Malware attacking ATMs across the world, Kaspersky warns

Share on facebook
Share on twitter
Share on linkedin
Share on email

A malware is infecting automated teller machines (ATMs) across the world, security firm Kaspersky warned.

The malware, codenamed ?Tyupkin,? does damage by allowing attackers to empty these cash machines without the need for a credit card. Kaspersky Lab experts further said attackers can steal by direct manipulation of the ATMs.

According to Kaspersky Lab, the attackers often work at night and only on Sundays and Mondays. The attack is initiated as criminals enter a combination of digits on the ATM?s keyboard, make a call to receive further instructions from an operator, enter another set of numbers.

The ATM then starts giving out cash without the need for a card. The criminals work in two stages. First, they get physical access to the ATMs and insert a bootable CD to install the malware.. After they reboot the system, the infected ATM is under their control.

After a successful infection, the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times?on Sunday?and?Monday?nights. During those hours the attackers are able to steal money from the infected machine.

Video footage obtained from security cameras at the infected ATMs showed the methodology used to access cash from the machines.

A unique digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud.

Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone.

When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob.

After this the ATM dispenses 40 banknotes at a time from the chosen cassette.

At the request of a financial institution, Kaspersky Lab?s Global Research and Analysis Team performed a forensic investigation into this cyber-criminal attack.

The malware identified and named by Kaspersky Lab as Backdoor.MSIL.Tyupkin, has so far been detected on ATMs in Latin America, Europe and Asia.


?Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,? said Vicente Diaz, principal security researcher at Kaspersky Lab?s Global Research and Analysis Team.

?We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions.?

Kaspersky Lab will also be working with Interpol on the countries that have been identified to have infected ATMs.

?Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,? said Sanjay Virmani, director of Interpol Digital Crime Centre.

Latest Posts