Automated teller machines (ATMs) are now targets for criminals of all sorts. After all, as the famous saying goes, that’s where the money is.
One common way to attack ATMs is via skimmers, devices that steal the data encoded on the magnetic stripes of ATM cards. They come in a wide variety of form factors, from the simple to the more elaborate. One example, which we have blogged about earlier, is fake POS devices that are used to skim data from credit and debit cards. This threat, however, is not limited to the United States, as similar schemes have been found in China.
Advanced (and more expensive) models send their captured data to the cybercriminals via existing cellular phone networks. Criminals on a budget can rent skimmers with a 50/50 income split between the owner and the renter. (Some of the links in the above-mentioned paragraphs go to Brian Krebs’s blog, as Krebs has frequently discussed the ATM skimmer threat.)
However, ATMs are also under increasing attack by malware. As early as 2004, 70 percent of new ATMs ran on Windows. Diebold estimates that 90 percent of its shipments today use Windows. This leaves them as potentially vulnerable to malware as any ordinary computer.
The TSPY_SKIMER malware family, including TSPY_SKIMER.A and TSPY_SKIMER.B, serves as a good example of the malware threats facing ATMs. Both of these were authored by someone who has good knowledge of ATM architecture, which is notable because these systems are not publicly documented. In addition, this malware needs to be manually installed by someone who has direct access to an ATM terminal.
Let’s take a look at TSPY_SKIMER.A. Its code is injected into specific services that are associated with Diebold ATMs. (Diebold is not alone as a target, however, as other ATM manufacturers have also been targeted by SKIMER variants.) In addition, the cybercriminal can use the ATM’s own keypad and screen to send commands to the malware, including checking for the installed Diebold software version, printing stolen information onto the machine’s paper receipts, and even dispensing cash.
The sophistication and intricacy needed to mount these attacks mean that despite the significant financial incentive, these attacks have not yet become all that common. However, users should not be lured into a false sense of security but instead be more informed and guarded to avoid being victimized by these attacks.
Banks, on the other hand, should also take note of this threat, as clients expect them to safeguard their money. An ATM infected with a SKIMER variant can tarnish a bank’s reputation and trustworthiness, so extra security measures should be taken to ensure ATMs are malware-free.