Invisible skimmers in ATMs


You probably know how to keep your bank card safe: look for suspicious add-ons on the ATM and avoid any machine that raises concerns. But what if you don’t see anything suspicious because the skimmer is completely invisible?

Is it even possible?

I’m afraid so. The ATM Infector cybercriminal group was discovered by our Global Research and Analysis Team (GReAT) together with the Penetration Testing Group. The members of this Russian-speaking gang can turn an ATM itself into a skimmer.

Double jackpot

It seems cybercriminals love the sharing economy idea too: why add an extra skimmer to an ATM if the machine already has all the hardware needed to copy card data? To steal all of your bank card details, the criminals only need to infect the ATM with a piece of malware called Skimer and then use the machine’s own card reader and keypad.

But that’s not what I meant when I mentioned sharing: by infecting an ATM, the criminals take control not only of the keypad and card reader, but also of the cash dispenser. So they can both steal your card details and send a command to withdraw all the cash inside the machine.

The criminals behind this campaign hide their actions carefully, which is why they play a double game. In theory, they could withdraw the cash at any time by sending a command to every infected ATM, but that would look suspicious and trigger an investigation. Hence the attackers prefer the malware to sit unnoticed in the ATM, silently gathering the details of every card that is read, and leave the cash to be withdrawn later.

How the scammers behind ATM Infector work

As we mentioned in the previous post, while the physical security of ATMs is impressive, many of these armored machines have software vulnerabilities. In this particular case, the criminals infected ATMs both through physical access and from the bank’s internal network.

Once installed on the system, the Skimer malware infects the core of the ATM itself (the computer that runs it), giving the criminals full control over the infected machine and turning it into a skimmer. Afterwards, the malware lies dormant until the criminals decide to use the infected ATM.

To activate the malware in an ATM, the fraudsters insert a specially prepared card with specific entries encoded on its magnetic stripe. After reading these entries, Skimer either executes the command encoded on the card or waits for commands entered through a special menu that the card activates.

If the offender ejects the card and enters the correct session key on the keypad within 60 seconds, Skimer’s graphical interface appears on the screen. Using this menu, the criminal can activate 21 different commands, including:

  • withdrawing money (40 banknotes from a specific cassette),
  • collecting the details of the inserted card,
  • self-deletion,
  • updating the malware (using updated code embedded in the card’s chip),
  • saving the collected card data and PINs as a file on the chip of that same card,
  • printing the collected card details on the ATM’s receipts.
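The activation sequence described above (a card whose stripe is read but which never results in a normal transaction, ejected and followed by keypad input within 60 seconds) is something an ATM operator can look for in the machine’s own application logs. The following is an added example written for this post, not code from Kaspersky Lab or from the Skimer report: it runs a simple heuristic over a constructed event log. The log format, the event names (CARD_INSERTED, CARD_EJECTED, KEYPAD_INPUT, HOST_AUTH_REQUEST, TXN_COMPLETED, TXN_DECLINED) and the rule itself are assumptions made for illustration, not a published signature or the format of any real ATM platform.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample of a simplified ATM application event log. The format is
# hypothetical (not the log format of any real ATM platform or of Skimer):
# "<ISO timestamp> <EVENT> <free-text detail>", one event per line.
SAMPLE_LOG = """\
2016-05-10T09:01:12 CARD_INSERTED reader=1
2016-05-10T09:01:15 KEYPAD_INPUT keys=4
2016-05-10T09:01:20 HOST_AUTH_REQUEST amount=100
2016-05-10T09:01:22 TXN_COMPLETED amount=100
2016-05-10T09:01:25 CARD_EJECTED reader=1
2016-05-10T09:02:00 CARD_INSERTED reader=1
2016-05-10T09:02:03 CARD_EJECTED reader=1
2016-05-10T09:02:40 KEYPAD_INPUT keys=8
2016-05-10T09:05:00 CARD_INSERTED reader=1
2016-05-10T09:05:04 KEYPAD_INPUT keys=4
2016-05-10T09:05:06 HOST_AUTH_REQUEST amount=50
2016-05-10T09:05:08 TXN_DECLINED reason=insufficient_funds
2016-05-10T09:05:10 CARD_EJECTED reader=1
2016-05-10T09:05:15 KEYPAD_INPUT keys=1
2016-05-10T09:10:00 CARD_INSERTED reader=1
2016-05-10T09:10:02 CARD_EJECTED reader=1
2016-05-10T09:11:40 KEYPAD_INPUT keys=4
"""

# Events showing that the ATM talked to the bank host during the session;
# a genuine customer session normally produces at least one of them.
HOST_EVENTS = {"HOST_AUTH_REQUEST", "TXN_COMPLETED", "TXN_DECLINED"}


@dataclass
class Event:
    ts: datetime
    name: str
    detail: str


@dataclass
class Finding:
    inserted_at: datetime
    ejected_at: datetime
    keypad_at: datetime
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        detail = parts[2] if len(parts) > 2 else ""
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], detail))
    return events


def find_suspicious_sessions(events: List[Event], window_seconds: int = 60) -> List[Finding]:
    """Flag card sessions that never contacted the host and were followed by
    keypad input within `window_seconds` of the card being ejected, while no
    card was present. This mirrors the activation sequence described in the
    post (card read, card ejected, session key typed within 60 seconds); the
    rule is this example's own heuristic and will need tuning per platform."""
    window = timedelta(seconds=window_seconds)
    findings = []
    i = 0
    while i < len(events):
        if events[i].name != "CARD_INSERTED":
            i += 1
            continue
        inserted = events[i].ts
        host_contact = False
        j = i + 1
        # Walk the session up to the matching CARD_EJECTED, noting host contact.
        while j < len(events) and events[j].name != "CARD_EJECTED":
            if events[j].name in HOST_EVENTS:
                host_contact = True
            j += 1
        if j >= len(events):
            break  # session still open at end of log: nothing to decide yet
        ejected = events[j].ts
        k = j + 1
        # After eject: keypad input with no card present, inside the window.
        while (k < len(events) and events[k].name != "CARD_INSERTED"
               and events[k].ts - ejected <= window):
            if events[k].name == "KEYPAD_INPUT" and not host_contact:
                delay = int((events[k].ts - ejected).total_seconds())
                findings.append(Finding(
                    inserted, ejected, events[k].ts,
                    "keypad input %ds after eject of a session with no host contact" % delay))
                break
            k += 1
        i = j + 1
    return findings


def analyze(text: str) -> List[Finding]:
    """Convenience wrapper: parse a log and return the findings."""
    return find_suspicious_sessions(parse_log(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.inserted_at.isoformat()}  {f.reason}")
```

On the constructed log only the second session is flagged: the first and third sessions contacted the host (a normal withdrawal and a declined one), and the fourth had no host contact but its keypad input came 98 seconds after the eject, outside the 60-second window. Widening the window to 120 seconds also flags the fourth session, which shows why the threshold should come from the malware’s documented behaviour rather than from guesswork.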

How to protect yourself

In their post on Securelist, our experts listed recommendations for banks on which files to look for in their ATM systems. The full report on the ATM Infector campaign has already been made available to law enforcement agencies, CERTs and financial institutions.

When it comes to regular users like you or me, the scariest thing is that there is no way to tell whether an ATM is infected with ATM Infector without scanning the machine’s computer: from the outside it looks and works perfectly normally.

Banks usually treat entry of the correct PIN as proof that the transaction was carried out by the card owner. In addition, in the bank’s view, the owner is responsible for keeping the PIN from leaking. Such a decision by the bank is difficult to challenge, so it is very likely that the money will be lost for good.

As you know, you cannot protect your card 100% against the ATM Infector threat, but you can follow a few of our tips to keep at least most of your money if an incident happens.

  1. Although an infected ATM cannot be recognized, there is a way to minimize the risk: use machines in safer locations. It is best to use the ATMs inside the bank’s branches – it is much harder for fraudsters to infect them, and they are probably checked more often by the bank’s technical staff.
  2. Check the charges on your account frequently. SMS notifications are the best option: if your bank offers such a service, use it.
  3. If you notice a transaction you never made – call your bank immediately and block the compromised card. Remember that in this case you must act IMMEDIATELY. The faster you react, the greater the chance that you will have some money left.