Criminals are using malware to steal cash from ATMs without debit and credit cards.
The Tyupkin malware, which was discovered by Kaspersky Lab's global research and analysis team, enables criminals to withdraw large sums of money by just typing in a code.
Kaspersky Lab's forensic investigation was instigated after a financial services company requested help when its ATMs in Eastern Europe were targeted.
Kaspersky discovered malware that – once installed on the ATM – allowed attackers to empty the ATM cash cassettes via direct manipulation.
Criminal gangs gain physical access to the ATMs and use a CD to install the malware. Once the ATM is rebooted, the gang has control of it and can use a code to take money out. Up to 40 notes can be taken out at a time from the cassette that holds them.
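Because the cash is dispensed without any card transaction, one defender-side check is to reconcile the dispenser's journal against host authorizations and flag any dispense that has no matching approval, or that empties a full 40-note batch. The script below is an added example, not Kaspersky's code; the journal line format, the ATM id, the 30-second matching window and the sample lines are all constructed for illustration, and a real deployment would read the host authorization log and the dispenser's electronic journal as two separate sources.

```python
"""Reconciliation check for card-less ATM dispenses (added example).

The journal format here is constructed, not a real vendor format: each
line carries a timestamp, an ATM id, an event type and key=value fields.
Host authorizations (AUTH) and dispenser events (DISPENSE, REBOOT) are
merged into one stream for clarity.
"""
from datetime import datetime, timedelta

# Constructed sample journal. A normal withdrawal is an AUTH (the host
# approved a card transaction) followed within seconds by a DISPENSE.
# After the REBOOT, two DISPENSE lines appear with no AUTH at all, each
# emptying a full 40-note batch, which is the pattern described above.
SAMPLE_JOURNAL = """\
2014-10-07T02:10:01 ATM-0417 AUTH card=****1234 amount=100
2014-10-07T02:10:04 ATM-0417 DISPENSE notes=5
2014-10-07T02:31:40 ATM-0417 AUTH card=****9876 amount=60
2014-10-07T02:31:43 ATM-0417 DISPENSE notes=3
2014-10-07T03:02:15 ATM-0417 REBOOT
2014-10-07T03:05:30 ATM-0417 DISPENSE notes=40
2014-10-07T03:05:52 ATM-0417 DISPENSE notes=40
"""

AUTH_WINDOW = timedelta(seconds=30)  # assumption: a dispense follows its auth within 30 s
MAX_BATCH = 40                       # largest single dispense observed in the Tyupkin cases


def parse_journal(text):
    """Parse the constructed journal format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, kind, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "atm": atm,
                       "kind": kind, **fields})
    return events


def find_suspicious_dispenses(events):
    """Return (timestamp, atm, notes, reasons) for every DISPENSE that has
    no AUTH within AUTH_WINDOW before it, or that is a full-batch dispense.

    Each AUTH is consumed by at most one DISPENSE, so a second dispense
    riding on an old authorization is also flagged.
    """
    findings = []
    last_auth = {}  # atm id -> timestamp of most recent unconsumed AUTH
    for ev in events:
        if ev["kind"] == "AUTH":
            last_auth[ev["atm"]] = ev["ts"]
        elif ev["kind"] == "DISPENSE":
            auth_ts = last_auth.pop(ev["atm"], None)
            notes = int(ev["notes"])
            reasons = []
            if auth_ts is None or ev["ts"] - auth_ts > AUTH_WINDOW:
                reasons.append("no matching authorization")
            if notes >= MAX_BATCH:
                reasons.append("full %d-note batch" % MAX_BATCH)
            if reasons:
                findings.append((ev["ts"].isoformat(), ev["atm"], notes, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_dispenses(parse_journal(SAMPLE_JOURNAL)):
        print(finding)
```

Run against the sample, the two post-reboot dispenses are reported with both reasons while the two ordinary withdrawals are not. The reboot itself is a further signal worth alerting on when it falls outside a maintenance window, since the malware only takes control after one.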
At the time of the investigation, the malware was active on more than 50 ATMs in Eastern Europe, but Kaspersky believes it has spread to other countries, including the US, India and China.
“Over the past few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software. Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to the arrests and prosecution of cyber criminals,” said Kaspersky Labs.
“Now we are seeing the natural evolution of this threat with cyber criminals moving up the chain and targeting financial institutions directly.
“This is done by infecting ATMs directly, or through direct advanced persistent threat (APT) attacks against the bank. The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure,” it added.
Kaspersky said many ATMs run on operating systems with known security weaknesses and warned banks to review the physical security of their ATMs and consider investing in security.
Advice from Kaspersky
What businesses that operate ATMs on-premise should consider:
- Review the physical security of their ATMs and consider investing in quality security systems.
- Change default upper-pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.
- Install an ATM security alarm and make sure it works. The cyber criminals behind Tyupkin were observed to infect only those ATMs without a security alarm installed.
- For instructions on how to verify in one step that your ATMs are not currently infected, contact firstname.lastname@example.org. For a full scan of the ATM's system and removal of the backdoor, use the free Kaspersky Virus Removal Tool available to download here.
General advice for on-premise ATM operators:
- Ensure the ATM is in an open, well-lit environment monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
- Regularly check the ATM for signs of attached third-party devices (skimmers).
- Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors of security alarms, security cameras or other on-premise devices.
- Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
- Consider filling the ATM with just enough cash for a single day of activity.