The malware can record the details of payment cards inserted into ATMs and can force them to dispense cash Credit: TaxCredits.net Security researchers have found a new version of a malware program called Skimer that’s designed to infect Windows-based ATMs and can be used to steal money and payment card details. Skimer was initially discovered seven years ago, but it is still actively used by cybercriminals and has evolved over time. The latest modification, found by researchers from Kaspersky Lab at the beginning of May, uses new techniques to evade detection. Upon installation, the malware checks if the file system is FAT32 or NTFS. If it’s FAT32 it drops a malicious executable file in the C:WindowsSystem32 directory, but if it’s NTFS, it will write the file in the NTFS data stream corresponding to Microsoft’s Extension for Financial Services (XFS) service. This technique is most likely intended to make forensic analysis more difficult, the Kaspersky researchers said in a blog post. The XFS service is only present on ATMs and provides a special API (application programming interface) that enables software to communicate with an ATM’s PIN pad. Microsoft doesn’t provide any public documentation for this service, but cybercriminals might have found the necessary information to interact with it in a programmer’s reference manual from ATM manufacturer NCR that was leaked on a Chinese ebook site a few years ago. The new Skimer version modifies the legitimate XFS executable SpiService.exe found on the ATM in order to load its own malicious component, called netmgr.dll. This allows the malware to interact with the PIN pad and card reader. Skimer will only wake up when a payment card with special data written on its magnetic stripe is inserted into the ATM. Depending on the card’s Track 2 data, the malware will either open its interface on the ATM screen, which requires authentication, or will automatically execute commands contained in the data. After the attacker authenticates he can issue commands through the interface to dispense banknotes from the ATM’s internal cassettes, to start collecting the details of cards inserted in the ATM, to update the malware or to uninstall it. “One important detail to note about this case is the hardcoded information in the Track2 — the malware waits for this to be inserted into the ATM in order to activate,” the Kaspersky researchers said. “Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.” Skimer is just one of several malware programs designed to infect ATMs that were discovered in recent years, suggesting that this method of attack is becoming increasingly popular among cybercriminals. The way in which malware programs have been installed on ATMs in the past has varied. In some cases it was installed by insiders. In others it was installed by booting from a CD drive after opening the ATM’s front case using special keys. Attackers can also compromise ATMs if they’re connected to the bank’s internal network or by using stolen remote support credentials. The Kaspersky researchers recommend regular antivirus scans, the use of whitelisting technologies, good device management policies, full disk encryption, securing the ATM BIOS with a password and only allowing HDD booting and isolating the ATMs from other internal bank networks. Related content news UK court scrutinises legality of mainframe to cloud application migration technology IBM suing is LzLabs over reverse-engineering claims. By John Leyden Apr 29, 2024 3 mins Mainframes Technology Industry feature 7 tips for deploying Wi-Fi 6E The enhanced version of Wi-Fi 6 uses 6GHz frequency band for dense, high-traffic applications. By Eric Geier Apr 29, 2024 7 mins Wi-Fi Network Security Networking news Sovereign cloud demand booms in APAC amid geopolitical tensions Global spending on sovereign cloud solutions is expected to surpass $250 billion by 2027, according to IDC. By Gyana Swain Apr 29, 2024 4 mins Cloud Computing news Hitachi Vantara launches unified storage platform Virtual Storage Platform One provides on-premises and cloud storage of both structured and unstructured data. By Andy Patrizio Apr 26, 2024 2 mins Enterprise Storage Data Center PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe