This week the Kenyan government received a warning from the Federal Bureau of Investigation (FBI) that there is a high risk of ATMs being emptied by skilled cyber criminals. The truth is that this type of crime has been going on in Eastern Europe and parts of Asia since 2009.

In 2009 an incident response team attending to a bank that had just been hacked discovered a piece of malware on the bank's ATMs. On analysing it, the researchers concluded that it was stealing card data from unsuspecting ATM users: the attackers had moved on from attaching physical skimming devices to turning the whole ATM into a skimming device.

Traditional physical skimming device on ATM

Skimmer 2.0

In 2016 researchers once again found a skimmer virus on an infected ATM, but this time the malware had been reworked. The new version, detected by Kaspersky Lab as Backdoor.Win32.Skimer, came in 49 new modifications, 37 of which target the ATMs of one specific manufacturer, and it was now much harder to detect.

Most ATMs in Kenya run outdated and unpatched software, and a simple social engineering attack is all it takes to get the malware into a bank's information systems. Once the malware is in place it lies dormant and waits for a specific command.


"The criminals always seem to be one step ahead of us; we solve this, they find another way, they are not giving up." (CISO of a certain bank)


Anti-Virus Proof

The Skimer malware uses several techniques to evade anti-virus and forensic detection. First, the executable is "packed": the real code is compressed and obfuscated inside a wrapper, so the file on disk looks like an innocuous binary and does not match the signatures of the unpacked code. Second, if the malware finds that the ATM's disk is formatted as NTFS, it drops its library into an NTFS alternate data stream attached to a legitimate executable already on the system, rather than as an ordinary file. A directory listing or a file-by-file hash comparison then shows nothing new, which is exactly what throws investigators off.
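The practical check against the second technique is to enumerate every data stream on the ATM's binaries, not just the files themselves. The following is an added example written for this article, not code from the original post or from Kaspersky Lab: it calls the Win32 stream enumeration API through ctypes and applies a simple ranking rule of my own (an alternate stream hanging off an .exe, .dll or .sys is treated as high severity). The stream names and sizes in the comments are constructed, and the directory walk only runs on Windows.

```python
"""Enumerate NTFS alternate data streams (ADS) and flag the ones that should
not be there.  Added example for this article; not a vendor tool.  The
severity rule in flag_alternate_streams() is this example's own heuristic."""
import ctypes
import os
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value  # what FindFirstStreamW returns on failure
FIND_STREAM_INFO_STANDARD = 0


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout documented for FindFirstStreamW: 64-bit size, then the stream name
    # in the form ":name:$DATA" ("::$DATA" is the unnamed default stream).
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Return [(stream_name, size)] for every data stream of `path` (Windows only).

    Uses FindFirstStreamW / FindNextStreamW from kernel32, so it sees the same
    streams Explorer hides.  Raises OSError on non-NTFS volumes or non-Windows."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def flag_alternate_streams(path, streams):
    """Pure rule over an enumerated stream list, so it can be run offline on
    collected results.  Every stream other than the unnamed '::$DATA' is an
    alternate data stream.  It is ranked 'high' when attached to an executable
    or driver (the hiding place described above), 'low' for the browser-added
    ':Zone.Identifier' mark-of-the-web, and 'medium' otherwise."""
    executable = os.path.splitext(path)[1].lower() in {".exe", ".dll", ".sys"}
    findings = []
    for name, size in streams:
        if name == "::$DATA":
            continue
        if name.lower().startswith(":zone.identifier:"):
            severity = "low"
        elif executable:
            severity = "high"
        else:
            severity = "medium"
        findings.append((name, size, severity))
    return findings


def scan_directory(root):
    """Walk `root` (Windows) and return [(path, findings)] for files carrying an ADS."""
    results = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            try:
                findings = flag_alternate_streams(full, list_streams(full))
            except OSError:
                continue  # locked file, non-NTFS volume, or not running on Windows
            if findings:
                results.append((full, findings))
    return results


if __name__ == "__main__":
    # Example invocation (hypothetical ATM software path):  python ads_scan.py "C:\Program Files\ATMVendor"
    for file_path, hits in scan_directory(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"):
        for stream_name, stream_size, sev in hits:
            print(f"{sev:6} {file_path}{stream_name} ({stream_size} bytes)")
```

The one-liner equivalent in PowerShell is `Get-Item -Path <file> -Stream *`, which uses the same API. Either way, run the check from a clean boot or against the disk mounted on a trusted analysis machine: a backdoor that hooks file enumeration on the live ATM can hide its own stream from both.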


The Skimer malware has so many capabilities that it is unlikely to be the work of one person, or even of a small hacking group. It looks like the product of a state-sponsored team or of a criminal organisation with worldwide reach.

To activate the skimmer, an attacker inserts a special card whose magnetic stripe carries specific data on Track 2. The malware recognises that record and, instead of letting the ATM process a transaction, opens its own interface.

Once the skimmer's interface comes up, the attacker has less than 60 seconds to enter a session key on the PIN pad. After that the attacker can issue any of 21 commands, such as dispensing cash (a fixed number of notes from a specified cassette), collecting the details of inserted cards, printing the collected details, deleting the malware and updating it.
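Because the activation card never has to be a real payment card, the stripe record it carries need not look like one, and that is something a bank can check for in its ATM journals. The block below is an added example for this article, not code from the original post or from any vendor report: it parses ISO 7813 Track 2 records, rejects records that cannot be a genuine card (bad layout, PAN failing the Luhn check, impossible expiry), and then runs a constructed rule over constructed journal lines that flags a session where a non-card record was read, a PIN-pad entry followed within 60 seconds, and no transaction was performed. The journal format, the event names and the rule are my own assumptions and are not documented Skimer behaviour.

```python
"""Track 2 sanity checks and a journal heuristic for card-triggered activation.

Added example, not code from the original post or from any vendor report.
The ATM journal format and the detection rule are constructed for illustration
and are not documented Skimer behaviour.
"""
import re
from datetime import datetime, timedelta

# ISO 7813 track 2 layout: ;PAN=YYMM SSS discretionary?  ('=' separator, '?' end sentinel)
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)
# Constructed journal line: "<ISO timestamp> <atm id> <event> [key=value ...]"
JOURNAL_RE = re.compile(r"^(?P<ts>\S+) (?P<atm>\S+) (?P<event>\S+)(?: (?P<rest>.*))?$")
TRANSACTION_EVENTS = {"WITHDRAW", "DEPOSIT", "BALANCE", "TRANSFER"}

# Constructed sample journal: one genuine session, then a stripe record that is
# not a real card, a PIN-pad entry 15 s later and no transaction.
SAMPLE_JOURNAL = [
    "2017-01-14T02:11:05 ATM0042 CARD_READ track2=;4111111111111111=23121011234?",
    "2017-01-14T02:11:20 ATM0042 PIN_ENTERED",
    "2017-01-14T02:11:31 ATM0042 WITHDRAW amount=20000 status=OK",
    "2017-01-14T02:11:40 ATM0042 CARD_EJECT",
    "2017-01-14T02:40:10 ATM0042 CARD_READ track2=;1234567890123456=00000000000?",
    "2017-01-14T02:40:25 ATM0042 PIN_ENTERED",
    "2017-01-14T02:41:00 ATM0042 CARD_EJECT",
]


def luhn_ok(pan):
    """Luhn check-digit validation over a PAN string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_track2(raw):
    """Return ('card', []) for a plausible payment card record, otherwise
    ('anomalous', reasons).  Arbitrary command bytes written to a stripe
    tend to fail several of these checks at once."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return "anomalous", ["not ISO 7813 track 2 layout"]
    reasons = []
    if not luhn_ok(m.group("pan")):
        reasons.append("PAN fails Luhn")
    month = int(m.group("exp")[2:])
    if not 1 <= month <= 12:
        reasons.append("expiry month out of range")
    return ("card", []) if not reasons else ("anomalous", reasons)


def find_suspicious_sessions(journal_lines, pin_window_seconds=60):
    """Flag sessions where a non-card stripe record was read, a PIN-pad entry
    followed inside the window, and no transaction event was journaled."""
    alerts = []
    pending = None  # state for an anomalous CARD_READ awaiting a verdict

    def settle():
        if pending and pending["pin"] and not pending["txn"]:
            alerts.append({"atm": pending["atm"], "ts": pending["ts"].isoformat(),
                           "reasons": pending["reasons"]})

    for line in journal_lines:
        m = JOURNAL_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        atm, event, rest = m.group("atm"), m.group("event"), m.group("rest") or ""
        if event == "CARD_READ":
            settle()
            verdict, reasons = classify_track2(rest.partition("track2=")[2])
            pending = ({"ts": ts, "atm": atm, "reasons": reasons, "pin": False, "txn": False}
                       if verdict == "anomalous" else None)
        elif event == "PIN_ENTERED" and pending and atm == pending["atm"]:
            if ts - pending["ts"] <= timedelta(seconds=pin_window_seconds):
                pending["pin"] = True
        elif event in TRANSACTION_EVENTS and pending and atm == pending["atm"]:
            pending["txn"] = True
        elif event == "CARD_EJECT":
            settle()
            pending = None
    settle()
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_JOURNAL):
        print(f"{alert['ts']} {alert['atm']}: non-card stripe + PIN entry, no transaction; "
              + "; ".join(alert["reasons"]))
```

The rule is deliberately loose: a damaged stripe on a real card will also fail Luhn, so on its own the first check only produces a list of reads to look at. What makes the pattern worth an alert is the combination with a PIN-pad entry and the absence of any transaction, which is the shape a session-key entry would leave behind.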


Remarkably, the skimmer can write the dumps and PINs of the stolen cards onto the chip of the attacker's own card, or print the collected card details on the ATM's receipt printer.

In most cases the criminals are patient and do not empty infected machines, since a machine that suddenly pays out draws attention to the infection. Instead they collect the data of the skimmed cards and use it to make cloned cards, with which they go to uninfected ATMs and casually withdraw all of your money.



To prevent this damaging attack, researchers at Kaspersky Lab recommend regular anti-virus scans, a sound device management policy, full disk encryption (not just file-level encryption), protecting the ATM's BIOS with a strong password, allowing booting only from the hard disk drive, and isolating the ATM network from the bank's internal network. Each of these closes a different door: the BIOS password and hard-disk-only boot stop someone with physical access from booting the ATM from their own media, full disk encryption keeps a removed disk from being tampered with offline, and network isolation stops malware being pushed onto the ATMs from a compromised bank workstation.

Getting your team trained by RLCS will also reduce the likelihood of a cyber attack and mitigate its effects.

Have a skimmer-free day!