Tyupkin malware-infected ATMs give cash away to criminals


Interpol has issued a multi-country alert about a piece of cash machine-focused malware that allows criminal gangs to withdraw large sums of money without needing a bank card.

The Tyupkin malware, as it has been dubbed by the Kaspersky research team, is installed on the ATM machines using a CD.

Once the installation is complete, cyber criminals can then enter two separate combinations of digits on the ATM's keypad to make the machine start paying out cash.

Kaspersky, which has been tracking the scam, said that to evade detection the malware only accepts commands at specific times on Sunday and Monday nights, which is when the attackers tend to pounce.

In a blog post announcing their findings, the researchers said a random code is needed each time to make the ATMs pay out, to ensure anyone unconnected to the scheme doesn't benefit from it.

"A unique digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud," the post states.

"Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures the mules collecting the cash do not try to go it alone."

Once these credentials are entered correctly, the cash machine display will detail how much money is available in each cash machine cassette, before asking the criminals which one they want to empty.

"After this the ATM dispenses 40 banknotes at a time from the chosen cassette," the post continues.
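Detection logic for the pattern described above, as an added example that is not from Kaspersky, Interpol or the original article: it scans an ATM journal for cash dispensed while no card session is open, and records whether each hit also matches the reported 40-note batches and Sunday/Monday night timing. The journal format, event names and night-window hours are assumptions made for illustration, and the sample lines are constructed.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample journal (hypothetical format: time,atm,event,detail).
SAMPLE_JOURNAL = """\
2014-10-03T14:02:10,ATM-01,CARD_INSERTED,
2014-10-03T14:02:55,ATM-01,DISPENSE,cassette=2;notes=5
2014-10-03T14:03:05,ATM-01,CARD_EJECTED,
2014-10-05T23:41:00,ATM-01,DISPENSE,cassette=1;notes=40
2014-10-05T23:41:30,ATM-01,DISPENSE,cassette=1;notes=40
2014-10-07T01:15:00,ATM-02,DISPENSE,cassette=3;notes=40
2014-10-08T11:00:00,ATM-02,DISPENSE,cassette=1;notes=10
"""

NIGHT_START, NIGHT_END = 22, 5   # assumed hours; the article gives no exact times
BATCH_SIZE = 40                  # notes per dispense, as reported in the article

def in_sun_mon_night(ts):
    """True if ts falls in the night that began on a Sunday or Monday."""
    if not (ts.hour >= NIGHT_START or ts.hour < NIGHT_END):
        return False
    started = (ts - timedelta(hours=NIGHT_END)).weekday()  # day the night began
    return started in (6, 0)  # 6 = Sunday, 0 = Monday

def find_suspicious_dispenses(journal_text):
    """Flag dispenses made while no card session is open on that ATM."""
    card_present = {}   # ATM id -> True while a card is in the reader
    alerts = []
    for ts_raw, atm, event, detail in csv.reader(StringIO(journal_text)):
        ts = datetime.fromisoformat(ts_raw)
        if event == "CARD_INSERTED":
            card_present[atm] = True
        elif event == "CARD_EJECTED":
            card_present[atm] = False
        elif event == "DISPENSE" and not card_present.get(atm, False):
            fields = dict(kv.split("=") for kv in detail.split(";"))
            reasons = ["no card session"]
            if int(fields["notes"]) == BATCH_SIZE:
                reasons.append("40-note batch")
            if in_sun_mon_night(ts):
                reasons.append("Sun/Mon night")
            alerts.append((ts_raw, atm, reasons))
    return alerts

if __name__ == "__main__":
    for ts_raw, atm, reasons in find_suspicious_dispenses(SAMPLE_JOURNAL):
        print(ts_raw, atm, ", ".join(reasons))
```

A cardless dispense is the primary signal; the batch size and time window only raise confidence, since the article gives no exact hours and legitimate service operations may also dispense without a card.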

So far, the scam has been detected in Europe, Latin America and Asia, prompting law enforcement agency Interpol to offer investigative assistance to the countries affected.

Sanjay Virmani, director of the Interpol Digital Crime Centre, said: "Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi."

Vicente Diaz, principal security researcher at Kaspersky Lab's global research and analysis team, said the last few years have seen a marked upswing in the number of attacks on ATM machines.

"Now we are seeing the natural evolution of this threat, with cyber criminals moving up the chain and targeting financial institutions directly," said Diaz.

"This is done by infecting ATMs themselves or by launching direct APT-style attacks against banks.

"The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure," he added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.