October 7, 2014
Kaspersky Lab experts have conducted a forensic investigation of attacks by cybercriminals targeting multiple ATMs around the world. In the course of this investigation, analysts at the security company discovered a piece of malware that infects ATMs and lets attackers empty them directly, stealing millions of dollars. INTERPOL has alerted the affected countries and is assisting in ongoing investigations.
In this case, the cybercriminals operate only on Sunday and Monday nights. Without inserting a card, they enter a combination of digits on the ATM keypad, then phone an accomplice for further instructions and receive a second series of numbers. This simple operation causes the ATM to start dispensing large amounts of cash, which the "mules" collect before leaving.
Video footage showing how this attack works on a real ATM.
How the attacks are carried out
The criminals work in two stages. First, they gain physical access to the ATM and insert a bootable CD that installs the Tyupkin malware. After the system reboots, the infected ATM is under their control.
After a successful infection, the malware runs in an infinite loop waiting for a command. To make the scheme harder to detect, Tyupkin only accepts commands at specific times on Sunday and Monday nights; during those hours the attackers can steal cash from the infected machines. Footage from the security cameras of infected ATMs showed the method used to obtain the cash. In each looting session a unique key based on random numbers is generated, ensuring that no passer-by could accidentally profit from the fraud. The person at the ATM receives instructions by phone from another member of the gang who knows the algorithm and can generate the session key. This second control code prevents the mules who collect the money from attempting the operation on their own.
When the key is entered correctly, the ATM displays how much money is available in each cash cassette and invites the operator to choose the cassette to empty, after which the machine dispenses up to 40 banknotes in a few seconds.
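As an added illustration of the defensive side of the behaviour described above (this is example code written for this page, not code from Kaspersky Lab or from the original article), the following Python script runs a simple detection rule over a constructed, hypothetical ATM electronic-journal format: any cash dispense in a session that never saw a card read is flagged, and the alert is scored higher when it falls in the Sunday/Monday night window or empties a full cassette of 40 notes. The journal lines, the field names and the 22:00 to 06:00 definition of "night" are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample electronic-journal lines (hypothetical format, not any
# vendor's real journal). Session b7 is the pattern the article describes:
# digits typed on the keypad with no card, then full 40-note dispenses in the
# early hours of a Monday (i.e. Sunday night). 2014-09-29 is a Monday.
SAMPLE_JOURNAL = """\
2014-09-28 14:02:11 ATM017 CARD_READ session=a1
2014-09-28 14:02:40 ATM017 DISPENSE session=a1 notes=5
2014-09-29 01:12:03 ATM017 KEYPAD session=b7 digits=16
2014-09-29 01:14:55 ATM017 DISPENSE session=b7 notes=40
2014-09-29 01:15:20 ATM017 DISPENSE session=b7 notes=40
2014-09-30 09:30:00 ATM017 CARD_READ session=c3
2014-09-30 09:30:25 ATM017 DISPENSE session=c3 notes=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<atm>\S+) (?P<event>\S+)(?P<kv>.*)$"
)


def parse_journal(text):
    """Parse journal lines into dicts: ts (datetime), atm, event, plus key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable journal line: %r" % line)
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
        fields.update(
            ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            atm=m.group("atm"),
            event=m.group("event"),
        )
        events.append(fields)
    return events


def in_sunday_monday_night(ts, night_start=22, night_end=6):
    """True if ts falls between 22:00 and 05:59 on a night that began on a
    Sunday or Monday. A night is attributed to the day on which it started,
    so 01:00 on a Monday counts as Sunday night (assumed window)."""
    if not (ts.hour >= night_start or ts.hour < night_end):
        return False
    started_on = (ts - timedelta(hours=night_end)).weekday()  # Mon=0 ... Sun=6
    return started_on in (6, 0)


def find_suspicious_dispenses(events, full_cassette=40):
    """Return one alert per DISPENSE whose session had no CARD_READ.

    Each alert lists why it fired. The time window and a full-cassette
    dispense do not trigger on their own but raise the score, so a single
    cardless dispense during bank hours ranks below the article's pattern.
    """
    carded_sessions = {e.get("session") for e in events if e["event"] == "CARD_READ"}
    alerts = []
    for e in events:
        if e["event"] != "DISPENSE" or e.get("session") in carded_sessions:
            continue
        reasons = ["dispense with no card read in session"]
        score = 1
        if in_sunday_monday_night(e["ts"]):
            reasons.append("Sunday/Monday night window")
            score += 1
        if int(e.get("notes", 0)) >= full_cassette:
            reasons.append("full cassette dispense (%d notes)" % full_cassette)
            score += 1
        alerts.append({"atm": e["atm"], "session": e.get("session"),
                       "ts": e["ts"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_dispenses(parse_journal(SAMPLE_JOURNAL)):
        print(a["ts"], a["atm"], a["session"], "score=%d" % a["score"],
              "; ".join(a["reasons"]))
```

Real journals differ by vendor and the field names would have to be mapped, but the logic transfers: a normal withdrawal starts with a card read, so a dispense without one is a strong signal on its own, and the time-of-day and volume conditions only rank it for triage.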
At the request of a financial institution, Kaspersky Lab's Global Research and Analysis Team conducted a forensic investigation of this cyberattack. The malware, identified and named by Kaspersky Lab as Backdoor.MSIL.Tyupkin, has so far been detected on ATMs in Latin America, Europe and Asia.
“In recent years, we have seen a significant spike in ATM attacks using skimming devices and malicious software. We are now facing the natural evolution of this threat, in which cybercriminals directly attack financial institutions by infecting ATMs or launching direct APT-style attacks against banks. The Tyupkin malware is an example of how cybercriminals take advantage of weaknesses in ATM infrastructure,” explains Vicente Díaz, security analyst at Kaspersky Lab. “We advise banks to review the physical security of their ATMs and the network infrastructure and consider investing in quality security solutions,” adds Díaz.
“Criminals are constantly identifying new ways to evolve their criminal methods, and it is essential that we enforce the laws in member countries and stay promptly informed about current trends and their modus operandi,” says Sanjay Virmani, Director of INTERPOL's Digital Crime Centre.
What can banks do to minimize risk?
· Review the physical security of your ATMs and consider investing in quality security solutions.
· Replace all ATM locks and master keys and get rid of the standard factory-provided defaults.
· Install an alarm and make sure that it is in good condition. The Tyupkin cybercriminals have only operated on ATMs where no alarm system was installed.
· Change the BIOS password.
· Make sure ATMs have up-to-date virus protection.
· For information on how to check whether your ATM is infected, you can contact Kaspersky Lab experts.