Researchers have recently discovered the Tyupkin malware, which is used to infect ATMs and lets attackers take cash directly from the machines, stealing millions of dollars. Its creators are sophisticated and go to great lengths to keep the scheme from being noticed.
MA-based Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world.
At the request of a financial institution, Kaspersky Lab’s Global Research and Analysis Team performed a forensic investigation into this cyber-criminal attack. The malware, identified and named by Kaspersky Lab as Backdoor.MSIL.Tyupkin, has so far been detected on ATMs in Latin America, Europe and Asia.
The criminals work in two stages. First, they gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected ATM is now under their control and the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine.
Video footage obtained from security cameras of the infected ATMs showed the methodology used to access the cash from the machines. A unique digit combination based on random numbers is newly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone.
When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. The ATM then dispenses 40 banknotes at a time from the chosen cassette.
Kaspersky Lab says that over the last few years it has observed a major upswing in ATM attacks using skimming devices and malicious software. It is now seeing the natural evolution of this threat, with cyber-criminals moving up the chain and targeting financial institutions directly, either by infecting the ATMs themselves or by launching direct APT-style attacks against banks. The Tyupkin malware is an example of attackers taking advantage of weaknesses in the ATM infrastructure.
Kaspersky Lab recommends the following to banks in order to mitigate the risk:
• Review the physical security of all ATMs and consider investing in quality security solutions.
• Replace all locks and master keys on the upper hood of the ATM machines and ditch the defaults provided by the manufacturer.
• Install an alarm and ensure it is in good working order. The cyber-criminals behind Tyupkin only infected ATMs that had no security alarm installed.
• Change the default BIOS password.
• Ensure the machines have up-to-date antivirus protection.
• For advice on how to verify that your ATMs are not currently infected, please contact us at [email protected]. To make a full scan of the ATM’s system and delete the backdoor, please use the free Kaspersky Virus Removal Tool (available to download here).
A video showing how this attack works on a real ATM is available here.
Read more about Tyupkin ATM malware on Securelist.com.