Revealed: Malware that forces weak ATMs to spit out 'ALL THE CASH'

Banks, lock down your cash machines

Video Thieves are sneaking malware dubbed Tyupkin into ATMs to force them to cough up millions of dollars, we're told.

The crims don't need to use stolen or cloned cards. Instead, fraudsters infect the ATM's on-board PC, and later type a special combination of digits on the PIN keypad to drain the machine of banknotes – that's according to researchers at Kaspersky Lab.

Scams of this type were first recorded in Mexico, but they have since expanded in scope across the world – though mainly in Asia and Russia. Kaspersky Lab is calling on banks to double-check the physical security of their money machines to stamp out the thefts.

Experts at the Russian security firm were hired by a financial institution to investigate the disappearance of cash from its ATMs around the world. During this probe, the researchers discovered a piece of malware installed on the machines that allowed criminals to loot the devices. Some 50 infected ATMs were found in eastern Europe. Policing agency Interpol is now involved.

A video showing this attack, which has apparently netted "millions of dollars", is embedded below.

First, the crims must gain physical access to the inside of the 32-bit Windows-powered ATM, and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected cash machine is under their control.

The malware runs unseen in the background while awaiting instructions. Tyupkin only accepts commands at specific times on Sunday and Monday nights.

When a command to wake up the malware is typed at the keypad, a random number is shown. To proceed, the thief must type into the keypad a valid key value derived from the random number.

If the thief doesn't know how to calculate the unlock key from the random seed, he or she can phone a crime boss who knows the algorithm and does the maths: this ensures the boss's money-collecting mules are unable to carry out the scam alone – they need help in converting the random numbers into unlock keys.

When the required key is entered correctly, the ATM displays how much money is available in each cash cassette, inviting the crim to choose which cassette to rob. After this is selected, the ATM dispenses 40 banknotes at a time from the chosen cassette.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab’s global research and analysis team.

“Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly.

“This is done by infecting ATMs themselves or launching direct Advanced Persistent Threat (APT)-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

Banks need to review the physical security of their ATMs and network infrastructure, Diaz recommends – the malware disables its local network when dishing out dosh to thieves, which should be a telltale sign something is up.
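As an added illustration (not from Kaspersky Lab or the original article), that telltale sign can be turned into a monitoring rule: flag any cash dispense that happens while the ATM's network link is down, and note when it also matches the 40-note bursts and the Sunday/Monday night window described above. The log format, event names and the 22:00 to 06:00 reading of "night" are assumptions, and the sample lines are constructed.

```python
from datetime import datetime

# Constructed sample events in a hypothetical one-line format:
# ISO timestamp, ATM id, event name, banknote count (0 when not a dispense).
SAMPLE_LOG = """\
2014-10-05T23:10:02 ATM-017 HOST_AUTH 0
2014-10-05T23:10:09 ATM-017 DISPENSE 4
2014-10-06T01:32:40 ATM-017 LINK_DOWN 0
2014-10-06T01:33:05 ATM-017 DISPENSE 40
2014-10-06T01:33:50 ATM-017 DISPENSE 40
2014-10-06T01:36:12 ATM-017 LINK_UP 0
2014-10-08T14:02:11 ATM-022 LINK_DOWN 0
2014-10-08T14:05:30 ATM-022 LINK_UP 0
"""

NOTES_PER_BURST = 40   # the article: 40 banknotes per dispense
NIGHT_DAYS = {6, 0}    # Sunday and Monday, as numbered by datetime.weekday()
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))  # assumed meaning of "night"


def find_offline_dispenses(log_text):
    """Return one alert per dispense made while the ATM's link was down."""
    link_down = {}  # ATM id -> True while its network link is down
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, atm, event, value = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "LINK_DOWN":
            link_down[atm] = True
        elif event == "LINK_UP":
            link_down[atm] = False
        elif event == "DISPENSE" and link_down.get(atm, False):
            # No host could have authorised this withdrawal: primary signal.
            reasons = ["dispense while network link down"]
            if int(value) == NOTES_PER_BURST:
                reasons.append("40-note burst")
            if when.weekday() in NIGHT_DAYS and when.hour in NIGHT_HOURS:
                reasons.append("Sunday/Monday night")
            alerts.append({"atm": atm, "time": stamp,
                           "notes": int(value), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_offline_dispenses(SAMPLE_LOG):
        print(alert["time"], alert["atm"], alert["notes"],
              "; ".join(alert["reasons"]))
```

An ordinary link outage with no dispense (ATM-022 in the sample) raises nothing, and neither does the normal, host-authorised withdrawal on ATM-017.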

Banks should replace all locks and master keys on the upper hood of their ATM machines and ditch the default settings provided by the manufacturer, it's suggested. The use of security alarms can also help.

The masterminds behind Tyupkin only infected ATMs that had no security alarms. Changing the default BIOS access and boot passwords, and ensuring cash machines have up-to-date antivirus protection, are other sensible precautions.

Kaspersky Lab and cops hope highlighting the threat will encourage banks to take action against the fraudsters.

Sanjay Virmani, director of Interpol's digital crime centre, explained: “Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi.” ®
