Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/7/2014
12:30 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Hackers Steal Millions In Cash From ATMs, Using Tyupkin Malware

Attackers add in failsafes to prevent innocents from triggering attack and money mules from going rogue.

Attackers are infecting ATMs in Asia, Europe, and Latin America with malware, and walking off with stacks of cash, Kaspersky has found. Using the malware, called Tyupkin, and a team of money mules, the attackers have stolen what amounts to millions of dollars in cash.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. "Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

The good news is that the infection and theft require physical access to the ATM. The bad news is that it's easy to come by, since ATMs are intended to be physically accessible by the general public 24/7. That said, the attackers only went after machines that did not have security alarms installed.

[Read more about ATM hacks, like the ones using Ploutus malware earlier this year.]

Once access is gained, the attackers reboot the machine using a bootable CD that installs Tyupkin. The malware then runs in a loop, waiting for a command. It only accepts commands on Sunday and Monday nights, when the mules' suspicious withdrawals are less likely to be noticed.

During those hours, a unique key, based on a random set of numbers displayed by the ATM machine, is generated for each session. Video evidence shows that the mule collecting the cash calls another gang member on the phone and gives them that random combination. The person on the other side of the call then runs those digits through an algorithm to generate the session key, and gives the key to the mule. Once the key is entered, the machine displays the amount of cash located in each cassette, and dispenses 40 banknotes from whichever cassette the attacker chooses.

The process prevents both regular customers from accidentally triggering the attack and money mules from trying to steal the money themselves without the rest of the gang knowing about it.

INTERPOL is now working with member countries to detect and remediate the threat. Kaspersky is providing advice on how to verify whether or not your bank's ATMs are infected. Contact them at [email protected]

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/8/2014 | 3:58:20 PM
Re: Non only skimmer
Sure, they just want to finish their work on this and go to next one. They do not really want to spend so much time on one machine. This is like a cheating, trying to hack without so much effort. :--)).
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/8/2014 | 3:56:30 PM
Re: Non only skimmer
Yes, banks know that it is there and their machine is exposed to outside world and available 24/7 so there has to be additional security measures such as cameras.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/8/2014 | 3:54:31 PM
Not in US yet?
I am surprised this is not happening in US yet. Maybe thankfully. :--)). This is another indicator that there is not limit on what you can hack, it can be it can be your computer or mobile device or it can be ATM and POS devices. Attackers have advanced their skills in recent years and they have been using very sophisticated tools. 
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
10/8/2014 | 2:28:11 PM
Re: Non only skimmer
Exactly!
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/8/2014 | 11:04:47 AM
Re: Non only skimmer
"the attackers only went after machines that did not have security alarms installed."

Talk about making it easy for them...
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
10/8/2014 | 10:55:28 AM
Non only skimmer
Physical security is essential and similar attacks could be successfully conducted is system are not properly defended and run on outdated or not upgraded OS.

banking industry must be aware of the increasing activities of new gangs.
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.