Doctor Web researchers have analyzed the new threat

Dec 18, 2013 08:46 GMT

Security researchers from Doctor Web have come across a new Trojan designed to steal information from ATMs. The threat, dubbed “Trojan.Skimer.18,” is interesting because it targets the devices developed by one of the world’s largest ATM manufacturers.

The malware is implemented as a DLL that’s loaded onto targeted machines via an infected application.

Once it infects an ATM, Trojan.Skimer.18 creates a log file. Then, when someone uses the ATM, it reads and saves Track 2 data – namely the payment card number, its expiry date and the card verification value (CVV). It’s also capable of capturing the PIN. All the harvested information is stored in the log file.

ATM manufacturers design the machines so that the PIN is encrypted when it’s entered. To make everything more secure, the encryption key is regularly updated. However, Trojan.Skimer.18 is capable of bypassing the protection mechanisms, and decrypts the PINs by leveraging the ATM’s software.

So how do the cybercriminals retrieve the harvested payment card information? As with other threats of this kind, they do it by using a master card.

When the attacker inserts the master card, a dialogue box appears on the screen, allowing the cybercriminals to operate the Trojan via the ATM’s keypad. Interaction is done via the Extensions for Financial Services (XFS) interface.

The attacker simply enters a number associated with a specific command in order to display statistics on the collected data. The crooks can also send commands to remove the infection, update the threat, restart the ATM, and delete the log file in which the data is stored.

Of course, the most important command is the one that transfers stolen information from the machine to the master card. Before the loot is copied to the card, the log file is compressed.

Researchers point out that the Trojan is similar to others designed to target ATMs, which most likely means that they’ve all been developed by the same individual or group.