Cybercrime can mean big money for hackers. No one is in any doubt about that.
But what is unusual is for the attackers to get their hands directly on hard cash, rather than raiding an online bank account, exploiting stolen credit card numbers or hijacked PCs, or selling on stolen intellectual property to others.
But, according to new reports, malicious hackers have managed to cut out all the faffing about, and are now emptying high street ATMs of cash, stealing millions in the process.
A malicious trojan horse dubbed Backdoor.MSIL.Tyupkin is helping criminals steal cash from ATMs running a 32-bit version of Windows, according to researchers at Kaspersky Lab. The researchers say that the ATM-attacking Tyupkin malware was found running on more than 50 cash machines in Eastern Europe earlier this year, and seems to have already popped its head up in the United States, as well as other nations, including India and China.
The security firm discovered the malware during an investigation carried out at the request of a financial institution. Interpol has already alerted countries in Asia, Europe and Latin America and is carrying out an investigation of its own. Sanjay Virmani, director of Interpol’s digital crime centre, stated:
“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi.”
The researchers explained that the hack can force ATMs to dispense 40 notes at a time. The attack begins with the criminals gaining physical access to the cash machine in order to install the Tyupkin malware from a bootable CD-ROM.
Once the Tyupkin malware is installed, a gang member can be sent to the infected machine to enter two codes on the keypad. One is known to the robber, but the other is a unique code generated randomly from a remote location via an algorithm.
The cash machine only dispenses notes when the second code is entered, giving the remote criminal visibility and control over the frequency and instances of these withdrawals. The requirement for a second code also ensures that no-one outside the hacking group can profit from the crime.
The ATM robber receives instructions by phone from the other member of the group, who gives them the all-important key to enter. That key instructs the ATM to report how much money is available in each cassette, and the screen then displays a prompt along these lines:

    CASH OPERATION PERMITTED.
    TO START DISPENSE OPERATION –
    ENTER CASSETTE NUMBER AND PRESS ENTER.
The robber can then select which cassette to empty, dispensing 40 banknotes.
Kaspersky principal security researcher Vicente Diaz said that hackers are increasingly attacking financial institutions using direct methods: “Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” Diaz said. “Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly,” he added. “This is done by infecting ATMs themselves or launching direct Advanced Persistent Threat (APT)-style attacks against banks.”
Security camera footage shows the criminals entering the unique digit combination, which is freshly generated from random numbers for each session.
The Tyupkin malware only accepts commands at specific times such as Sunday and Monday nights. Hackers are able to infect ATMs and steal cash during these hours, which could make detection even more difficult.
What’s the answer to these threats?
This isn’t the first time ATMs have been infected with malware in order to dispense cash. For instance, the Ploutus malware allowed criminals to steal money with a little help from an SMS text message, while renowned hacker Barnaby Jack famously demonstrated his technique dubbed ‘Jackpotting’ in 2010.
Financial institutions need to tightly control access to, and consider the physical security of, their ATMs and network infrastructure. The malware currently disables the ATM’s local network connection while dishing out cash, so a machine dropping off the network during a withdrawal should itself be treated as a sign that something is wrong.
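The two behaviours the article describes, the Sunday/Monday-night activity window and the network link going down while cash is dispensed, can be turned into a simple correlation rule over an ATM’s event journal. The code below is an added illustration, not Kaspersky’s or any ATM vendor’s code; the journal format, event names, bulk-dispense threshold and the exact night window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed ATM event journal for illustration (not a real log).
# Each line: ISO timestamp, event name, detail.
SAMPLE_JOURNAL = """\
2014-10-05T22:40:11 NET_DOWN eth0
2014-10-05T22:41:03 DISPENSE cassette=2 notes=40
2014-10-05T22:43:30 NET_UP eth0
2014-10-07T14:05:00 DISPENSE cassette=1 notes=3
2014-10-08T03:00:00 DISPENSE cassette=1 notes=40
2014-10-12T23:15:44 DISPENSE cassette=3 notes=40
"""

@dataclass
class Alert:
    when: datetime
    cassette: int
    notes: int
    reasons: List[str]

def in_night_window(ts: datetime) -> bool:
    """Assumed window: Sunday/Monday from 22:00, or Monday/Tuesday before 06:00."""
    late = ts.weekday() in (6, 0) and ts.hour >= 22   # Sun=6, Mon=0
    early = ts.weekday() in (0, 1) and ts.hour < 6
    return late or early

def detect_jackpotting(journal: str, bulk_notes: int = 40, min_hits: int = 2) -> List[Alert]:
    """Flag dispenses where at least min_hits of the article's indicators coincide."""
    net_up = True
    alerts: List[Alert] = []
    for line in journal.splitlines():
        ts_str, event, detail = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_str)
        if event == "NET_DOWN":
            net_up = False
        elif event == "NET_UP":
            net_up = True
        elif event == "DISPENSE":
            fields = dict(kv.split("=") for kv in detail.split())
            cassette, notes = int(fields["cassette"]), int(fields["notes"])
            reasons = []
            if not net_up:
                reasons.append("dispense while local network link is down")
            if notes >= bulk_notes:
                reasons.append(f"bulk dispense of {notes} notes")
            if in_night_window(ts):
                reasons.append("inside Sunday/Monday night window")
            if len(reasons) >= min_hits:
                alerts.append(Alert(ts, cassette, notes, reasons))
    return alerts
```

A single indicator on its own (a legitimate 40-note withdrawal, say) is not flagged; only the coincidence of two or more is, which keeps the rule usable on a busy machine.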
Banks also need to replace locks and master keys on the upper hood of ATM machines and do more than just settle for the default security settings provided by ATM manufacturers. It may also be helpful to install security alarms as it has been noted that the Tyupkin malware had only infected cash machines without such protection.
Other recommended security measures include installation of sophisticated and updated anti-virus programs on cash machines and the avoidance of default boot passwords.
Malware has long been known to infect mobile devices and PCs to steal passwords. Today it can empty ATMs and allow hackers to become millionaires overnight.