A bank alerted Kaspersky to some suspicious withdrawals, and an investigation revealed that 50 ATMs in Eastern Europe were infected with the malware, which has been named Tyupkin.

The malware has since been detected around the globe, in countries including the USA, India, France, Israel, Malaysia and China.

So far it has been used to steal millions of dollars, according to Kaspersky and Interpol.

Malware Infected ATMs Giving Out Free Money: Kaspersky

Modus operandi

The Windows-based ATMs were attacked after gangs took advantage of weak security to insert a CD, from which the malware was uploaded. Mules were then sent to the machines at specific times on either Sunday or Monday nights, armed with a randomly generated code which would allow them to withdraw up to 40 notes at a time.

The codes were generated only once, rendering them useless to those not involved in the gang.

In a sign of the operation's sophistication, the gang has been steadily improving Tyupkin since it first came to Kaspersky’s attention in January. One upgrade enabled the gang to disable the McAfee Solidcore security software installed on the ATMs, further reducing the chance of detection.

Kaspersky recommendations

The security company claims that malware attacks on ATMs are a response to greater awareness of traditional skimming attacks, where criminals physically replace the hardware of a machine in order to clone cards and collect PIN numbers.

In a blog post, Kaspersky detailed how banks should combat the threat of a Tyupkin attack on their machines, including upgrading operating and security systems.

“The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.”

“Our recommendations for the banks is to review the physical security of their ATMs and consider investing in quality security solutions”, it continued.

While it is perhaps not surprising to hear a cyber security company urging investment in the field, banks will presumably sit up and take note of a new threat.