Malwarebytes is reporting a weird software credit card skimmer. It harvests credit card data stolen by another, different skimmer:
Even though spotting multiple card skimmer scripts on the same online shop is not unheard of, this one stood out due to its highly specialized nature.
“The threat actors devised a version of their script that is aware of sites already injected with a Magento 1 skimmer,” Malwarebytes’ Head of Threat Intelligence Jérôme Segura explains in a report shared in advance with Bleeping Computer.
“That second skimmer will simply harvest credit card details from the already existing fake form injected by the previous attackers.”
Posted on February 9, 2021 at 6:01 AM
Modern credit card skimmers hidden in self-service gas pumps communicate via Bluetooth. There’s now an app that can detect them:
The team from the University of California San Diego, who worked with other computer scientists from the University of Illinois, developed an app called Bluetana which not only scans and detects Bluetooth signals, but can actually differentiate those coming from legitimate devices — like sensors, smartphones, or vehicle tracking hardware — from card skimmers that are using the wireless protocol as a way to harvest stolen data. The full details of what criteria Bluetana uses to differentiate the two isn’t being made public, but its algorithm takes into account metrics like signal strength and other telltale markers that were pulled from data based on scans made at 1,185 gas stations across six different states.
Posted on August 26, 2019 at 6:41 AM
Interesting research paper: “Fear the Reaper: Characterization and Fast Detection of Card Skimmers”:
Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices including point of sale terminals, gas pumps, and ATMs. Detecting such devices can be difficult, and while many experts offer advice in doing so, there exists no large-scale characterization of skimmer technology to support such defenses. In this paper, we perform the first such study based on skimmers recovered by the NYPD’s Financial Crimes Task Force over a 16 month period. After systematizing these devices, we develop the Skim Reaper, a detector which takes advantage of the physical properties and constraints necessary for many skimmers to steal card data. Our analysis shows the Skim Reaper effectively detects 100% of devices supplied by the NYPD. In so doing, we provide the first robust and portable mechanism for detecting card skimmers.
Boing Boing post.
Posted on October 5, 2018 at 6:44 AM
Watch how someone installs a credit card skimmer in just a couple of seconds. I don’t know if the skimmer just records the data and is collected later, or if it transmits the data back to some base station.
Posted on July 17, 2018 at 6:20 AM
“Periscope skimmers” are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning they’re impossible to notice.
They’ve been found in the US.
Posted on September 19, 2016 at 6:16 AM
I have no idea if this is real. If I had to guess, I would say no.
Posted on December 10, 2012 at 5:56 AM
This is a clever development in ATM skimming technology. It’s a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it’s an ATM skimmer that requires no modification to the ATM.
Posted on February 3, 2011 at 5:54 AM
In Europe, although the article doesn’t say where:
Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects data on ATM fraud throughout Europe.
Posted on November 24, 2010 at 1:33 PM
ATM skimmers — or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.
The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.
Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web.
EDITED TO ADD (6/23): Another post.
Posted on June 22, 2010 at 6:49 AM