While traditional ATM skimming attacks are spreading across a wide variety of devices, from train ticket kiosks to parking meters and other unattended payment terminals, using malware to "cash out" ATMs appears to be the trendiest cybercrime tactic.
A recent investigation from the international police organization Interpol has detected a new type of malware that gives criminals full control of the ATM, allowing them to steal huge amounts of money in cash without having to use a credit or debit card.
The new generation malware, named Tyupkin, is said to have infected ATMs in Europe, Latin America and Asia, stealing millions of dollars in cash.
Tyupkin’s modus operandi differs from traditional ATM malware in that its intention is not to capture card and PIN information from customers, but rather to hit the bank in the face by draining cash directly from the ATMs without the need for customer data.
ATM Malware Waits for Instructions
The Tyupkin malware literally allows an attacker to tell an ATM to dispense money. It enables an attacker to use the ATM PIN pad to submit commands to the Trojan, without the need for a credit or debit card.
Here's how the Tyupkin attack works:
- Criminals need to gain physical access to the ATMs to insert a bootable CD which installs the malware. After a system reboot, the ATM is under their control.
- The malware runs in the background awaiting a command that is only accepted at specific times, making it harder to detect.
- A unique random combination key is generated to activate the malware. The criminal enters the key in the PIN pad, and then receives a phone call from another member of the gang, with a session key based on the number shown on the ATM's screen.
- When this session key is entered correctly, the ATM displays details of how much money is available in each cash cassette. After choosing a cassette to steal from, the ATM dispenses 40 banknotes at a time.
Malware attacks are currently the biggest concern in ATM fraud since they are far less risky and much more profitable than traditional skimming or physical attacks.
The criminals are extremely agile and innovative in producing new types of malware to launch direct APT-like attacks against banks, but they are also helped by the very poor security of ATMs, still running old-fashioned Microsoft systems, and the weaknesses in the ATM infrastructure.
Indeed, the lack of proper security measures to prevent the physical installation and execution of malware makes it easy to infect ATMs.
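The behaviour described above (a boot from CD followed by cash dispensed with no card involved) leaves a pattern that monitoring can look for. The following is an added example, not code from S21sec or any ATM vendor; the journal format, event names and ATM identifier are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample journal (hypothetical format: timestamp, ATM id, event, key=value fields)
SAMPLE_LOG = """\
2014-10-05T14:02:11 ATM0042 CARD_INSERT
2014-10-05T14:02:40 ATM0042 TXN_AUTH amount=100
2014-10-05T14:02:48 ATM0042 DISPENSE notes=5 cassette=2
2014-10-05T14:02:55 ATM0042 CARD_EJECT
2014-10-06T01:10:03 ATM0042 BOOT media=cdrom
2014-10-06T01:19:30 ATM0042 BOOT media=hdd
2014-10-06T02:14:09 ATM0042 DISPENSE notes=40 cassette=1
2014-10-06T02:14:31 ATM0042 DISPENSE notes=40 cassette=1
"""

def parse(line):
    """Split one journal line into (timestamp, atm_id, event, fields dict)."""
    ts, atm, event, *fields = line.split()
    return ts, atm, event, dict(f.split("=", 1) for f in fields)

def find_alerts(log_text):
    """Flag boots from non-disk media and dispenses with no authorized card transaction."""
    card_present = defaultdict(bool)   # per-ATM: is a card currently inserted?
    authorized = defaultdict(bool)     # per-ATM: is a host-authorized withdrawal pending?
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, atm, event, kv = parse(line)
        if event == "BOOT":
            card_present[atm] = authorized[atm] = False  # a reboot clears any session
            if kv.get("media") != "hdd":
                alerts.append((ts, atm, "boot from removable media: " + kv.get("media", "unknown")))
        elif event == "CARD_INSERT":
            card_present[atm] = True
        elif event == "TXN_AUTH":
            authorized[atm] = card_present[atm]  # authorization only counts with a card present
        elif event == "CARD_EJECT":
            card_present[atm] = authorized[atm] = False
        elif event == "DISPENSE":
            if not authorized[atm]:
                alerts.append((ts, atm, "dispense of %s notes without an authorized card transaction"
                               % kv.get("notes", "?")))
            authorized[atm] = False  # one authorization covers one dispense
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```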
S21sec Approach to ATM Security
S21sec has extensive expertise in the development of technologies adapted to the needs of the banking industry. Its product Lookwise Device Manager helps to protect ATM networks from logical attacks by monitoring ATM activity, restricting usage to authorized hardware and processes only, and allowing remote actions to be executed.
S21sec also provides specialized and advanced security services for financial organizations.
We will be participating in the next ATM Security 2014 event organized by the ATM Industry Association in London on October 14-15th.
For further information please contact us.
Juan Ramón Aramendía
Product Marketing Manager Lookwise