Cybercriminals have developed and implemented malware designed to withdraw cash directly from ATMs without compromising consumers’ debit cards. The ATM malware allows criminals to identify the amount of money in each cash cassette and manipulate the machine to dispense it. Kaspersky Lab has identified infections in over 50 ATMs, mainly in Eastern Europe, but they have also been found in the United States and other countries.

ATM Threat

According to Securelist, a Kaspersky Lab forensic investigation identified a piece of ATM malware that allows criminals to attack ATMs directly. Through these direct attacks, criminals can empty the cash cassettes of ATMs produced by a specific manufacturer running Microsoft Windows 32-bit.

The ATM malware, called Tyupkin, has several features that help it avoid detection:

  • It is only active at specific times of the night on certain days of the week, typically Sunday and Monday.
  • It requires a key to be entered based on a random seed. The criminal must know the algorithm to enter the correct key based on the randomly displayed seed.
  • Tyupkin implements anti-debug and anti-emulation techniques
  • The malware can disable McAfee Solidcore from the infected system.

This is considered to be a higher-level attack because it attacks the bank directly, bypassing the need for capturing consumer debit card data using skimming devices. Unlike skimming attacks, which only require access to the public space around a machine, the malware attack requires access to the back end of the ATM. The investigation revealed that only ATMs with no active secure alarm were infected. Therefore, installing alarms and eliminating the use of master keys are two easy mitigating controls that can be implemented.

At ATMs where security alarms are installed, cybercriminals may seek a complicit insider at the bank, ATM vendor or security service vendor to install the malware. Additionally, bank personnel could be socially engineered to allow access to the machine by someone purporting to be associated with a vendor.

Suggested Actions Against ATM Malware

As has been discussed in previous intelligence bulletins, new fraud tactics are often introduced in Eastern Europe and migrate to the United States over a period of 12 to 18 months. This is precisely the theory in this particular case. It would behoove financial institutions and money service businesses to pay particular attention to this emerging threat and develop methodologies to counter the tactic before it arrives in the United States. offers detailed mitigation and prevention controls. We have highlighted a few of their recommendations:

General Advice

  • Review security around the ATM, including the general premises and the machine’s immediate surroundings.
  • Enhance security protocols with regular inspections to ensure that no devices have been attached.
  • Review access controls to guarantee inappropriate access is not granted to people posing as vendors.

Merchant Fill Sites

  • Only fill the ATM with sufficient cash for one day’s trading.
  • Only perform cash maintenance when the store is locked and no customers are present.

Cash-in-Transit Fill Sites

  • Review security around the machine, ensuring it is located in the most secure place in the shop.
  • Deter would-be robbers by installing signs that indicate the store’s staff does not have access to the ATM.
  • Only perform cash maintenance when the store is locked and no customers are present.
  • Internal machines should be sited well inside the premises, away from the shopfronts, ideally against a strongly built internal or perimeter wall that does not have vehicular access to its external face.

Read the IBM research report on Security trends in the financial industry

More from Banking & Finance

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…