{"id":7197,"date":"2016-05-17T07:28:51","date_gmt":"2016-05-17T11:28:51","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=7197"},"modified":"2019-11-22T10:10:26","modified_gmt":"2019-11-22T10:10:26","slug":"invisible-skimmers-at-the-atms","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/invisible-skimmers-at-the-atms\/7197\/","title":{"rendered":"Invisible Skimmers at the ATMs"},"content":{"rendered":"<p>If you are aware of what ATM skimmers are \u2014 and if you\u2019re not, you should <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/skimmers-part-one\/5345\/\" target=\"_blank\" rel=\"noopener\">read this post first<\/a> \u2014 you probably know how to act in order to keep your bank card safe. You need to watch for any suspicious attachments to an ATM and avoid using machines that look fishy. But what if there are no attachments at all? What if the skimmer is completely invisible?<\/p>\n<p><i>Is that even possible?<\/i><\/p>\n<p>I\u2019m afraid the answer is yes. In fact, that is exactly the case with the ATM Infector cyber-criminal group <a href=\"https:\/\/securelist.com\/blog\/research\/74772\/atm-infector\/\" target=\"_blank\" rel=\"noopener noreferrer\">discovered<\/a> by our Global Research and Analysis Team (GReAT) together with our Penetration Testing Team. Members of this Russian-speaking cyber gang are able to turn an ATM itself into a skimmer.<\/p>\n<h3>Double jackpot<\/h3>\n<p>It looks like even cyber-criminals love the idea of the sharing economy: why attach additional skimmer devices to the ATM if all the hardware they need is already there? 
All they have to do is infect an ATM with special malware called Skimmer, and then they can use the ATM\u2019s own card reader and pin pad to steal all necessary bank card credentials.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Keep your credit card <a href=\"https:\/\/twitter.com\/hashtag\/secure?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#secure<\/a> from skimming- learn the hidden dangers of an ATM: <a href=\"http:\/\/t.co\/YKvTbzXm4R\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/YKvTbzXm4R<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/337941316686192642?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 24, 2013<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>And that\u2019s not all when it comes to sharing; if they have infected an ATM, they can go one step further and control not only the pin pad and card reader devices, but also the cash dispenser. So not only can they steal card credentials, but they can also send a command to spit out all the money the ATM has inside its cash deposit unit.<\/p>\n<p>The criminals behind this cyber campaign are hiding their tracks very carefully. In fact, that\u2019s why they use these double tactics. While they surely could cash out at any moment by ordering all the ATMs they have infected to eject money, it would definitely raise suspicion and probably lead to a large investigation. 
That\u2019s why they prefer to keep the malware in the ATM unnoticed and silently collect skimmed card data, leaving the second option \u2014 instant cash out \u2014 for the future.<\/p>\n<h3>How the culprits behind ATM Infector operate<\/h3>\n<p>As we told you in a <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/atm-jackpotting-explained\/6777\/\" target=\"_blank\" rel=\"noopener\">recent blog post<\/a>, while an ATM\u2019s protection looks very impressive from the physical point of view, many of these armoured machines are more vulnerable in cyberspace. In this particular case, criminals infect ATMs either through physical access or via the bank\u2019s internal network.<\/p>\n<p>After installing itself into the system, Skimmer malware infects the very computerised core of an ATM, giving criminals full control over the infected ATMs and turning them into skimmers. After that, the malware lies low until criminals decide to use the infected teller machine.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">7 reasons why it\u2019s oh so easy for bad guys to hack an <a href=\"https:\/\/twitter.com\/hashtag\/ATM?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ATM<\/a> <a href=\"https:\/\/t.co\/7H7znX1REt\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/7H7znX1REt<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/t.co\/SPNqm7vXJk\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/SPNqm7vXJk<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/699986331527684096?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 17, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>To wake up the 
malware in an ATM, the culprit inserts a specially crafted card with certain records on its magnetic strip. After reading the records, Skimmer malware can either execute the hard-coded command or answer commands through a special menu activated by the card.<\/p>\n<p>If the criminal ejects the card and in less than 60 seconds inputs the right session key using the pin pad, the Skimmer\u2019s graphical interface appears on the display. With the help of this menu, the criminal can activate 21 different commands, including:<br>\n\u2013 dispensing money (40 bills from the specified cassette);<br>\n\u2013 collecting the details of inserted cards;<br>\n\u2013 self-deleting;<br>\n\u2013 updating (from the updated malware code embedded on the card\u2019s chip);<br>\n\u2013 saving the file with card and PIN data on the chip of the same card;<br>\n\u2013 or printing the card details it has collected onto the ATM\u2019s receipts.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/hOcFy02c7x0?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<h3>How to protect yourself<\/h3>\n<p>In their blog post on Securelist, our experts provide recommendations for banks on which files they should be searching for in their systems. 
The full report on the ATM Infector campaign has previously been shared with a closed audience consisting of law enforcement agencies, CERTs, financial institutions and Kaspersky Lab threat intelligence customers.<\/p>\n<p>As for common folk like you and me, things are pretty scary with ATM Infector: there is no way to tell whether an ATM is infected without scanning its internal computer, since on the surface it looks and operates completely normally.<\/p>\n<p>Banks usually consider PIN input as proof that either the transaction was carried out by the owner of the card or the owner himself is responsible for the fact the PIN was compromised. It would be hard to argue with the bank\u2019s decision, and it\u2019s very likely they will never give your money back.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Criminal business on <a href=\"https:\/\/twitter.com\/hashtag\/ATMs?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ATMs<\/a>, part 2: <a href=\"https:\/\/t.co\/qCWhTm2ALD\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/qCWhTm2ALD<\/a> <a href=\"http:\/\/t.co\/46zP035BBE\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/46zP035BBE<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/561223684514672640?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 30, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>All in all, you can\u2019t secure your card 100% from ATM Infector, but here are a couple of tips that will help you keep at least the major part of your money.<\/p>\n<p>1. Despite the fact you can\u2019t identify infected ATMs, you can minimize the risk by using less suspiciously located machines. 
The best option is to use ATMs in bank offices \u2014 it\u2019s more difficult for culprits to infect them and they are probably being inspected by the bank\u2019s tech team more frequently.<\/p>\n<p>2. Check all the card charges constantly. The best way to do it is to use SMS notifications: if your bank offers such a service, using it is a must.<\/p>\n<p>3. If you see a transaction you\u2019ve never made \u2014 call your bank immediately and block the compromised card. Really, do this <b>IMMEDIATELY.<\/b> The faster you react, the <a href=\"https:\/\/www.kaspersky.com\/blog\/5-lessons-i-learned-from-my-credit-card-hack\/6646\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">more likely<\/a> you will save at least a good part of your money.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Criminals behind the ATM Infector campaign are turning ATMs into invisible skimmers.<\/p>\n","protected":false},"author":421,"featured_media":7198,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026,9],"tags":[401,1468,93,1437,36,794,1435,1469,883,1470],"class_list":{"0":"post-7197","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"category-tips","10":"tag-atm","11":"tag-atm-infector","12":"tag-cybercriminals","13":"tag-financial-data","14":"tag-malware-2","15":"tag-money","16":"tag-plastic-cards","17":"tag-skimer","18":"tag-skimmers","19":"tag-stealing"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/invisible-skimmers-at-the-atms\/7197\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/invisible-skimmers-at-the-atms\/6013\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/invisible-skimmers-at-the-atms\/4294\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/atm\/","n
ame":"atm"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=7197"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7197\/revisions"}],"predecessor-version":[{"id":17725,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7197\/revisions\/17725"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/7198"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=7197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=7197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=7197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}