Kaspersky Lab this week reported that criminals have been emptying ATMs and infecting them with malware dubbed “Tyupkin.”
About 50 machines have been infected in eastern Europe, and the attacks have spread to the United States, India and China, based on statistics culled from VirusTotal, Kaspersky said.
The attackers target ATMs from a vendor that Kaspersky Principal Security Researcher Vicente Diaz declined to name; the machines run a 32-bit version of Windows.
They empty out the ATM’s cash cassettes, each of which holds 40 notes.
“Cyberattacks using malware are not uncommon but are responsible for far fewer losses than skimming,” said David Tente, the ATM Industry Association’s executive director for the USA.
The association keeps its members informed of such attacks, Tente told the E-Commerce Times.
Tyupkin Turns Up
Kaspersky conducted an investigation of attacks on ATMs in eastern Europe at a financial institution’s request. It discovered a piece of malware, which it dubbed “Backdoor.MSIL.Tyupkin,” that the attackers have been using to empty the ATMs by manipulating their operating systems.
Footage from security cameras at the locations of infected ATMs shows that the attackers used a bootable CD to access the machines’ OS, Kaspersky said.
They then uploaded several files into the ATMs in a process that required them to press “Enter” after every command on the machines’ PIN pads. The malware let the criminals select the cassettes to empty.
“We believe the attackers just wanted to steal everything and didn’t care about doing this slowly to avoid detection,” Diaz told the E-Commerce Times.
The attackers may have some connection to the banks whose ATMs they rob: they use a key generated from a random seed, and without it they cannot interact with the ATMs. When the key is entered correctly, the ATM displays how much money is available in each of its cassettes and lets the attackers make withdrawals.
If the wrong key is entered, the malware disables the local network, but Kaspersky can’t explain why.
The key is provided by a small application. The attackers either have this with them on a laptop or receive instructions over the phone from conspirators who have access to the program, Diaz said.
Further, the attackers know where the CD readers are located behind the ATMs’ covers, so they are able to force their way in to access them, Diaz said.
Tyupkin’s Magical Mystery Tour
Many questions about the thefts remain unanswered.
The criminals disabled McAfee Solidcore, which provides change management auditing, configuration control, PCI compliance and system lockdown for enterprise IT systems, but “we don’t know why only this [software] was specially targeted,” Diaz said.
Further, it’s not clear why the criminals didn’t use better-designed malware that would make their operation smoother.
Also, Kaspersky analyzed data from VirusTotal to determine the countries where the malware has turned up, but it cannot determine the extent of the infections.
By default, Tyupkin accepts commands only on Sunday and Monday nights, Kaspersky said, speculating that this is to make detection more difficult.
It’s not clear why the malware disables the local network.
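The behaviours described above (activity confined to Sunday and Monday nights, the lockdown software being stopped, the network link going down, whole cassettes being emptied) lend themselves to a simple monitoring rule on ATM telemetry. The following is an added example, not Kaspersky's code or anything from its report; the log format, the event names and the 20:00 to 06:00 "night" boundaries are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NIGHT_START_HOUR, NIGHT_END_HOUR = 20, 6   # assumed "night" bounds (not from the report), local time
CASSETTE_CAPACITY = 40                      # each cassette holds 40 notes, per the article
APP_CONTROL_NAMES = {"McAfee Solidcore"}    # lockdown software the attackers disabled

# Constructed sample telemetry in an assumed format: "<ISO timestamp> <atm id> <event> [<detail>]".
SAMPLE_EVENTS = """\
2014-10-05T23:40:00 ATM-017 NET_LINK down
2014-10-05T23:41:10 ATM-017 SERVICE_STOP McAfee Solidcore
2014-10-05T23:45:30 ATM-017 DISPENSE cassette=1 notes=40
2014-10-05T23:46:05 ATM-017 DISPENSE cassette=2 notes=40
2014-10-06T01:05:00 ATM-017 DISPENSE cassette=3 notes=40
2014-10-06T10:15:00 ATM-017 DISPENSE cassette=1 notes=3
2014-10-08T02:10:00 ATM-022 NET_LINK down
"""

def in_tyupkin_window(ts: datetime) -> bool:
    """True when ts falls on a Sunday or Monday night, early hours of the next day included."""
    if ts.hour >= NIGHT_START_HOUR:
        night_of = ts                       # evening: the night belongs to today
    elif ts.hour < NIGHT_END_HOUR:
        night_of = ts - timedelta(days=1)   # small hours: the night began yesterday
    else:
        return False                        # daytime: outside the window
    return night_of.weekday() in (6, 0)     # 6 = Sunday, 0 = Monday

def parse_event(line: str):
    ts, atm, kind, *rest = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), atm, kind, rest[0] if rest else ""

def analyse(log_text: str) -> dict:
    """Group Tyupkin-like indicators that occur inside the window by ATM id."""
    findings = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, atm, kind, detail = parse_event(line)
        if not in_tyupkin_window(ts):
            continue
        if kind == "NET_LINK" and detail == "down":
            findings[atm].append(f"{ts}: network link dropped")
        elif kind == "SERVICE_STOP" and detail in APP_CONTROL_NAMES:
            findings[atm].append(f"{ts}: application control stopped ({detail})")
        elif kind == "DISPENSE":
            fields = dict(kv.split("=", 1) for kv in detail.split())
            if int(fields.get("notes", 0)) >= CASSETTE_CAPACITY:
                findings[atm].append(f"{ts}: whole cassette {fields['cassette']} emptied")
    return dict(findings)
```

On the constructed sample, ATM-017 accumulates five indicators on the Sunday night of 5 October 2014, while the daytime dispense and ATM-022's Wednesday-morning outage are ignored; in practice a machine with several distinct indicator types in one window would be escalated for a physical inspection.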
Protecting Against ATM Theft
Kaspersky recommends a review of physical security at all ATMs, along with replacement of all locks and master keys on the machines’ upper hoods. Default keys and locks provided by the manufacturer should be ditched.
ATM installations should have an alarm in good working order — the ATM robbers using Tyupkin only hit ATMs without security alarms installed.
ATM owners should change the default BIOS password and ensure they have up-to-date antivirus protection.
The ATMIA’s Best Practice manuals cover software, cybersecurity, ATM lifecycles, ATM physical key management and ATM physical security, Tente said, adding that most of these attacks require access to the machines’ insides.