Cybercriminals have developed and implemented malware designed to withdraw cash directly from ATMs without compromising consumers’ debit cards. The ATM malware allows criminals to identify the amount of money in each cash cassette and manipulate the machine to dispense it. Kaspersky Lab has identified infections in over 50 ATMs, mainly in Eastern Europe, but they have also been found in the United States and other countries.

ATM Threat

According to Securelist, a Kaspersky Lab forensic investigation identified a piece of ATM malware that allows criminals to attack ATMs directly. Through these direct attacks, criminals can empty the cash cassettes of ATMs produced by a specific manufacturer running Microsoft Windows 32-bit.

The ATM malware, called Tyupkin, has several features that help it avoid detection:

  • It is only active at specific times of the night on certain days of the week, typically Sunday and Monday.
  • It requires a key to be entered based on a random seed. The criminal must know the algorithm to enter the correct key based on the randomly displayed seed.
  • Tyupkin implements anti-debug and anti-emulation techniques
  • The malware can disable McAfee Solidcore from the infected system.

This is considered to be a higher-level attack because it attacks the bank directly, bypassing the need for capturing consumer debit card data using skimming devices. Unlike skimming attacks, which only require access to the public space around a machine, the malware attack requires access to the back end of the ATM. The investigation revealed that only ATMs with no active secure alarm were infected. Therefore, installing alarms and eliminating the use of master keys are two easy mitigating controls that can be implemented.

At ATMs where security alarms are installed, cybercriminals may seek a complicit insider at the bank, ATM vendor or security service vendor to install the malware. Additionally, bank personnel could be socially engineered to allow access to the machine by someone purporting to be associated with a vendor.

Suggested Actions Against ATM Malware

As has been discussed in previous intelligence bulletins, new fraud tactics are often introduced in Eastern Europe and migrate to the United States over a period of 12 to 18 months. This is precisely the theory in this particular case. It would behoove financial institutions and money service businesses to pay particular attention to this emerging threat and develop methodologies to counter the tactic before it arrives in the United States. offers detailed mitigation and prevention controls. We have highlighted a few of their recommendations:

General Advice

  • Review security around the ATM, including the general premises and the machine’s immediate surroundings.
  • Enhance security protocols with regular inspections to ensure that no devices have been attached.
  • Review access controls to guarantee inappropriate access is not granted to people posing as vendors.

Merchant Fill Sites

  • Only fill the ATM with sufficient cash for one day’s trading.
  • Only perform cash maintenance when the store is locked and no customers are present.

Cash-in-Transit Fill Sites

  • Review security around the machine, ensuring it is located in the most secure place in the shop.
  • Deter would-be robbers by installing signs that indicate the store’s staff does not have access to the ATM.
  • Only perform cash maintenance when the store is locked and no customers are present.
  • Internal machines should be sited well inside the premises, away from the shopfronts, ideally against a strongly built internal or perimeter wall that does not have vehicular access to its external face.

Read the IBM research report on Security trends in the financial industry

more from Banking & Finance

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 –…

SEC Proposes New Cybersecurity Rules for Financial Services

Proposed new policies from the Securities and Exchange Commission (SEC) could spell changes for how financial services firms handle cybersecurity. On Feb. 9, the SEC voted to propose cybersecurity risk management policies for registered investment advisers, registered investment companies and business development companies (funds). Next, the proposal will go through a public comment period until May 9.  The Importance of…