Kaspersky Lab and INTERPOL Malware Alert: Cybercriminals are Targeting Multiple ATMs with Tyupkin Malware

Malware on public computers is a growing concern; it can be found on almost any type of system and has been recently found on ATMs. Kaspersky Lab’s (News - Alert) experts discovered malicious code infecting ATMs that allowed attackers to empty the cash machines via direct manipulation, stealing millions of dollars.

The Kaspersky Lab’s Global Research and Analysis Team announced that the malware identified and named by Kaspersky Lab as Backdoor.MSIL.Tyupkin has, so far, been detected on ATMs in Latin America, Europe and Asia.

INTERPOL, which is the world’s largest international police organization, with 190 member countries, is assisting with ongoing (forensic) investigations regarding the cybercriminal attacks targeting multiple ATMs around the world. Along with Kaspersky Lab, INTERPOL Digital Crime Centre works to fight cybercriminals and publishes research to a wider audience to encourage collaborative security practices and increased international cooperation.

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, says, “Offenders are constantly identifying new ways to evolve their methodologies to commit crimes”; expressing that it is time for all member countries involved to concentrate their efforts to keep malware off their networks.

As the Kaspersky Lab expert’s explain, the ATM attacks that have occurred have been played out very sophisticatedly, as video footage obtained from security cameras showed. The criminals carry out the act in two stages: “First, they get physical access to the ATMs and insert a bootable CD to install the malware—code named Tyupkin by Kaspersky Lab. After they reboot the system, the infected ATM [is] under their control.”

The criminals can then carry out an ATM transaction without inserting a credit card into the slot. They simply enter a combination of digits on the system’s keyboard, make a call to receive further instructions from another gang member, and then enter another set of numbers that has the ATM start giving out cash; lots of it too. Then they leave.

To carry out the ATM transaction, a unique digit combination key based on random numbers is generated; a session key is also generated using an algorithm. When the combination of keys is entered correctly, then the malicious operators via the Tyupkin malware pull off the hit and profit from the fraud. What is peculiar about the ATM attacks, it only accepts commands at specific times on Sunday and Monday nights to make it even harder to spot the scam.

This is not the first time criminals have made a successful infection; in fact, such news follows a similar alert about a Cash Register Malware, which occurred this last summer (in August); that occurrence involved malware targeting financial data. The new attack, rather, deals with financial institutions directly with the fraud principally aimed to steal money.

Vicente Diaz, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team said, “The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

Diaz stresses that malware is not the only method used by criminals to steal money. In fact, the Kaspersky Lab experts have observed other ATM hits; previous incidents involved using skimming devices and malicious software. As well, offenders are using Trojans and other programs to launch direct APT (News - Alert)-style attacks against banks; as a result, infecting ATMs that has handed over cybercriminals a way to obtain money quickly, Diaz said.

He strongly advises banks to review the physical security of their ATMs and network infrastructure and considers investing in quality security solutions an apt means to avoid such attacks. For those that are victims, Diaz recommends a full scan of the banks ATM’s system to get rid of the Backdoor.MSIL.Tyupkin, which affects those machines running Microsoft (News - Alert) Windows 32-bit, by using an Anti-Malware Remediation Tool, such as the free Kaspersky Virus Removal Tool.