WATCH: How a virus can steal your ATM money
MANILA, Philippines – How safe is your money?
Kaspersky Lab’s experts performed a forensic investigation into cyber-criminal attacks targeting multiple ATMs around the world. They discovered a piece of malware infecting ATMs that allowed attackers to empty the cash machines via direct manipulation, stealing millions of dollars.
According to the researchers, the culprit works at night time on Sundays and Mondays. Without inserting a credit card into the ATM slot, they enter a combination of digits on the ATM’s keyboard, make a call to receive further instructions from an operator, enter another set of numbers and the ATM starts giving out cash, lots of cash. Then they leave.
How the malware works
The criminals work in two stages. First, they get physical access to the ATMs and insert a bootable CD to install the malware named Tyupkin.
After a successful infection, the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours the attackers are able to steal money from the infected machine.
A unique digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud.
The malicious operator then receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone.
When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob.
After this the ATM dispenses 40 banknotes at a time from the chosen cassette.
What banks can do to mitigate the risk:
• Review the physical security of their ATMs and consider investing in quality security solutions.
• Replace all locks and master keys on the upper hood of the ATM machines and ditch the defaults provided by the manufacturer.
• Install an alarm and ensure it is in good working order. The cyber-criminals behind Tyupkin only infected ATMs that had no security alarm installed.
• Change the default BIOS password.
• Ensure the machines have up-to-date antivirus protection
The malware has so far been detected on ATMs in Latin America, Europe and Asia.
“We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team.
A video showing how this attack works on a real ATM is available here.
- Latest
