
ATM in Philippines at risk from Skimer malware – Kaspersky

Rainier Allan Ronda - The Philippine Star

MANILA, Philippines - The Philippines is one of 10 countries where a sleeper malware allows a cybercrime group to rob money from automated teller machines (ATMs), global Internet security firm Kaspersky Lab warned.

Kaspersky Lab discovered that a group of Russian-speaking cybercriminals resurrected an improved version of the Skimer malware just this month.

Sergey Golovanov, principal security researcher at Kaspersky Lab, said they don’t know yet which bank in the Philippines has had their ATM network infected with the new version of the Skimer malware.

“From the samples submitted to (Kaspersky Lab malware detector solution) VirusTotal, we found that somebody from the Philippines uploaded it on to the bank’s ATM,” Golovanov told The STAR in a long-distance phone interview from Russia.

He added: “This, however, we can’t say with 100-percent confidence that there are infected ATMs in the Philippines. Samples may have been uploaded to VirusTotal by security researchers and system administrators. It is impossible to know where those users got these samples: from an actual ATM or another forum. But considering a wide geographical distribution of this malware, there is a big chance that infected ATMs are located in the Philippines as well.”

He added that once an ATM is infected, criminals are able to withdraw all the funds in the ATM or grab the data from cards used at the ATM.

In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later.

First discovered in 2009, the Skimer malware is the first malicious program that targets automated teller machines (ATMs). It was distributed extensively between 2010 and 2013.

Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab.

Among this group of malware was the Tyupkin family discovered in March 2014, which became the most popular and widespread.

It appears that Backdoor.Win32.Skimer is back in action. Kaspersky Lab has identified 49 modifications of this malware, with 37 of these modifications targeting the ATMs of just one of the major manufacturers.

The group behind the resurrection of the Skimer malware uploaded it in many ATM networks of certain banks spread across a very wide geographical area.

Kaspersky Lab said that the latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe, namely the Philippines, the United Arab Emirates (UAE), France, USA, Russia, Macao, China, Spain, Germany, Georgia, Poland, Brazil, and the Czech Republic.

It was learned that the cybercriminals behind the distribution of the new version of the Skimer malware are more careful and patient.

The Skimer group, the firm said, starts its operations by getting access to the ATM system – either through physical access, or via the bank’s internal network.

Then, after successfully installing Backdoor.Win32.Skimer into the system, it infects the core of an ATM – the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards.

While already having full control over the ATM system, they tread carefully and skillfully.

Instead of installing skimmer devices (a fraudulent lookalike card reader over the legitimate reader) to siphon card data, they turn the whole ATM into a skimmer.

With the ATM successfully infected with Backdoor.Win32.Skimer, criminals can withdraw all the funds in the ATM or grab the data from cards used at the ATM: including the customer’s bank account number and PIN code, Kaspersky Lab said.

In order to wake it up, criminals need to insert a particular card, which has certain records on the magnetic strip.

After reading the records, the Skimer malware can either execute the hardcoded command, or request commands through a special menu activated by the card.

The Skimer’s graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.
