Effective new Trojan skims card info from widely used ATMs
Posted on 18.12.2013
Researchers from Russian AV company Doctor Web have managed to get their hands on a Trojan aimed at recording and collecting card information from one of the most widespread ATM types. Unfortunately, they didn't say which one.

"Trojan.Skimer.18 is by no means the first backdoor to infect ATM software, but it is the first to target devices so common throughout the world," the researchers said, explaining its importance.

The Trojan comes in the form of a dynamic link library (DLL) and is loaded by an infected application. Once it has gained a foothold on the machine, it immediately creates a log file that will store the stolen information: Track 2 data (card / account number, expiry date, service code) and PIN codes.

"It is noteworthy that in order to maintain confidentiality, ATM manufacturers employ a special technology that facilitates the encrypted transmission of PIN codes entered into ATMs, and the encryption key is regularly updated from the bank's server," they pointed out, but added that Trojan.Skimer.18 easily bypasses this protection and uses the ATM's software to decrypt PIN codes.

The criminals control the malware via specially designed master cards.

Once inserted into the ATM's card slot, these cards make a Trojan dialogue box pop up and allow criminals to use the ATM's keypad to interact with the malware.

If directed to do so, the Trojan can delete itself or the log file from an infected ATM, restart the machine or change its operation mode, and even update itself by using an app from the master card's chip. The master cards can also "download" the already stolen info after first compressing the file.

