Cybercriminals have developed and implemented malware designed to withdraw cash directly from ATMs without compromising consumers’ debit cards. The ATM malware allows criminals to identify the amount of money in each cash cassette and manipulate the machine to dispense it. Kaspersky Lab has identified infections in over 50 ATMs, mainly in Eastern Europe, but they have also been found in the United States and other countries.

ATM Threat

According to Securelist, a Kaspersky Lab forensic investigation identified a piece of ATM malware that allows criminals to attack ATMs directly. Through these direct attacks, criminals can empty the cash cassettes of ATMs produced by a specific manufacturer running Microsoft Windows 32-bit.

The ATM malware, called Tyupkin, has several features that help it avoid detection:

  • It is only active at specific times of the night on certain days of the week, typically Sunday and Monday.
  • It requires a key to be entered based on a random seed. The criminal must know the algorithm to enter the correct key based on the randomly displayed seed.
  • Tyupkin implements anti-debug and anti-emulation techniques
  • The malware can disable McAfee Solidcore from the infected system.

This is considered to be a higher-level attack because it attacks the bank directly, bypassing the need for capturing consumer debit card data using skimming devices. Unlike skimming attacks, which only require access to the public space around a machine, the malware attack requires access to the back end of the ATM. The investigation revealed that only ATMs with no active secure alarm were infected. Therefore, installing alarms and eliminating the use of master keys are two easy mitigating controls that can be implemented.

At ATMs where security alarms are installed, cybercriminals may seek a complicit insider at the bank, ATM vendor or security service vendor to install the malware. Additionally, bank personnel could be socially engineered to allow access to the machine by someone purporting to be associated with a vendor.

Suggested Actions Against ATM Malware

As has been discussed in previous intelligence bulletins, new fraud tactics are often introduced in Eastern Europe and migrate to the United States over a period of 12 to 18 months. This is precisely the theory in this particular case. It would behoove financial institutions and money service businesses to pay particular attention to this emerging threat and develop methodologies to counter the tactic before it arrives in the United States.

LINK.co.uk offers detailed mitigation and prevention controls. We have highlighted a few of their recommendations:

General Advice

  • Review security around the ATM, including the general premises and the machine’s immediate surroundings.
  • Enhance security protocols with regular inspections to ensure that no devices have been attached.
  • Review access controls to guarantee inappropriate access is not granted to people posing as vendors.

Merchant Fill Sites

  • Only fill the ATM with sufficient cash for one day’s trading.
  • Only perform cash maintenance when the store is locked and no customers are present.

Cash-in-Transit Fill Sites

  • Review security around the machine, ensuring it is located in the most secure place in the shop.
  • Deter would-be robbers by installing signs that indicate the store’s staff does not have access to the ATM.
  • Only perform cash maintenance when the store is locked and no customers are present.
  • Internal machines should be sited well inside the premises, away from the shopfronts, ideally against a strongly built internal or perimeter wall that does not have vehicular access to its external face.

Read the IBM research report on Security trends in the financial industry

More from Banking & Finance

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today