Why rob a bank through the front door when you can steal cash through an ATM at your leisure? That’s the thinking of thieves who have managed to hack ATMs to dispense cash at any time they choose.
Investigators from the security software firm Kaspersky Lab recently found evidence that a type of malicious software known as “Tyupkin” is being used by cybercriminals all over the world to hack ATMs.
How Tyupkin works
1. Physical access. A hacker gains access to a CD drive or USB port on the ATM itself, sometimes by actually breaking physical protections, says Vicente Diaz, principal security researcher at Kaspersky Lab.
It may seem funny to think of an ATM having a CD drive like a home PC, but “many ATMs are not much more than a computer in a box,” Diaz says.
2. Installation. The hacker installs Tyupkin on the ATM. So far, Diaz says they haven’t seen a case where the hacker was able to install it remotely, but that doesn’t mean it hasn’t happened.
“At the moment, we have found that the group is infecting the machines through the CD, but they could use a USB port or even network access if they figure out how,” he says. “So far, we have detected only attacks using the first two methods.”
3. Big withdrawals. During hours chosen by hackers using Tyupkin, hired “mules” go to certain bank ATMs and enter a special key. That key tells the mule how much money is available in each of the ATM’s money bins, known as “cassettes.” From there, the mule can dispense 40 cash notes at a time, quickly emptying the machine, and be on his or her way.
“Each cassette has a different bill, and most likely attackers will empty all of them,” Diaz says. “We believe the attackers just wanted to steal everything and don’t care about doing this slowly to avoid detection.”
Fortunately, the fraudulent withdrawals made by Tyupkin users aren’t tied to any particular bank account, Diaz says. That means that accountholders won’t be surprised with a zero balance because of a Tyupkin attack.
But if you don’t like the idea of ATMs being emptied out by organized crime, there is something you can do to help. Let your bank know if you see evidence the ATM has been tampered with, Diaz says.
New technology driving criminal ‘innovation’?
The adoption of EMV chip cards, which make it harder to clone debit and credit cards with details gleaned from skimming, may be driving criminals to invent new bank-robbing schemes, Diaz says.
“We are not sure if the attackers are trying to find alternatives to the EMV adoption,” Diaz says.
Whatever their motivations, it’s likely that the practice, and the malware that enables it, will become more popular.
“The total combined amount of stolen money is millions of dollars,” Diaz says. “It’s clear that ATM fraud is lucrative for them, thereafter catching the attention of more organized gangs.”