Cash machine hackers steal millions with Tyupkin malware

ATMs running Windows are being emptied by criminal gangs exploiting vulnerabilities in outdated software

Criminals have walked away with millions of dollars after installing malware on cash machines, with China, India and the USA next on their hit list. More than 50 Windows-based ATMs in Eastern Europe have already been targeted by the Tyupkin malware, which lets hackers steal huge sums of cash.

An unnamed bank asked computer security firm Kaspersky to investigate the attacks, which have mostly targeted Russia. Kaspersky identified that the malware was being installed on ATMs running 32-bit versions of Microsoft Windows.

The attackers are almost impossible to trace as the malware is only active at certain times and uses a random key for every attack. Without using the unique key at a specific time nobody else can access the infected ATM.

When the key is entered correctly the malware forces the ATM to display how much money is available in its stores, also known as cassettes. The hacker, who must have physical access to the ATM to carry out the attack, can then withdraw up to 40 notes from the selected cassette.

Kaspersky said that the malware was evolving rapidly and that the latest variant uses anti-debug and anti-emulation techniques while also disabling security software. Footage obtained from CCTV cameras at infected ATMs showed the hackers installing the malware via a bootable CD.

After the malware performs checks on the ATM, it creates a key in the registry to give the hacker full control. The malware only accepts commands on Sunday and Monday nights, making it even harder for security researchers and police to trace.

The malware is controlled using the ATM buttons and keypad. The screen on the ATM displays how much money is available in each cassette and the hacker then selects a cassette to withdraw 40 notes from. To demonstrate how the attack works Kaspersky carried out a test on a real ATM and filmed the process.

With ATM attacks using skimmers and malicious software dwindling due to better public awareness, hackers are now targeting financial institutions directly with more sophisticated techniques. Kaspersky said that banks needed to invest in better security solutions to halt the hackers:

“The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.”

Kaspersky warned that China, the US and India were likely to be targeted next, with some attacks already being detected. The Tyupkin malware has mostly targeted Russia but has also been spotted in Israel, France and Malaysia.
