Kaspersky and INTERPOL issue global alert: ATMs spitting out millions without cards

Status
Not open for further replies.

Dima007

Level 23
Thread author
Verified
Well-known
Apr 24, 2013
1,200


ATMs (automated teller machines) are everywhere and we all use them regularly. That has always made them a target for bad guys -- a card reader can steal all sorts of information. But in the wake of events like the Target and Home Depot breaches things have risen to a new level. So high, in fact, that security company Kaspersky and law enforcement organization INTERPOL have issued a warning.

It seems that ATMs are pouring out money to criminals who are not even using any sort of credit or debit card. While this isn't a problem for any particular individual, it is a major one for the banks, which makes it everyone's worry.

This is apparently a global problem, which explains the involvement by INTERPOL. It all stems from a recent investigation conducted by Kaspersky.

Read more: http://betanews.com/2014/10/07/kasp...ert-atms-spitting-out-millions-without-cards/
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Here is another article on this topic: http://news.softpedia.com/news/Tyup...ows-Cash-Extraction-Without-Card-461309.shtml

A new threat affecting ATM (automated teller machine) systems features security measures that allow interaction with it only at certain times, and permits cash withdrawal through direct interaction with the computer, without the need of a card.

The malware has been named Tyupkin by researchers at Kaspersky, who dissected a few samples. It runs on ATM systems from a single manufacturer with 32-bit Windows installed on them.

It appears that infecting the cash machines is done by breaking the physical security and gaining access to the computer inside. Tyupkin is then planted on the system by loading it from a bootable CD.

Interaction with the malware is protected

The actors using this malware have implemented certain security measures to ensure that only they have control over it.

One protection mechanism available is making it respond to commands only at certain times, when the crooks come to collect.

From Kaspersky’s observations, Tyupkin responded to interactions only on Sunday and Monday nights by default.

Furthermore, a session key code needs to be entered before the main menu is shown, where the attacker can see the cash cassettes and the number of banknotes available; a maximum of 40 can be extracted at a time.

The unlocking key needs to be generated based on a seed displayed on the screen, so only an individual that knows the algorithm behind the operation can reach the command menu.

If the wrong code is entered, then the malware disconnects from the local network, probably in an attempt to prevent remote investigation, Kaspersky believes.

Eastern Europe banks most targeted by Tyupkin attacks

Based on the compilation dates of the analyzed samples, it is believed that Tyupkin has been in use since around March this year.

However, multiple variants exist, authors adding anti-analysis capabilities (anti-debug and anti-emulation) along with the ability to disable McAfee Solidcore, a dynamic whitelisting application, on the infected machines.

The researchers say that during their investigation, most of the 50 ATMs affected were from banking institutions in Eastern Europe.

According to statistics pulled from VirusTotal, most of the Tyupkin submissions came from Russia. However, Kaspersky noticed that the malware reached other countries too, as infections were reported from the United States, India, China, Israel, France and Malaysia.

Security experts from the Russian antivirus vendor see this type of attack as a natural evolution from skimming, which relies on stealing card information when the client inserts it into a corrupted ATM. Cybercriminals are “moving up the chain and targeting financial institutions directly. The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.”

The general recommendation for banks is to ensure that proper security measures are enforced both to the cashpoints and the environment they are placed in, with sufficient lighting and cameras monitoring all activity.
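Added example, not part of the original posts or of Kaspersky's report: a defender-side triage that correlates the behaviours described in the article above (boot from CD, whitelisting disabled, network disconnect, cash dispensed without a card, Sunday and Monday night activity) per ATM. The event schema, field names, service name, thresholds and sample events are all constructed assumptions, not a real ATM log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real ATM log format).
EVENTS = [
    {"ts": "2014-10-05T23:40:00", "atm": "ATM-A", "type": "boot", "media": "cdrom"},
    {"ts": "2014-10-05T23:52:00", "atm": "ATM-A", "type": "service_stop", "name": "whitelisting-agent"},
    {"ts": "2014-10-06T01:10:00", "atm": "ATM-A", "type": "link_down"},
    {"ts": "2014-10-06T01:12:00", "atm": "ATM-A", "type": "dispense", "notes": 40},
    {"ts": "2014-10-07T14:00:00", "atm": "ATM-B", "type": "card_txn"},
    {"ts": "2014-10-07T14:00:20", "atm": "ATM-B", "type": "dispense", "notes": 5},
]
CARD_WINDOW = timedelta(seconds=120)  # assumption: a dispense follows its card transaction within 2 minutes
NIGHT_DAYS = {6, 0}                   # Sunday, Monday as returned by datetime.weekday()

def is_night(t):
    return t.hour >= 22 or t.hour < 6  # assumption: what counts as "night"

def triage(events):
    """Return {atm: sorted findings} for every ATM with at least one finding."""
    findings, last_card = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        t, atm, hit = datetime.fromisoformat(e["ts"]), e["atm"], None
        if e["type"] == "card_txn":
            last_card[atm] = t
        elif e["type"] == "boot" and e.get("media") in ("cdrom", "usb"):
            hit = "boot_from_removable_media"
        elif e["type"] == "service_stop" and e.get("name") == "whitelisting-agent":
            hit = "whitelisting_stopped"
        elif e["type"] == "link_down":
            hit = "network_link_down"
        elif e["type"] == "dispense":
            prev = last_card.get(atm)
            if prev is None or t - prev > CARD_WINDOW:
                hit = "cardless_dispense"
                if t.weekday() in NIGHT_DAYS and is_night(t):
                    findings.setdefault(atm, set()).add("sunday_monday_night")
        if hit:
            findings.setdefault(atm, set()).add(hit)
    return {atm: sorted(f) for atm, f in findings.items()}

def escalate(findings, threshold=2):
    """ATMs where a cardless dispense coincides with more than `threshold` findings in total."""
    return sorted(a for a, f in findings.items() if "cardless_dispense" in f and len(f) > threshold)

if __name__ == "__main__":
    print(escalate(triage(EVENTS)))
```

A single indicator such as a link drop is common on its own; the value is in requiring the cardless dispense to coincide with the other behaviours on the same machine.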
