Skimming Threat Landscape: Technology Advances Lower Barriers of Entry for Novice Skimming Operators

Skimmers are microelectronic spying devices which are planted into automated teller machine (ATM) and/or point of sale (PoS) terminals to steal track information from a card magnetic stripe. This information is a cornerstone for any card-present fraud operation, also known as "real" or offline carding.

Such skimming operations are oftentimes riskier than other types of crime for fraudsters; however, they also yield higher returns. The purpose of their cashouts behind them is to draw as much cash as possible and remit the money to the criminal organizers.

Physical Skimming Operations as Concentric Criminal Networks

Image 1: Skimmer operations reveal a trend towards decentralization.

Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools.

Newer technologies advance help reduce barriers of entry: "lone-wolf" cybercriminals craft cheaper and simpler skimmers without the historical dependence on the well-established trusted criminal networks.

Skimming Centralized Production: “We know everything about ATMs”

Image 2: The criminal skimmer seller hosts a dedicated website meant to enable skimming sales.

Russian-speaking skimmer networks can be characterized by several traits, formalized by the most reputable and well-known skimmer producers. These traits include:

• Long-term criminal underground presence: most of the reputable networks offer their services for over 10 years on the criminal underground.

• Main operations are conducted on vetted elite forums via underground escrows.

• The integrated approach toward operations and supply chains: networks possess human and technical resources for the entire skimming operation cycle: ATM identification -> skimmer assembly and upgrade -> skimmer planting -> skimmer extraction and stolen data decryption.

• The groups are able to operate internationally.

Image 3: One major underground skimmer seeks a real carding team to cash out via shimmers.

These rigid organizational and operational frameworks enable exclusive skimming networks to design their product lines based on advanced technological solutions. It is these networks that develop, upgrade, and sell the most potent and imperceptible skimmers.

Based on the review of the most reputable shops and source intelligence, AdvIntel subject matter experts identified the following trends in the centralized segment of skimmer threat landscape:

1. Audio skimmers on the rise since 2018. These devices record audio in a moment when the card magnetic track is being scanned. They are an ideal entry point for novices to skimming industry due to their moderate price of approximately $1,500 USD and high resilience. These skimmers can bypass jittering and radio-electronic defenses; however, they are extremely vulnerable to noise jamming.

• Flash audio-skimmers. They are an even more advanced version, proliferating since 2017. They use timing-calculating algorithms to “reed” the audio when the card is been scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format. These skimmers are more expensive with the price of over $2,000 USD; however, they are able to operate for over 20 hours and record over 500 track dumps per session.

2. Flash skimmers loose traction on the market. These skimmers are inserted into bezels of ATMs and read the magnetic stripe of the card. These are one of the most simple and vulnerable skimmers, capable of reading 10-50% cards and susceptible to radio-electronic jamming, and, especially, jittering. but even they cost around $300-500 USD. However, they can be improved with special screening upgrades allowing them to become more resilient.

3. Shimmers remain a controversy. Shimmers or "inside skimmers" are paper-thin plates with a chip which is inserted into the dip-and-wait slot and reads the information directly from the magnet swipe and chip. Theoretically, this means that traditional defense types will not interrupt their work. The Russian-speaking community observed leveraging these devices, as early as 2013, but the main discussion started in 2017. Some vendors claim that shimming technology is rather a myth emerging from researchers who observed traditional insert skimmers of extremely high quality. Others argue that shimmers have their own selected niche, in which they are never sold to customers but are provided to them on a temporary basis for $1,000-5,000 USD per week.

4. Video skimmers turn into a kit. Traditional video skimmers are small cameras which capture a cardholder entering personal identification number (PIN) information. Since 2018, these cameras are being attached to audio-skimmers as a combined set. These sets are especially popular among the Russian-speaking underground since they allow to install the device quicker than during a separate installation of camera and an audio skimmer.

Image 4: The underground buyer leaves positive feedback related to the purchase of skimming devices in Latin America.

Technology Advances Lower Barriers of Entry for Novice Skimming Operators

Since the 2010th, technological shifts revolutionized skimming operations capabilities and changed the balance in skimming production. One of the key shifts was the introduction of smaller batteries with larger capacities, which increased skimmer operation time. Additionally, the memory of device drives also increased exponentially along with signal coverage. Skimmers are now smaller, cheaper, and more efficient.

Another technical advance was related to the 2016-2017 increased availability of smartphones and Bluetooth devices for them. The development of massive online retailer services made ATM components, including anti-skimming plugins readily available. As a result of this shift, many carders started to develop their own small ATM skimmers, often known as mini-readers. Instead of classic skimmers, mini-readers, are more simple devices which can be assembled in home settings.

The community started to share instructions on hand-craft skimming assembly. For instance, a known Russian-speaking threat actor specializing in ATM skimming on various underground communities started a thread explaining how to craft a Global System for Mobile Communications (GSM) skimmer in home settings. They explained how to connect a legitimately-purchased “BT009” Bluetooth tiny card reader to an Android smartphone via TeamViewer host. The smartphone receives signals and information from the card reader directly.

Image 5: Russian-speaking cybercriminals detail how to make your own skimmers in home conditions.

Such discussions attract many skimming fraudsters joining with their own recommendations. Most recently, one senior underground member posted their suggestions on improving this simple GSM skimmer by modifying the receiving phone to increase its operational range up to 0,7 mile.

On April 13, 2019, one of the forum members posted their own instruction on creating a home-made ATM bezel skimmer. Through e-commerce retailers, a 3-mm card reader magnetic head can be purchased for less than $10 USD. This is the essential component of the card reader which reads the information on the card track. In addition, 7 "TWS" or 9 "TWS" headphones can be purchased around $10 USD and a cheap burner phone operating on Android. Russian Avito or AliExpress are used as e-commerce platforms for these products. As a result, total skimming device costs will likely not exceed $50 USD in the compartment to a service-produced bezel skimmer with a median cost between $400 and $500 USD.

Image 6: Many ATM parts necessary for skimming can be simply purchased on various e-commerce platforms at a lower cost.

Headphones serve as transmitters of Bluetooth signal; however, their microphone is extracted, and, instead, the magnetic-head is inserted (instruction provides an elaborate explanation of this mechanical process). The newly created device is also modified through adding tin layers to charger connectors so it can be charged via adjustable chargers. An Android phone connected to the headphones, now transformed into a card-reader will serve as an information receiver should be equipped with “Mono-BT” Android application or “Btmono” Android software to transmit the signal.

Conclusion & Outlook

Physical skimming offers a risky but extremely lucrative endeavor. Even one cashout operation can yield thousands of dollars. Such high returns motivate Russian-speaking cybercriminals to constantly develop new ways of advancing the skimming technology.

Various socio-economic and educational upbringing factors contribute to this growth amongst fraudsters in the countries of the Commonwealth of Independent States with its traditionally high quality of education, especially in the areas of microelectronics and engineering.

AdvIntel subject matter experts assess with a high degree of confidence that skimming technology will be continued to be upgraded to bypass new defenses with the trend towards decentralized skimming operations with the lowered barriers of entry for novice skimming operators. Moreover, considering how organized and internationalized Russian physical carding networks are the most developed solutions will most likely be used for cashout in the Western Hemisphere due to higher revenues.

Becoming familiar with the new evolving skimming trend operations of a typical skimming operation helps analysts place their investigative findings in context, identify areas of interest and target collection efforts as well as understand and dissect trends within the skimming threat landscape.