Crooks use malware to empty cash machines

Criminals are using malware to clean out cash machines around the world, stealing millions of dollars without having to insert a credit card.

Kaspersky Lab says that it discovered the Tyupkin malware after a forensic investigation conducted at the request of an unknown financial institution. Interpol is now working with countries to investigate the software, which has been spotted in Europe, Latin America, and Asia.

The attack first requires the crooks to gain physical access to the ATM so that a bootable CD can be inserted. After a system reboot, the infected ATM is under the attackers' control and the malware runs in an infinite loop waiting for a command.

To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine.

When a gang member visits an infected ATM a unique digit combination appears on the screen. This is relayed to another crook over the phone who knows the algorithm needed to generate a session key. When the key is entered, the ATM displays details of how much money is in each cash cassette and invites the operator to choose one. Once this is done, 40 notes are dispensed.
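To show the detection side of the behaviour described above, here is an added example (not code from the article or from Kaspersky) that scans a constructed ATM event journal for cash dispensed without a preceding card read and flags those that fall in the Sunday/Monday night window; the journal format, the two-minute card-to-dispense pairing window and the 22:00-06:00 night boundaries are assumptions, since the article gives no exact times.

```python
from datetime import datetime, timedelta

# Constructed ATM event journal (sample data, not from any real machine).
# Each row: (timestamp, atm_id, event, detail)
EVENTS = [
    ("2014-10-05 14:02:10", "ATM-17", "CARD_READ", "pan=****1234"),
    ("2014-10-05 14:02:40", "ATM-17", "DISPENSE", "cassette=2 notes=3"),   # normal withdrawal
    ("2014-10-06 01:15:20", "ATM-17", "DISPENSE", "cassette=1 notes=40"),  # Mon 01:15, no card
    ("2014-10-08 09:30:00", "ATM-17", "DISPENSE", "cassette=3 notes=40"),  # Wed 09:30, no card
]

CARD_WINDOW = timedelta(seconds=120)  # assumed: a card read must precede a dispense within 2 min
NIGHT_START, NIGHT_END = 22, 6        # assumed night boundaries; the article names none


def in_night_window(ts):
    """True for Sunday night or Monday night (22:00 to 06:00 the next morning, assumed)."""
    if ts.hour >= NIGHT_START:
        return ts.weekday() in (6, 0)   # Sunday or Monday evening
    if ts.hour < NIGHT_END:
        return ts.weekday() in (0, 1)   # early hours of Monday or Tuesday
    return False


def parse_notes(detail):
    """Extract the note count from a 'key=value' detail string; 0 if absent."""
    for field in detail.split():
        key, _, value = field.partition("=")
        if key == "notes":
            return int(value)
    return 0


def cardless_dispenses(events, window=CARD_WINDOW):
    """Return DISPENSE events with no CARD_READ on the same ATM within `window` before them.

    Events are assumed to be in chronological order, as a journal would be.
    """
    alerts = []
    last_card = {}  # atm_id -> time of the most recent card read
    for ts_str, atm, event, detail in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if event == "CARD_READ":
            last_card[atm] = ts
        elif event == "DISPENSE":
            last = last_card.get(atm)
            if last is None or ts - last > window:
                alerts.append({"time": ts_str, "atm": atm,
                               "notes": parse_notes(detail),
                               "night_window": in_night_window(ts)})
    return alerts
```

Both cardless dispenses are reported; the one in the night window with a 40-note batch is the closest match to the behaviour the article describes.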

Vicente Diaz, principal security researcher, Kaspersky Lab, says: "Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks."

The security company is advising banks to review the physical security of their ATMs and network infrastructure, change default BIOS passwords and make sure machines have up-to-date antivirus protection.

Comments: (1)

Hitesh Thakkar - SME - Fintech startups (APAC and Africa) - India, 08 October, 2014, 00:18

Usually most ATMs have their inbuilt PC SECURED behind the chest door, or sometimes in a separate physical partition in which it's kept for field engineers to maintain the machine for break-fix and software updates.

The kind of malware attack described is possible only if someone has such access to the PC in the ATM. I believe two or three years back the USB access slot for external parties was removed.