A forensic investigation into cybercriminal attacks targeting multiple ATMs around the world, performed by Kaspersky Lab, discovered malware dubbed “Tyupkin” that infects ATMs and allows attackers to remove money via direct manipulation, stealing millions of dollars.
Interpol has alerted the affected member countries and is assisting ongoing investigations. Tyupkin has so far been detected on ATMs in Latin America, Europe, and Asia.
How Tyupkin attack works
Criminals work in two stages, says Kaspersky Lab:
1. Physical break-in. They gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware.
2. Remote activation. After they reboot the system, the infected ATM comes under their control and the malware runs in an infinite loop waiting for a remote command.
To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine.
Video footage obtained from security cameras of infected ATMs showed the methodology used to access the cash from the machines. A unique digit combination based on random numbers is generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone.
When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. The ATM then dispenses 40 banknotes at a time from the chosen cassette.
Growth industry in fraud
“The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,” says Vicente Diaz, principal security researcher at Kaspersky Lab. “We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions.”
Over the last few years, continued Diaz, “we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly,” says.
Diaz says that this is accomplished by infecting ATMs themselves or launching direct APT-style attacks against banks. APT—“advanced persistent threat”—is a network level attack.
“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,” said Sanjay Virmani, director of the INTERPOL Digital Crime Centre.
Consider your bank’s exposure
Commenting on the Tyupkin malware, Jean-Philippe Taggart, senior security researcher at Malwarebytes Labs—not affiliated with Kaspersky Lab—says: “Since criminals require physical access to the ATM, that severely limits what can be achieved. Europe has many ATMs directly on the street, and that makes them somewhat more vulnerable to physical attack. The session key required in this attack prevents a rogue mule from taking over the scam. It attacks the bank infrastructure directly, so while customers’ accounts are not being drained, they will feel the pain when the banks transfer the costs of fraud over with higher fees. Banks will likely not tighten their ATM security stance until cost analysis shows that this type of attack is costing them enough to warrant it.”
Taggart acknowledged the cost-benefit thinking that’s going on: “Tyupkin malware doesn’t seem like a big deal at this point. The larger issue is that the banks still do risk analysis and fraud budgets to evaluate if the problem needs immediate attention, rather than addressing the problem from the get go.”
How to reduce your bank’s risk
Kaspersky Lab recommends the following to banks in order to mitigate the risk:
• Review the physical security of all ATMs and consider investing in quality security solutions.
• Replace all locks and master keys on the upper hood of the ATM machines and ditch the defaults provided by the manufacturer.
• Install an alarm and ensure it is in good working order. The cyber-criminals behind Tyupkin only infected ATMs that had no security alarm installed.
• Change the default BIOS password.
• Ensure the machines have up-to-date antivirus protection.