A new method of stealing from cashpoints has drained millions of dollars from ATMs across the world
Cyber criminals have created a new backdoor program (software that bypasses the normal authentication process) called Tyupkin. Installing it requires physical access to the ATM, which runs a 32-bit version of Windows, and booting the machine from a CD. According to the judicial authorities, the threat has continued to evolve in recent months, infecting ATMs in Asia, Europe and Latin America.
So far, no information has been obtained about the criminal groups behind these attacks, but “millions of dollars” have already disappeared from ATMs across the world on which the sophisticated malware was installed. The security solutions firm Kaspersky and Interpol are working together in an attempt to put a stop to this phenomenon.
“Over recent years we have seen a major rise in ATM attacks, using skimming devices and malware. Now we are seeing the natural evolution of the cybercriminals’ threats, which are going up the chain, directly targeting financial institutions. This is done by infecting their ATMs or by launching an Advanced Persistent Threat (APT)-style attack against banks. The Tyupkin malware is a type of attack which takes advantage of the weaknesses in the ATM structure” – Vicente Diaz, Kaspersky Lab researcher
How does the Tyupkin attack work?
To install the malicious backdoor, the carriers (money mules, people who move illegally obtained money, whether by courier or electronically) must physically insert a bootable CD, which starts the system and installs the malware.
Once the device is rebooted, the ATM is under the control of the criminal group. The malware then runs in the background, looping while it waits for a command from the attacker. However, it only accepts commands at certain times, in this case only on Sundays and Mondays, which makes it even harder to detect. Moreover, a unique key is generated from a random number so that a user cannot accidentally reach the hidden menu; this key code must be entered before the main menu is displayed.
“The malware operator receives instructions by phone from another member of the group who knows the algorithm and is capable of generating a session key based on the displayed number” – Kaspersky
When this session key is entered correctly, the ATM displays how much money is available in each cash box and invites the operator to choose which box to empty and how many bills to take; the ATM dispenses a maximum of 40 notes at a time from the selected box.
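The behaviour described above (cash leaving a cassette with no customer card transaction behind it, only on Sundays and Mondays, at most 40 notes per request) is a pattern a bank's monitoring team can look for in the machine's dispense journal. The following is an added illustration, not code from the article or from Kaspersky: it parses a constructed, hypothetical journal format (real ATM journals differ by vendor), and flags cardless dispenses, marking those that also fall inside the reported activity window and note cap.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed journal format (an assumption, not any vendor's real format):
#   "<ISO timestamp>|cassette=<n>|notes=<n>|card=<present|none>"
MAX_NOTES_PER_DISPENSE = 40     # per-request ceiling reported for Tyupkin
ACTIVE_WEEKDAYS = {6, 0}        # datetime.weekday(): Sunday=6, Monday=0


@dataclass
class DispenseEvent:
    when: datetime
    cassette: int
    notes: int
    card_session: bool   # True when the dispense belonged to a customer card transaction


def parse_journal_line(line: str) -> DispenseEvent:
    """Parse one line of the constructed journal format above."""
    ts, cassette, notes, card = line.strip().split("|")
    return DispenseEvent(
        when=datetime.fromisoformat(ts),
        cassette=int(cassette.split("=", 1)[1]),
        notes=int(notes.split("=", 1)[1]),
        card_session=card.split("=", 1)[1] == "present",
    )


def classify(ev: DispenseEvent) -> str:
    """Return a verdict for one dispense.

    'ok'                 a dispense tied to a customer card session
    'cardless'           cash left a cassette with no card transaction behind it
    'cardless-in-window' same, but on Sunday/Monday and within the 40-note cap,
                         i.e. matching the activity pattern described in the article
    """
    if ev.card_session:
        return "ok"
    in_window = ev.when.weekday() in ACTIVE_WEEKDAYS
    within_cap = 0 < ev.notes <= MAX_NOTES_PER_DISPENSE
    return "cardless-in-window" if in_window and within_cap else "cardless"


def review_journal(lines):
    """Return (event, verdict) pairs for every dispense that is not 'ok'."""
    findings = []
    for line in lines:
        ev = parse_journal_line(line)
        verdict = classify(ev)
        if verdict != "ok":
            findings.append((ev, verdict))
    return findings


# Constructed sample journal; 2014-10-05 is a Sunday, 2014-10-08 a Wednesday.
SAMPLE_JOURNAL = [
    "2014-10-05T02:13:00|cassette=2|notes=40|card=none",
    "2014-10-05T02:14:10|cassette=2|notes=40|card=none",
    "2014-10-05T09:30:00|cassette=1|notes=5|card=present",
    "2014-10-08T02:15:00|cassette=3|notes=40|card=none",
]

if __name__ == "__main__":
    for ev, verdict in review_journal(SAMPLE_JOURNAL):
        print(f"{verdict:20s} {ev.when.isoformat()} cassette={ev.cassette} notes={ev.notes}")
```

Any cardless dispense is reported, not only those in the Sunday/Monday window: the weekday and note cap only raise the verdict from "cardless" to "cardless-in-window", so a variant that changes its schedule is still caught by the more general rule.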
The countries affected by Tyupkin
During the investigations, authorities discovered that more than 50 ATMs belonging to financial institutions across Eastern Europe were infected, and that most of the Tyupkin attacks took place in Russia. The malware appears to have spread to the United States, India, China, Israel, France and Malaysia.
Thefts of this kind were even caught on film, because some of the ATMs have cameras.
Kaspersky has informed all the specialized authorities and banks about the steps that need to be followed to prevent this type of cyber-attack.
It is worth mentioning that ATMs generally run Windows XP or Windows 98, which have not been updated and are therefore easily exposed to viruses.