December 18, 2013

This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

On Saturday, Nov. 23, a customer at a Bank of Brazil branch in Curitiba, Brazil approached the cash machine pictured below, dipped his ATM card in the machine’s slot, and entered his PIN, hoping to get a printed statement of his bank balance.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

When the transaction failed, the customer became suspicious and discovered that this ATM wasn’t a cash machine at all, but a complete fake designed to be seated directly on top of the real cash machine. Here’s what the legitimate ATM that was underneath looked like.

The real ATM.

The real ATM underneath.

When the cops arrived, they pulled the fake ATM off the real cash machine. Here is the fake ATM, set down on the floor.

FakeATMfloor

The backside of the phony cash machine reveals what may be a disassembled laptop with the screen facing outward. The entire apparatus is powered by two large batteries (right). Notice the card skimming device (top right, with the green light) and a side view of the component for the fake PIN pad (top).

The backside of the fake ATM shows what appears to be laptop and skimmer components powered by two huge batteries.

The backside of the fake ATM shows what appears to be laptop and skimmer components powered by two huge batteries.

It’s not clear from the reporting in these stories from the Brazilian media (nor from the Youtube video from which the above photos were taken) exactly what hardware was included in this device. It seems difficult to believe that thieves would go to all this trouble without incorporating some type of GSM or 3G components that would allow them to retrieve the stolen information wirelessly. I don’t imagine it would be easy to simply walk away from a cash machine unnoticed while holding a giant fake ATM, and a wireless component would let the skimmer scammers offload any stolen data even after their creations were seized by the authorities.

This device appears to be nearly identical to a fake ATM found in April 2013 in Santa Cruz do Rio Pardo. The story about that April incident has much higher resolution photos, and states that the fake ATM indeed included a 3G mobile connection, ostensibly for sending the stolen card and PIN data to the thieves wirelessly via text message.

Interestingly, much like grammatical and spelling errors that often give away phishing emails and Web sites, the thieves who assembled the video for the screen for the fake ATM used in the April robbery appear have made a grammatical goof in spelling “país,” the Portuguese word for “country”; apparently, they left off the acute accent.

Most skimming attacks (including the two mentioned here) take place over the weekend hours. Skimmer scammers like to place their devices at a time when they know the bank will be closed for an extended period, and when foot traffic to the machine will be at its highest.

Keep a keen eye out for anything that looks amiss when you visit the ATM; if you see something that doesn’t look right, notify the bank or owner of the machine, and go somewhere else to get your cash. More importantly, make sure you’re aware of your physical surroundings when you go to withdraw money, and whenever possible use cash machines in well-lit, open places. Most people probably have a better chance of being physically mugged while at the ATM than they do getting scammed by a skimmer. According to a January 2013 report by the U.S. State Department, this is especially true for foreigners in São Paulo, Brazil, where “express kidnappings” occur when criminals force their victims to extract their daily cash limit from an ATM machine.

Finally, although it would not have helped the victims of these fake Brazilian ATMs, using your hand to cover the PIN pad while you enter your digits is a great way to foil most skimmers, which tend to rely on hidden cameras as opposed to fake PIN pads or PIN pad overlays.

Fascinated by ATM skimmers? Check out my series on these fraud devices: All About Skimmers.


42 thoughts on “The Biggest Skimmers of All: Fake ATMs

  1. andy

    All that quality external craftsmanship and interior is just duct tape city.

  2. Barry Shteiman

    All Skimmers should have a masters degree in design and fine arts, Skimmers for a long time have been borderline-artistic with these attacks. Next phase -> a full blown fake bank branch

    1. Stu Pendisdick

      It already exists, mate.

      It is called The Federal Reserve.

      1. Ed

        If only there was someone really smart to expose their whole fraudulent operation. Instead we’ve only got you.

  3. redrock

    These types of attacks against banks are common in Brazil. The Banks and credit card companies have large anti-fraud departments (with advanced computer/network forensics capabilities).

  4. Vitor Sakaguti

    At 0:47 the guy says “um chip da Tim”, which is Portuguese for “a Tim chip”. “Tim” is a major mobile network carrier in Brazil. Also, we see a 3g modem when the guy says that.

    Additionally, being a Brazilian living in São Paulo, I strongly recommend anyone not to use ATM machines at night. Ideally, use one inside a mall or some other closed public space (other than a bank). “Express kidnappings” happen to locals too, not just foreigners.

  5. harsh

    You say in your article that it is unlikely to walkout of the ATM with a ATM like machine in hand but then how did they got in their in the first place. He could surely be wearing a repair man costume. If there is a cctv in the atm then it might shed some light.

    1. BrianKrebs Post author

      True, but these guys know the skimmers will get discovered at some point. If their device doesn’t have 3G or GSM, they can kiss all that info goodbye.

  6. Old School

    “More importantly, make sure you’re aware of your physical surroundings when you go to withdraw money, and whenever possible use cash machines in well-lit, open places.” Most importantly, minimize or eliminate the use of ATMs. Start with a cash back credit card to reduce the use of cash and thus the need to make a trip to an ATM. When getting cash from an ATM, use a machine in a bank branch and withdraw as much as you can afford. Then return to your home and put most of the cash in an envelope which is then stored in a safe, secure area such as a sock drawer . Use the envelope as your home “ATM”.

    1. White Power

      Yeah, nothing says secure and safe like a sock drawer.

      1. **EJ**

        LOL – indeed. It’s the first place a robber will look for cash in a home robbery.

        1. Heath

          That’s why I leave a thin layer of socks at the top of every one of my dresser drawers – it slows them down because then they feel obligated to search them all.

          I also leave a bevy of fake keys under my doormat.

          1. mkellington

            I call bs.
            Let me guess you have fake cars in your driveway to slow down the car jackers.

      2. Old School

        Gentle Reader: The reference to a sock drawer was intended to be humorous. The sentence had just previously said to “put most of the cash in an envelope which is then stored in a safe, secure area” which was to be a contrast to the capabilities of a sock drawer. “White Power” seems to have caught the humorous intent.

  7. Vitor Sakaguti

    > When getting cash from an ATM, use a machine in
    > a bank branch and withdraw as much as you can
    > afford.

    Not a good advice in Brazil. Withdrawing from a bank branch is how kidnappers find you. If you have to use an ATM, use one from a closed public space, where a lot of people see you, but no one can throw you in the trunk. Spend some time in the place instead of leaving immediately.

    1. Old School

      Nice catch. I should have listed the places where this advice does not apply.

    2. Emilian

      I always withdraw money from ATMs that are under visual surveillance. Even, if something happens the police will have a clue.

  8. Jovan

    I come from a country where Lebanese loop is still used much more than skimmers.
    Brasilian criminals took skimming to another level, definitely.
    Just imagine logistics needed for installing a regular skimmer and installing the whole fake ATM?
    I suppose that there is a whole chain of corruption involved in this case.
    This is seriuos stuff, but I must admit, on the outsite it’s kinda funny.

    1. Debbie

      Megan,
      Thanks for sharing that. From now on I will look more closely at ATMs and for those that really look suspicious I’ll pull on the parts to see if anything comes off!

      1. Bobs

        Tom, any blogspot address will redirect to your country’s local blogspot servers (if they exist). I get redirected to my own country, and I haven’t called the cops. 🙂 These people are very likely not in New Zealand. It’s just Blogspot being efficient.

    2. Erma Vepp

      The comments on that site are just bizarre! Along the lines of, “Thank you for your wonderful product.” (“…that allows me to be a total a**hole by creating misery for other people.”)

      One can only hope Karma bites them in the ass tomorrow, if not sooner.

  9. TheOreganoRouter.onion

    Couldn’t the fuzz do a forensic analysis on the hard drive to find out more information or possibly the connection to the owner?

    This was a real awesome article, like the pictures

  10. Lindy

    So can we assure ourselves a of genuine machine by yanking on various parts of the ATM? Then if nothing moves it’s probably a real machine? It never ceases to amaze me at how these smart, clever people refuse to get a real job and prefer to duct tape their way to wealth on the backs of people who do (work at real jobs.)
    Thanks Brian for another fabulous year of reporting. May all your ATM experiences be good… 😉

    1. David K

      I do this at all ATMs – (some of) my friends think I’m nuts. I’ll wiggle the card slot, pick at the edge of the keys or keypad, and run my hands along the edges of the screen/bezel. Most of these things are only stuck on with glue, tape or something similar. They may not come off in your hand, but real ATM parts don’t wiggle.

    1. JCitizen

      Brian – peter’s link needs to be disabled or deleted – my honey pot shows it attacks anyone who clicks on it.

  11. Paul

    Not only ATM’s are being used to skim.

    In Brazil credit card readers are typically brought to your table in restaurants/bars etc. when you are ready to pay your bill with plastic. I got caught by an instance in Rio where the machine brought out couldn’t complete the transaction (the machine just “hung”), they brought out another machine which worked, next day fraudulent charges started showing up on the card. I strongly suspect the first machine was a skimmer or cloning device of some kind.

    Also, according to many reports on Tripadvisor the open air ATM’s at the Rio GIG airport have supposedly been compromised and the authorities have done nothing.

  12. IA Eng

    Here ya go Brian. Another ATM style attack that seems new and interesting. From DHS Infrastructure Report;

    9. December 18, Softpedia – (International) Skimmer trojan targets ATMs made by
    – 4 –
    one of the world’s largest manufacturers. Researchers at Doctor Web identified a new ATM trojan dubbed Trojan.Skimmer.18 that targets machines developed by a major ATM manufacturer. The trojan is spread by an infected application, captures payment card information, and allows criminals to collect the data and perform other functions on an ATM using a master card. Source: http://news.softpedia.com/news/Skimmer-Trojan-Targets-ATMs-Made-by-One-of-the-World-s-Largest-Manufacturers-410249.shtml

  13. Walker Rowe

    That is a common tactic down here in Chile. Thieves stolen $400 from my wife’s bank account and got to my father-in-laws bank account too. Most of these thieves are coming to Chile from Colombia.

    1. Raphael Oliveira

      Any tips for a brazilian that is soon to move to chile?

  14. ed

    In Peru thieves stole 100,000 dollars a famous footballer. They used a Trojan. The news is on youtube. You may be interested.

  15. Craby

    Comment from Russia.

    Actually this year there was at least 1 atm of false bank.
    Someone just instlled it in the mall near moscow center and was gathering data for a period of time.

    So false cover isn’t the biggest way of scumming)

    1. SeymourB

      Indeed, I’m surprised there aren’t more fake ATM stations. For a time that seemed to be all the rage for miscreants… build a box that looked just like an ATM, drop it off in a mall near a power outlet, fill it with a couple thousand dollars, read cards & PINs, dispense whatever cash the person requested, then scoop it up a few days later, and drain all the bank accounts to recoup your costs.

  16. john

    Would love to have emailed you directly, being an avid reader of your posts for a while, have you heard of ATM’s being compromised via USB in Europe, I was only able to find a small bit of info and would love to read up on your findings. Attached is article from today’s Irish journal site. Happy birthday from Ireland and looking forward to your posts in 2014.
    http://businessetc.thejournal.ie/atm-hacking-usb-port-1244190-Dec2013/

      1. Peter Fillmore

        Here is a link to the talk on the USB attack on ATMs:
        http://media.ccc.de/browse/congress/2013/30C3_-_5476_-_en_-_saal_2_-_201312271600_-_electronic_bank_robberies_-_tw_-_sb.html

        Interestingly enough this was just to “jackpot” the ATMs, not capture card data.

        For reference ATMs are usually an industrial PC attached to a safe to protect the money. Card Data is handled by the PC, which then sends this data to the Encrypting PIN Pad which forms the PIN block.
        The Encrypting PIN Pad (usually) is a tamper resistant device certified under PCI-PTS. So plaintext PINs are (if using certified hardware) not able to be monitored using the PC controlling the ATM. This is why skimmers in the wild need to use cameras or overlays over the keypad to capture your PIN.

        Too many ATMs use Windows XP Embedded as their OS, this is normally locked down using white-listing/restricted accounts/virus scanning etc. However manufacturers have a tendency of forgetting about the BIOS of the system and allow for booting from external sources. (in addition to all the issues of using a consumer OS…)

        The ATM industry are not fans of certifying their hardware for security as the margins on machines are too low to implement proper security. See the attempts by PCI to get an ATM security standard to be used by industry.

Comments are closed.