The Russian-speaking Skimer group forces ATMs to assist in stealing users' money. Detected in 2009, Skimer was the first malicious program targeting ATMs. Seven years later, the cybercriminals are reusing this malware.
Imagine the following situation: a bank discovers that it has been attacked. The catch is that no money has been stolen, and the banking system does not appear to have been modified in any way. The criminals simply left. Is that possible?
Finding the reason for such unusual criminal activity was a challenge. However, during the investigation, the incident response team of Kaspersky Lab experts uncovered the scheme and discovered traces of an enhanced version of the Skimer malware in one of the bank's ATMs. The malware remains inactive until the cybercriminal takes control, a clever way to hide its traces.
The Skimer group starts its operation by gaining access to the ATM system, either through physical access or via the bank's internal network. After Backdoor.Win32.Skimer is successfully installed on the system, it infects the ATM module responsible for interaction with the bank's infrastructure, as well as for processing cash and cards.
This gives the criminals control over the infected ATMs. However, they behave cautiously and their actions are meticulously planned. Instead of installing a skimmer (a fraudulent copy of a card reader placed over the legitimate reader) to capture card data, they transform the entire ATM into a skimmer. When a machine is infected with Backdoor.Win32.Skimer, criminals can withdraw all of its cash or capture customers' card data, together with the bank account number and PIN code.
Worryingly, people using the ATMs cannot recognize infected devices, which bear no physical signs of infection or modification.
Dormant zombie ATMs
A direct withdrawal of money from the cassettes would be detected immediately, but malware inside an ATM can safely capture card data for a very long time. For this reason, the people controlling Skimer do not act immediately and scrupulously hide their tracks: the malware can reside in an infected ATM for several months without performing any action.
To activate the threat, the cybercriminals have to insert a specific card that contains certain data on its magnetic strip. After reading that data, Skimer can either execute a pre-defined command or request commands via a special menu activated by the card. The malware's graphical interface appears on the screen only after the card is ejected, and only if the offender enters the correct session key on the pin pad, in a special form, in less than 60 seconds.
Through this menu, the offender can activate 21 different commands, such as dispensing money (40 banknotes from the indicated cassette), collecting data on inserted cards, removing the malicious code from the ATM, updating it (using the cybercriminals' card), and so on. Skimer can save the collected card data, along with PIN codes, to the chip of that special card, or print it using the ATM's built-in printer.
In most cases, the criminals prefer to wait and collect captured card data in order to make card copies later. With such copies they go to another, uninfected ATM and take money from customers' accounts. In this way, the infected ATMs are not quickly detected, and access to the cash is simple and alarmingly easy to manage.
A veteran thief
Skimer was widely distributed in 2010-2013. Its appearance caused a rapid increase in the number of attacks on ATMs, and Kaspersky Lab has since identified up to nine different ATM malware families. Among them was the Tyupkin family, discovered in March 2014, which became the most popular and widespread. Now it seems that Backdoor.Win32.Skimer has returned to action. Kaspersky Lab currently identifies 49 modifications of this malware, of which 37 attack the ATMs of only one of the largest manufacturers. The latest version was detected at the beginning of May 2016.
Based on the samples submitted to VirusTotal, an extremely wide geographical distribution of potentially infected ATMs can be observed. The latest 20 samples of the Skimer family were submitted from more than 10 locations around the world: the United Arab Emirates, France, the United States, Russia, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.
Technical safeguards
To prevent the threat described here, Kaspersky Lab recommends regular antivirus scans, the use of whitelisting technology, a good device management policy, full disk encryption, protecting the ATM's BIOS with a password, allowing booting only from the hard drive, and isolating the ATM network from the rest of the bank's internal network.
"There is one important additional safety measure used in this particular case. Backdoor.Win32.Skimer verifies the information (nine specific numbers) stored on the magnetic strip of the cybercriminals' card in order to decide whether it should be activated. During our investigation we identified those numbers and passed them on to banks. With these numbers, banks can proactively look for them within their processing systems to detect potentially infected ATMs and money mules, or block every attempt by cybercriminals to activate the malicious software," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
As the investigation into the Skimer cybercriminal group is ongoing, the full report has been delivered to a closed group consisting of law enforcement, CERTs, financial institutions and Kaspersky Security Intelligence Services customers.
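The check Golovanov describes, a bank scanning its processing systems for the activation card numbers, can be illustrated as follows. This is an added example, not code from the article or from Kaspersky Lab: it assumes the "nine specific numbers" are card PANs (the article does not say what the numbers are, and the real values were shared only with banks, so the watchlist entries below are constructed placeholders), and it assumes a simplified authorization log line format with the card's raw track-2 data, which is also constructed for this example.

```python
"""Watchlist check for ATM activation cards (added example, not the article's code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed placeholder PANs standing in for the activation numbers that
# Kaspersky Lab shared with banks; the real values are not public.
ACTIVATION_PAN_WATCHLIST: Set[str] = {
    "4000000000000002",  # placeholder
    "5100000000000008",  # placeholder
}

# ISO 7813 track-2 layout: ;PAN=YYMM SSS discretionary ?
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Assumed log format for this example: "<ts> atm=<id> event=<name> [track2=<data>]"
LOG_RE = re.compile(r"atm=(?P<atm>\S+)\s+event=(?P<event>\S+)(?:\s+track2=(?P<t2>\S+))?")


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; activation cards need not pass it, so it is advisory only."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Optional[Track2]:
    """Parse raw track-2 data; return None for anything that is not well formed."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return None
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def is_activation_card(raw_track2: str, watchlist: Set[str] = ACTIVATION_PAN_WATCHLIST) -> bool:
    """True if the card's PAN is on the activation watchlist."""
    track = parse_track2(raw_track2)
    return track is not None and track.pan in watchlist


def flag_suspect_atms(lines: Iterable[str],
                      watchlist: Set[str] = ACTIVATION_PAN_WATCHLIST) -> Dict[str, List[str]]:
    """Map each ATM id at which a watchlisted card was read to the matching log lines."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m["t2"]:
            continue  # no card data on this line
        if is_activation_card(m["t2"], watchlist):
            hits.setdefault(m["atm"], []).append(line)
    return hits


# Constructed sample log lines (not real data).
LOG_LINES = [
    "2016-05-03T10:15:02Z atm=ATM-0142 event=card_read track2=;4000000000000002=20121010000000000?",
    "2016-05-03T10:15:40Z atm=ATM-0142 event=card_eject",
    "2016-05-03T11:02:11Z atm=ATM-0201 event=card_read track2=;4111111111111111=21081010000000000?",
    "2016-05-03T11:30:00Z atm=ATM-0333 event=card_read track2=;5100000000000008=19091010000000000?",
]

if __name__ == "__main__":
    for atm, evidence in flag_suspect_atms(LOG_LINES).items():
        print(f"{atm}: {len(evidence)} activation-card read(s); schedule forensic check")
```

The parser deliberately does not reject a PAN that fails the Luhn check: an activation card only has to satisfy the malware, not the card network, so the watchlist match is the signal and `luhn_ok` is reported alongside it at most. A hit identifies the ATM to image and the time window to correlate with the bank's own monitoring.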