachments to an ATM and avoid using machines that look fishy. But what if there are no attachments at all? What if the skimmer is completely invisible?<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/05\/06022224\/atm-infector-fb.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/05\/06022224\/atm-infector-fb.png\" alt=\"Invisible skimmers at the ATMs\" width=\"1280\" height=\"1280\" class=\"aligncenter size-full wp-image-12122\"><\/a><\/p>\n<p><i>Is that even possible?<\/i><\/p>\n<p>I\u2019m afraid the answer is yes. In fact, that is exactly the case with the <a href=\"https:\/\/securelist.com\/blog\/research\/74772\/atm-infector\/\" target=\"_blank\" rel=\"noopener\">ATM Infector cybercriminal group<\/a>, discovered by our Global Research and Analysis Team (GReAT) together with our Penetration Testing Team. 
Members of this Russian-speaking cyber gang are able to turn an ATM itself into a skimmer.<\/p>\n<h3>Double jackpot<\/h3>\n<p>It looks like even cybercriminals love the idea of the sharing economy: why attach additional skimmer devices to the ATM if all the hardware they need is already there? All they have to do is infect an ATM with special malware called Skimer, and then they can use the ATM\u2019s own card reader and PIN pad to steal all the necessary bank card credentials.<\/p>\n<p>And that\u2019s not all when it comes to sharing: once they have infected an ATM, they can go one step further and control not only the PIN pad and card reader, but also the cash dispenser. So not only can they steal card credentials, but they can also send a command to spit out all the money the ATM has inside its cash deposit unit.<\/p>\n<p>The criminals behind this cyber campaign hide their tracks very carefully. In fact, that\u2019s why they use these double tactics. While they surely could cash out at any moment by ordering all the ATMs they have infected to eject money, it would definitely raise suspicion and probably lead to a large investigation. 
That\u2019s why they prefer to keep the malware in the ATM unnoticed and silently collect skimmed card data, leaving the second option \u2014 instant cash out \u2014 for the future.<\/p>\n<h3>How the culprits behind ATM Infector operate<\/h3>\n<p>As we told you in a <a href=\"https:\/\/www.kaspersky.com.au\/blog\/atm-jackpotting-explained\/11323\/\" target=\"_blank\" rel=\"noopener\">recent blog post<\/a>, while ATM protection looks very impressive from the physical point of view, many of these armored machines are more vulnerable in cyberspace. In this particular case, criminals infect ATMs either through physical access or via the bank\u2019s internal network.<\/p>\n<p>After installing itself into the system, Skimer malware infects the very computerized core of an ATM, giving criminals full control over the infected ATMs and turning them into skimmers. After that, the malware lies low until criminals decide to use the infected teller machine.<\/p>\n<p>To wake up the malware in an ATM, the 
culprit inserts a specially crafted card with certain records on its magnetic strip. After reading the records, Skimer malware can either execute the hardcoded command or respond to commands through a special menu activated by the card.<\/p>\n<p>If the criminal ejects the card and in less than 60 seconds inputs the right session key using the PIN pad, Skimer\u2019s graphical interface appears on the display. With the help of this menu, the criminal can activate 21 different commands, including:<\/p>\n<ul>\n<li>dispensing money (40 bills from the specified cassette);<\/li>\n<li>collecting the details of inserted cards;<\/li>\n<li>self-deleting;<\/li>\n<li>updating (from the updated malware code embedded on the card\u2019s chip);<\/li>\n<li>saving the file with card and PIN data on the chip of the same card;<\/li>\n<li>or printing the card details it has collected onto the ATM\u2019s receipts.<\/li>\n<\/ul>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/hOcFy02c7x0?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<h3>How to protect yourself<\/h3>\n<p>In their <a href=\"https:\/\/securelist.com\/blog\/research\/74772\/atm-infector\/\" target=\"_blank\" rel=\"noopener\">blog post on Securelist<\/a>, our experts give banks recommendations on which files they should be searching for in their systems. 
The full report on the ATM Infector campaign has previously been shared with a closed audience consisting of law enforcement agencies, CERTs, financial institutions and Kaspersky Lab threat intelligence customers.<\/p>\n<p>As for common folk like you and me, things are pretty scary with ATM Infector: there is no way to tell whether an ATM is infected without scanning its internal computer, since on the surface it looks and operates completely normally.<\/p>\n<p>Banks usually consider PIN input as proof that either the transaction was carried out by the owner of the card or the owner himself is responsible for the fact that the PIN was compromised. It would be hard to dispute the bank\u2019s decision, and it\u2019s very likely they will never give your money back.<\/p>\n<p>All in all, you can\u2019t secure your card 100% from ATM Infector, but here are a couple of tips that will help you keep at least the major part of your money.<\/p>\n<p>1. Although you can\u2019t identify infected ATMs, you can minimize the risk by using less suspiciously located machines. 
The best option is to use ATMs in bank offices \u2014 it\u2019s more difficult for culprits to infect them and they are probably inspected by the bank\u2019s tech team more frequently.<\/p>\n<p>2. Check all the card charges constantly. The best way to do it is to use SMS notifications: if your bank offers such a service, using it is a must.<\/p>\n<p>3. If you see a transaction you\u2019ve never made \u2014 call your bank immediately and block the compromised card. Really, do this <b>IMMEDIATELY.<\/b> The faster you react, the <a href=\"https:\/\/www.kaspersky.com.au\/blog\/5-lessons-i-learned-from-my-credit-card-hack\/6646\/\" target=\"_blank\" rel=\"noopener\">more likely<\/a> you are to save at least a good part of your money.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Criminals behind the ATM Infector campaign are turning ATMs into invisible skimmers.<\/p>\n","protected":false},"author":421,"featured_media":12123,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2646,9],"tags":[401,1617,93,1575,36,818,1573,1618,921,1619],"class_list":{"0":"post-12121","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"category-tips","10":"tag-atm","11":"tag-atm-infector","12":"tag-cybercriminals","13":"tag-financial-data","14":"tag-malware-2","15":"tag-money","16":"tag-plastic-cards","17":"tag-skimer","18":"tag-skimmers","19":"tag-stealing"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/invisible-skimmer-at-atm\/12121\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/invisible-skimmer-at-atm\/7151\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/invisible-skimmer-at-atm\/7145\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/invisible-skimmer-at-atm\/8339\/"},{"hreflang":"it","url":"https:\/\/
www.kaspersky.it\/blog\/invisible-skimmer-at-atm\/8189\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/invisible-skimmer-at-atm\/11940\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/invisible-skimmer-at-atm\/2100\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/invisible-skimmer-at-atm\/12121\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/invisible-skimmer-at-atm\/5675\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/invisible-skimmer-at-atm\/6285\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/invisible-skimmer-at-atm\/7698\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/invisible-skimmer-at-atm\/11451\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/invisible-skimmer-at-atm\/11940\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/invisible-skimmer-at-atm\/12121\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/atm\/","name":"atm"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=12121"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12121\/revisions"}],"predecessor-version":[{"id":18082,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12121\/revisions\/18082"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/12123"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\
/v2\/media?parent=12121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=12121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=12121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}