Cybercriminals have developed and implemented malware designed to withdraw cash directly from ATMs without compromising consumers’ debit cards. The ATM malware allows criminals to identify the amount of money in each cash cassette and manipulate the machine to dispense it. Kaspersky Lab has identified infections in over 50 ATMs, mainly in Eastern Europe, but they have also been found in the United States and other countries.

ATM Threat

According to Securelist, a Kaspersky Lab forensic investigation identified a piece of ATM malware that allows criminals to attack ATMs directly. Through these direct attacks, criminals can empty the cash cassettes of ATMs produced by a specific manufacturer and running 32-bit Microsoft Windows.

The ATM malware, called Tyupkin, has several features that help it avoid detection:

  • It is only active at specific times of the night on certain days of the week, typically Sunday and Monday.
  • It requires a key to be entered based on a random seed. The criminal must know the algorithm to enter the correct key based on the randomly displayed seed.
  • Tyupkin implements anti-debug and anti-emulation techniques.
  • The malware can disable McAfee Solidcore on the infected system.

This is considered to be a higher-level attack because it targets the bank directly, bypassing the need to capture consumer debit card data with skimming devices. Unlike skimming attacks, which only require access to the public space around a machine, the malware attack requires access to the back end of the ATM. The investigation revealed that only ATMs with no active security alarm were infected. Therefore, installing alarms and eliminating the use of master keys are two easy mitigating controls that can be implemented.

At ATMs where security alarms are installed, cybercriminals may seek a complicit insider at the bank, ATM vendor or security service vendor to install the malware. Additionally, bank personnel could be socially engineered to allow access to the machine by someone purporting to be associated with a vendor.

Suggested Actions Against ATM Malware

As has been discussed in previous intelligence bulletins, new fraud tactics are often introduced in Eastern Europe and migrate to the United States over a period of 12 to 18 months. The same pattern is expected in this particular case. It would behoove financial institutions and money service businesses to pay particular attention to this emerging threat and develop methodologies to counter the tactic before it arrives in the United States.

LINK.co.uk offers detailed mitigation and prevention controls. We have highlighted a few of their recommendations:

General Advice

  • Review security around the ATM, including the general premises and the machine’s immediate surroundings.
  • Enhance security protocols with regular inspections to ensure that no devices have been attached.
  • Review access controls to guarantee inappropriate access is not granted to people posing as vendors.

Merchant Fill Sites

  • Only fill the ATM with sufficient cash for one day’s trading.
  • Only perform cash maintenance when the store is locked and no customers are present.

Cash-in-Transit Fill Sites

  • Review security around the machine, ensuring it is located in the most secure place in the shop.
  • Deter would-be robbers by installing signs that indicate the store’s staff does not have access to the ATM.
  • Only perform cash maintenance when the store is locked and no customers are present.
  • Internal machines should be sited well inside the premises, away from the shopfronts, ideally against a strongly built internal or perimeter wall that does not have vehicular access to its external face.
