Criminals in Eastern Europe have evolved their attacks against automated teller machines, moving beyond solely targeting consumers with card skimmers that steal debit card numbers, to attacks against banks using malware that allows someone to remove money directly from an ATM without the need for a counterfeit or stolen card.
Researchers at Kaspersky Lab, in conjunction with Interpol, today said they have detected the on more than 50
“The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team. “We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions.
“The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently,” Diaz said
Most of the Tyupkin submissions to Virus Total are from Russia (20) with a limited number of samples (4) reported from the United States.
Kaspersky researchers have seen several variants of this malware with subtle advancements in each. The latest, version .d, includes anti-debug and anti-emulation features and also disables application security software from a particular vendor.
While all of these techniques aim to frustrate detection and examination of the malware, the criminals behind this operation also went to great pains to ensure their exclusive access to the money. The malware, for example, is configured to run only at specific times and a key is required in order to access the infected ATM. The key, researchers said, is based on a random seed number used for each session and are used to prevent random users from stumbling upon the interface used to steal money.
“When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette,” the researchers wrote.