Dozens of European ATMs rooted, allowing criminals to easily cash out
Criminals are installing fairly sophisticated malicious programs on banks’ ATMs, allowing them to control access to the machines and easily steal cash, security firms Kaspersky and Interpol said in a joint statement released on Tuesday.
The malware, which Kaspersky dubbed ‘Tyupkin,’ allows low-level thieves, known as money mules, access to the machines at certain times of day using an intermittently changing code, similar to the six-digit electronic tokens used for security in the financial industry. More than 50 ATMs in Eastern Europe and Russia were found to have been infected with the malware to date, leading to the theft of currency equivalent to millions of dollars, according to the statement.
The attack shows that criminals are improving their tactics and appear to be able to gain enough access to ATMs to install code, Vicente Diaz, principal security researcher at Kaspersky Lab, said.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” he said. “Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.”
Unlike much of the malware that targets consumers’ bank accounts, Tyupkin does not infect ATMs, but must be installed via physical access to the device. Kaspersky did not describe under what circumstances the criminals had access to the ATMs, but once compromised, the thieves essentially controlled access to the devices and any cash stored in the machines.
Using an algorithm to create one-time use codes, the criminals enabled low-level money mules to take cash out of the ATMs, giving them the code for the current session. The thieves are able to check the amount of bills in each of the ATM’s cartridges and select from which cartridge to steal, causing it to dispense 40 bills at a time.
“The malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown,” Kaspersky stated in its release. “This ensures that the mules collecting the cash do not try to go it alone.”
To avoid detection, the malware limits activity to Sunday and Monday nights.
The discovery of the malware means that financial institutions need to better secure the physical infrastructure of their ATMs, Jean-Philippe Taggart, senior security researcher at Malwarebytes Labs, said in a statement sent to Ars.
“Since criminals require physical access to the ATM; that severely limits what can be achieved,” he said. He did point out that “Europe has many ATMs directly on the street, and that makes them somewhat more vulnerable to physical attack.”