Skimming & Shimming

Tomcat

Bank card skimmers are devices used by criminals to steal bank card data when using ATMs and payment terminals. These devices look like covers on a card reader, made in accordance with the design of an ATM. Although skimmers “mimic” real card readers, they are quite cumbersome - if you are careful, they are relatively easy to identify and remove from an ATM, which is disadvantageous for carders.

Content:
  • Skimming
  • Shimmers
  • Chronicle
    • 2022: Elusive skimming campaigns unfold on the Internet
    • 2016: Russian cybercriminals abandon phishing in favor of skimming

Skimming

One of the most popular methods of money theft in Europe and America: from 2014 to 2015 alone, the volume of hardware and software skimming increased 5.5 times (according to FICO Card Alert Service). In Russia, however, it is much less popular. Firstly, because the country has fewer ATMs overall (in 2015, 200 thousand devices were recorded in Russia compared to 425 thousand in the USA), and secondly, because few payment terminals accept cards that have only a magnetic stripe. In most cases, Russian terminals are universal and accept both magnetic stripe cards and chip cards. One likely reason is that the Central Bank recognized the chip card as more secure and, from July 1, 2015, obliged banks to issue payment and credit cards equipped with a microprocessor.

For a long time, attackers successfully used physical overlays to commit thefts from ATMs. Their evolution can be traced from thin linings inside the ATM to huge artificial panels that completely emulate the front panel of an ATM. The mechanics of the theft are as simple as possible: a skimmer is placed over the ATM card reader, and with it the attacker reads all the data from the magnetic stripe. Some skimmers simply accumulate the captured data, while others immediately transmit the card information to the fraudsters over a radio channel (to a miniature receiving device or directly to their receiving equipment). In addition, a fake keypad is attached over the ATM's own: when the cardholder types the PIN code on it, the scammers receive it. Another means of obtaining information is a hidden video camera installed near the ATM.

Attackers do not always need to find out the card's PIN code, since the main track of a magnetic bank card (Track2) is enough to create a copy of the card, which can often be used to pay in stores, at POS terminals or online. Track2 contains all the essential information about the card: the PAN (card number), the expiration date, as well as an encrypted PIN code.

The prevalence of these thefts has led ATM manufacturers and third-party vendors to install active or passive anti-skimming measures to combat this type of theft effectively. There are still some things that anti-skimming equipment cannot detect: for example, one of the most inconspicuous overlays sits on the bus between the card reader and the ATM computer and stores the data of the cards read.

Another obstacle for fans of physical skimming was the introduction of criminal liability for theft of card data from ATMs. For illegal actions, criminals now face different types of punishment depending on the severity of the crime (from fines to imprisonment). That is why the most active hackers are gradually moving to a new level.

No contact
Transactions with cards at ATMs often involve transmitting Track2 magnetic stripe data in clear text. For example, if the network connection between the ATM and the processing center is not protected by encryption, then stealing the card number is not very difficult: overlays that listen to traffic transmitted from the ATM to the processing center are much easier to organize than opening and modifying the ATM itself.
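The two preceding points, the Track2 layout and its transmission in clear text, are exactly what a bank's own monitoring should be looking for. The scanner below is an added example (not from the TAdviser article or this post): it walks constructed log lines of the kind an ATM switch might emit, matches the ISO 7813 Track 2 pattern, discards digit runs that fail the Luhn check, and reports each hit with a masked PAN, the expiry and the service code. The sample lines, the PANs (standard test numbers) and the log format are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO 7813 Track 2 layout: PAN (13-19 digits), '=' separator, expiry YYMM,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn check; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    line_no: int
    masked_pan: str
    expiry: str          # "YYYY-MM"
    service_code: str
    chip_capable: bool   # first service-code digit 2 or 6 means a chip (EMV) card


def _hit_from_match(m: "re.Match", line_no: int) -> Optional[Track2Hit]:
    pan, yy, mm, service_code = m.group(1), m.group(2), m.group(3), m.group(4)
    if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
        return None
    return Track2Hit(line_no, mask_pan(pan), f"20{yy}-{mm}",
                     service_code, service_code[0] in "26")


def parse_track2(fragment: str, line_no: int = 0) -> Optional[Track2Hit]:
    """Parse one candidate Track 2 string; None if it is not plausible card data."""
    m = TRACK2_RE.fullmatch(fragment)
    return _hit_from_match(m, line_no) if m else None


def scan_lines(lines: List[str]) -> List[Track2Hit]:
    """Report every plausible cleartext Track 2 record found in the given lines."""
    hits: List[Track2Hit] = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            hit = _hit_from_match(m, n)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample: log lines in an invented ATM-switch format.
SAMPLE_CAPTURE = [
    "2024-03-01T10:14:02Z atm-017 txn=8812 amount=5000 track2=4111111111111111=27061011234567890? status=OK",
    "2024-03-01T10:14:05Z atm-017 txn=8813 amount=200 pan_token=tok_5f3a status=OK",
    "2024-03-01T10:15:11Z atm-022 txn=8814 raw=5555555555554444=26122010000000000 status=OK",
    "2024-03-01T10:16:00Z atm-022 txn=8815 ref=4111111111111112=2712101 status=DECLINED",  # fails Luhn
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_CAPTURE):
        print(f"line {hit.line_no}: cleartext Track2 for {hit.masked_pan} "
              f"exp {hit.expiry} service {hit.service_code} chip_capable={hit.chip_capable}")
```

The Luhn filter matters in practice: without it a scanner fires on every long numeric reference that happens to be followed by "=", which is why the fourth line is not reported. A hit on a line that should carry only a token (like the second line) is the signal that card data is leaving the ATM in clear text.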

In this case, for example, video surveillance systems in the ATM, door sensors on the service area and other means of physical protection will not help.

Hackers have created malware that can quietly siphon off card data for months. This is not much more complicated than attacks using other malware, which, for example, “forces” an ATM to dispense all the bills it contains on a special command.

In general, there is a pattern: the harder it is to rob an ATM, the more attackers are inclined to play the “long game” (which is now typical of APT attacks). The attacker sets himself the task of remaining undetected for as long as possible and all this time withdrawing card data from ATMs, which will later be used for fraudulent transactions. By the way, according to statistics, in Russia there are more than 6,000 transactions per ATM per quarter. If each operation is taken as a potential opportunity to “capture” card data, then simple arithmetic (multiplying by the number of ATMs covered and the time the attacker was present in the network) predicts a very significant amount of compromised data.

Using social engineering or other attacks on the bank's perimeter, hackers can easily penetrate the banking network: according to our statistics, on average up to a third of employees open letters with attachments that can infect their computers, even though a single opened letter is enough for the attack to succeed. In 47% of cases, the organization's perimeter can be penetrated through web application vulnerabilities.

After penetrating the bank's internal network, attackers only have to gain access to the specific processing subnetwork where the data of the entire ATM network is located. There they can also find out which ATMs are not protected from critical vulnerabilities or operate without a firewall. This allows them to infect any ATM and extract money from each of them at any time. A similar scenario occurred in the robbery of the state-owned GSB bank in Thailand. By the way, in order to stop attempts to illegally withdraw money from a random ATM, in this particular case it was necessary to turn off half of the entire ATM network (more than 3,000 devices).

In October 2017, Jordanian Atef Alkhatib, who had been involved in skimming for several years, was convicted in the United States. Driving around the cities of Southern California, he placed devices on ATMs to read information from the magnetic stripes of cards, and also installed hidden video cameras in the visibility range of ATMs - this allowed him to find out PIN codes. At his home, the criminal set up a workshop for making duplicates of compromised cards. Over three years, the man stole financial information from more than 13 thousand clients of Wells Fargo and other American banks. The damage amounted to several million dollars.

Skimming schemes are often carried out by organized crime. In 2016, Abu Dhabi police arrested four hackers of Asian origin who were stealing credit card information using spy devices. The total loss of credit card owners amounted to more than a million Emirati dirhams (about $270 thousand). It should be noted that victims previously posted information about their credit cards on electronic trading platforms, which made the “work” easier for the attackers.

Often, “guest performers” - carders from other countries - engage in carding activity. For example, at the end of 2017, Indian police detained two groups of Romanian citizens at once. Having arrived in India on tourist visas, they did not spend time exploring the sights and culture, but began installing skimming devices. As a result, more than 1,000 people lost about 6.6 million rupees (about $100 thousand).

In addition to ATMs, payment terminals at gas stations are quite popular targets for skimmers. Thus, a group of 12 fraudsters was neutralized in Colorado. They worked at gas stations in several states. Members of the criminal group managed to compromise the financial data of more than 8 thousand victims, causing damage of about $2.5 million. In addition, it turned out that those arrested were involved in an international money laundering network.

Recommendations
When visiting an ATM, carefully inspect its front for overlays on the keypad, the card reader and other suspicious devices. When entering your PIN code, cover the keypad with your free hand; this protects your financial information if the ATM is being watched by fraudsters. Try to withdraw money from ATMs located in bank branches or in well-secured offices: as a rule, skimmers choose outdoor terminals for their “fishing”. It is also better to refrain from paying by card at unfamiliar gas stations and in suspicious cafes and shops.

Shimmers

Since 2015, a new threat has emerged - so-called shimmers. These are thin, almost invisible devices located in the card readers themselves to read information from chip cards at ATMs. The shimmer is a thin "spacer" that sits between the chip on the card and the chip reader in the ATM or terminal - and writes data from the chip as the terminal reads it. The data collected during such an operation cannot be used to make a new chip, but it can be used to clone the magnetic stripe of the card.

The loophole that allows a chip card protection mechanism such as iCVV to be bypassed (this mechanism protects against copying the card's magnetic stripe and creating a duplicate of it) is that the card issuing process at a number of banks still does not fully comply with the chip card security standard known as EMV (Europay, Mastercard and Visa). The creators of shimming took advantage of this vulnerability.

“The only cards at risk for shimmers are those whose issuing bank neglects the mandatory automatic CVV verification upon receipt of each payment request,” NCR Corp. says. “All issuers must conduct checks in this direction to eliminate the possibility of fraudulent transactions on cards whose data was stolen using shimmers. In general, shimming does not pose a threat to chip cards and does not require the introduction of additional security mechanisms at payment terminals and ATMs.”
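The NCR point is an issuer-side control, so it is worth seeing what "mandatory CVV verification" decides. The simulation below is an added example, not code from the TAdviser article, this post or NCR: an issuer holds a magstripe CVV and an iCVV for each card, and an authorization routine either skips the check (the neglectful issuer) or verifies the value against the entry mode. The key, the card, the HMAC-based stand-in for the real DES-based CVV algorithm and the request format are all constructed assumptions; the only convention taken from the real scheme is that the iCVV is the CVV computed with service code 999 instead of the stripe's own service code, which is what makes the two values differ.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Constructed stand-in for the issuer's card verification key; not a real key.
ISSUER_CVK = b"constructed-demo-issuer-key"

# The iCVV calculation substitutes service code 999 for the stripe's real one,
# so the value in the chip's Track 2 equivalent data differs from the stripe CVV.
ICVV_SERVICE_CODE = "999"


def derive_cvv(key: bytes, pan: str, expiry_yymm: str, service_code: str) -> str:
    """Simplified CVV: the real scheme is DES-based; an HMAC stands in for it here."""
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


@dataclass
class CardRecord:
    pan: str
    expiry_yymm: str
    service_code: str   # as encoded on the magnetic stripe, e.g. "201"
    cvv: str            # expected on a magstripe read
    icvv: str           # expected in the chip's Track 2 equivalent data


def issue_card(pan: str, expiry_yymm: str, service_code: str) -> CardRecord:
    return CardRecord(pan, expiry_yymm, service_code,
                      cvv=derive_cvv(ISSUER_CVK, pan, expiry_yymm, service_code),
                      icvv=derive_cvv(ISSUER_CVK, pan, expiry_yymm, ICVV_SERVICE_CODE))


@dataclass
class AuthRequest:
    pan: str
    expiry_yymm: str
    service_code: str
    entry_mode: str     # "magstripe" or "chip"
    cvv_presented: str


@dataclass
class AuthResult:
    approved: bool
    reason: str


def authorize(cards: Dict[str, CardRecord], req: AuthRequest, verify_cvv: bool) -> AuthResult:
    """Issuer decision; verify_cvv=False models the neglectful issuer NCR describes."""
    card = cards.get(req.pan)
    if card is None or card.expiry_yymm != req.expiry_yymm:
        return AuthResult(False, "declined: unknown card or expiry mismatch")
    if not verify_cvv:
        return AuthResult(True, "approved without CVV verification")
    expected = card.cvv if req.entry_mode == "magstripe" else card.icvv
    if hmac.compare_digest(req.cvv_presented, expected):
        return AuthResult(True, f"approved: {req.entry_mode} CVV verified")
    if req.entry_mode == "magstripe" and hmac.compare_digest(req.cvv_presented, card.icvv):
        # The signature of a stripe written from chip data: iCVV where the stripe CVV belongs.
        return AuthResult(False, "declined: iCVV presented on a magstripe read")
    return AuthResult(False, "declined: CVV mismatch")


# Constructed card database with one standard test PAN.
CARDS = {c.pan: c for c in [issue_card("4111111111111111", "2706", "201")]}


def demo() -> Dict[str, bool]:
    card = CARDS["4111111111111111"]
    legit_stripe = AuthRequest(card.pan, card.expiry_yymm, card.service_code, "magstripe", card.cvv)
    legit_chip = AuthRequest(card.pan, card.expiry_yymm, card.service_code, "chip", card.icvv)
    # Track data as recorded from the chip, replayed through a magstripe read.
    cloned_stripe = AuthRequest(card.pan, card.expiry_yymm, card.service_code, "magstripe", card.icvv)
    return {
        "legit_stripe": authorize(CARDS, legit_stripe, verify_cvv=True).approved,
        "legit_chip": authorize(CARDS, legit_chip, verify_cvv=True).approved,
        "clone_lax_issuer": authorize(CARDS, cloned_stripe, verify_cvv=False).approved,
        "clone_strict_issuer": authorize(CARDS, cloned_stripe, verify_cvv=True).approved,
    }


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name}: {'APPROVED' if approved else 'DECLINED'}")
```

The decisive line is the one that compares the presented value with the stripe CVV on a magstripe read: the replayed chip data carries the iCVV, so the compliant issuer declines it while the lax one, which never looks, approves. The distinct decline reason is also useful as a fraud-monitoring signal, since a burst of iCVV-on-stripe declines points at a compromised terminal.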

The first shimmers appeared back in 2015 in Mexico and since then they have gained particular “popularity” in Canada. Many companies that process card data are concerned that it could soon spread to the US market due to the law requiring chipping of credit and debit cards.

Security experts urge store and ATM owners to check card readers daily to ensure there are no third-party devices. However, the main responsibility in eliminating the new threat lies with the issuing banks. Only full compliance with the security standards of international payment systems will protect their clients from financial risks.

Chronicle

2022: Elusive skimming campaigns unfold on the Internet

On May 24, 2022, it became known that, according to specialists from Microsoft, the attackers disguised the skimming script by encoding it in a PHP script embedded in an image file. With this trick, malicious code is executed when the site's index page is loaded. Some skimming scripts also included anti-debugging mechanisms.

Web skimming is a criminal method of collecting payment information from website visitors during checkout. Carders use vulnerabilities in e-commerce platforms and CMS to inject a skimming script into an e-store page. In some cases, attackers can exploit vulnerabilities in installed third-party plugins and themes to inject malicious scripts.

“During our research, we encountered two cases of malicious images being uploaded to a server hosted on Magento. Both images had the same JavaScript code, but were slightly different in the PHP script implementation. The first image was disguised as a favicon and available on VirusTotal, and the second was a regular WebP file discovered by our team,” says a report published by Microsoft.

Microsoft has also observed attackers using malicious Base64 JavaScript code to spoof Google Analytics and Meta Pixel scripts to evade detection. Experts noted that the hackers behind the Meta Pixel spoof used newly registered domains with HTTPS.
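Both techniques in the Microsoft findings above, a PHP script hidden in an image file and Base64-encoded JavaScript masquerading as an analytics tag, can be checked for with simple content inspection on the shop's own server. The checker below is an added example, not code from the TAdviser article, this post or Microsoft: one function flags files with an image extension whose bytes contain a server-side or script marker, and another parses a page's script tags, flagging tag-manager script names loaded from a host outside an allowlist and inline scripts that decode a long Base64 blob at runtime. The sample favicon, WebP bytes, HTML page, the `.invalid` lookalike host and the allowlist are all constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

IMAGE_EXTENSIONS = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}
SERVER_CODE_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed allowlist: hosts the genuine analytics/pixel scripts are served from.
ALLOWED_TAG_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com", "connect.facebook.net"}
TAG_SCRIPT_NAMES = {"analytics.js", "gtag.js", "gtm.js", "fbevents.js"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
DECODER_RE = re.compile(r"\b(atob|eval|Function|unescape)\s*\(|fromCharCode", re.I)


def check_image_file(name: str, data: bytes) -> Optional[str]:
    """Finding text if an image-named file carries server-side or script markers."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in IMAGE_EXTENSIONS:
        return None
    lowered = data.lower()
    for marker in SERVER_CODE_MARKERS:
        if marker in lowered:
            return f"{name}: image file contains marker {marker.decode()!r}"
    return None


def check_html(html: str) -> List[str]:
    """Findings for spoofed tag scripts and runtime-decoded inline scripts."""
    findings: List[str] = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            url = urlparse(src.group(1))
            script_name = url.path.rsplit("/", 1)[-1].lower()
            if script_name in TAG_SCRIPT_NAMES and url.netloc.lower() not in ALLOWED_TAG_HOSTS:
                findings.append(f"tag script {script_name} loaded from unexpected host {url.netloc}")
            continue
        if B64_BLOB_RE.search(body) and DECODER_RE.search(body):
            findings.append("inline script decodes a long Base64 blob at runtime")
    return findings


def constructed_samples() -> Tuple[Dict[str, bytes], str]:
    """Constructed inputs: a favicon with an embedded PHP tag, a clean WebP, one HTML page."""
    fake_favicon = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 24 + b"<?php echo 'constructed placeholder'; ?>"
    clean_webp = b"RIFF\x1a\x00\x00\x00WEBPVP8 " + b"\x00" * 18
    blob = base64.b64encode(b"constructed placeholder payload " * 4).decode()
    html = (
        "<html><head>"
        '<script async src="https://www.google-analytics.com/analytics.js"></script>'
        '<script src="https://cdn-metrics.example.invalid/analytics.js"></script>'
        f'<script>var s=atob("{blob}");eval(s);</script>'
        '<script>console.log("hello");</script>'
        "</head></html>"
    )
    return {"favicon.ico": fake_favicon, "hero.webp": clean_webp}, html


if __name__ == "__main__":
    files, page = constructed_samples()
    for fname, content in files.items():
        finding = check_image_file(fname, content)
        print(f"{fname}: {finding or 'clean'}")
    for finding in check_html(page):
        print(finding)
```

Run against a real webroot, the image check is cheap enough to schedule after every deploy, and the HTML check is most useful on the checkout page, since that is where a skimming script has to live. The allowlist is the part to tune: the spoofed tags Microsoft saw used fresh domains, so an unexpected host serving a familiar script name is the signal, not the script name itself.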

At the conclusion of the report, experts from Microsoft recommend that organizations update the CMS and installed plugins to the latest versions and ensure that all third-party plugins and services are downloaded only from trusted sources.

2016: Russian cybercriminals abandon phishing in favor of skimming

In connection with measures taken to strengthen the security of mobile and online services, the popularity of carding is growing. As reported by Izvestia, citing experts from the Zecurion company, attackers are increasingly stealing bank card data using skimmers installed in ATMs rather than phishing.

For the period from January to June 2016, carding accounted for 87% of all funds stolen from Russians. The remaining 13% was taken by cybercriminals using phishing. According to experts, the number of crimes committed on the Internet has decreased by 3% compared to last year, and the share of offline crimes has increased by exactly the same amount.

In January–June 2016, skimming brought attackers 900 million rubles of income, while phishing brought 140 million rubles. Due to a lack of awareness of security issues, pensioners most often become victims of carders. As explained by the head of the Zecurion analytical center, Vladimir Ulyanov, in addition to data from the magnetic stripes of their cards, attackers can often also obtain the PIN code (for example, by looking over their shoulder or even asking).

According to Jet Infosystems expert Alexey Sizov, carding attracts criminals because, unlike online fraud, very little time passes between the theft of data and the immediate receipt of money. Installing the skimmer takes a matter of minutes or even seconds, and about five minutes are spent cloning the card. The process of obtaining funds through phishing takes much longer. Finding out just the credentials is not enough; you also need to get a duplicate SIM card, since SMS messages with one-time passwords for transactions are sent to your mobile device.

(c) https://www.tadviser.ru