Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/7/2014
12:30 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Hackers Steal Millions In Cash From ATMs, Using Tyupkin Malware

Attackers add in failsafes to prevent innocents from triggering attack and money mules from going rogue.

Attackers are infecting ATMs in Asia, Europe, and Latin America with malware, and walking off with stacks of cash, Kaspersky has found. Using the malware, called Tyupkin, and a team of money mules, the attackers have stolen what amounts to millions of dollars in cash.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. "Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

The good news is that the infection and theft require physical access to the ATM. The bad news is that it's easy to come by, since ATMs are intended to be physically accessible by the general public 24/7. That said, the attackers only went after machines that did not have security alarms installed.

[Read more about ATM hacks, like the ones using Ploutus malware earlier this year.]

Once access is gained, the attackers reboot the machine using a bootable CD that installs Tyupkin. The malware then runs in a loop, waiting for a command. It only accepts commands on Sunday and Monday nights, when the mules' suspicious withdrawals are less likely to be noticed.

During those hours, a unique key, based on a random set of numbers displayed by the ATM machine, is generated for each session. Video evidence shows that the mule collecting the cash calls another gang member on the phone and gives them that random combination. The person on the other side of the call then runs those digits through an algorithm to generate the session key, and gives the key to the mule. Once the key is entered, the machine displays the amount of cash located in each cassette, and dispenses 40 banknotes from whichever cassette the attacker chooses.

The process prevents both regular customers from accidentally triggering the attack and money mules from trying to steal the money themselves without the rest of the gang knowing about it.

INTERPOL is now working with member countries to detect and remediate the threat. Kaspersky is providing advice on how to verify whether or not your bank's ATMs are infected. Contact them at [email protected]

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/8/2014 | 3:58:20 PM
Re: Non only skimmer
Sure, they just want to finish their work on this and go to next one. They do not really want to spend so much time on one machine. This is like a cheating, trying to hack without so much effort. :--)).
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/8/2014 | 3:56:30 PM
Re: Non only skimmer
Yes, banks know that it is there and their machine is exposed to outside world and available 24/7 so there has to be additional security measures such as cameras.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/8/2014 | 3:54:31 PM
Not in US yet?
I am surprised this is not happening in US yet. Maybe thankfully. :--)). This is another indicator that there is not limit on what you can hack, it can be it can be your computer or mobile device or it can be ATM and POS devices. Attackers have advanced their skills in recent years and they have been using very sophisticated tools. 
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
10/8/2014 | 2:28:11 PM
Re: Non only skimmer
Exactly!
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/8/2014 | 11:04:47 AM
Re: Non only skimmer
"the attackers only went after machines that did not have security alarms installed."

Talk about making it easy for them...
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
10/8/2014 | 10:55:28 AM
Non only skimmer
Physical security is essential and similar attacks could be successfully conducted is system are not properly defended and run on outdated or not upgraded OS.

banking industry must be aware of the increasing activities of new gangs.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...