Modified version of Skimer malware makes stealing cash from ATMs easy

Skimer malware is back to steal your cash from ATMS!

A new malware program named Skimer has been discovered by security researchers. The malware is designed in a way that it infects the ATMs that run with the Windows operating system and therefore be used in stealing of money and payment card details.

Source: JoyReactor

The malware was discovered seven years ago, but through evolution it has managed to withstand the test of time, and it has become more and more appealing for attackers to use. The new malware strain which was discovered by the Kaspersky researchers uses new methods to avoid detection.

When installed, the malware goes to work and checks whether the file system is FAT32 or NTFS. If the file system is FAT32 then the malware will put a malicious executable file in the C:\Windows\System32 directory. If the file system is NTFS then the malware will write in the NTFS data stream, therefore, corresponding to the Microsoft Extension for all Financial Services (XFS) service.

This method that the Skimer malware uses makes the use of forensics for analysis a very difficult thing, the Kaspersky researchers said.

The new malware changes the legitimate XFS executable SpiService.exe which is usually found on the ATM, therefore, making it’s own components available which is named netmgr.dll. These actions allow the Skimer malware to communicate with the PIN pad and the card reader.

Skimer lies dormant until activated by the insertion of a card. The card has to have Track 2 data on it. When the card is inserted, the malware can then start communication with two of the different types of cards. The first type is one that requests for data and commands through the interface, and the second type is to execute the commands which are already hard coded into the Track2.

How Your ATM Card Data Could Get Hacked Hackers Can Infect ATM With Malware To Hold Your Card

After ejection of the data, users are then given a form which asks them to press in the session key and is timed for 60 seconds. The user now has authentication and can now put in twenty-one different codes for setting its activity. All the codes should be put on the pin pad.

Some of the most important commands that can be executed by the Skimer malware include showing of the installation details, the dispensation of money from an ATM, collection and harvesting of details of all inserted cards. Other important features include printing of collected card details, self-delete option, a debug mode and an update option for the malware that is already in there.


Related Posts