A two-stage financial attack has been discovered targeting ATMs in multiple regions, including Latin America, Europe and Asia. It lets attackers withdraw cash by directly manipulating the machine, and has been used to steal millions of dollars.
According to Kaspersky Lab, the criminals work in two stages. First, they gain physical access to the ATM and insert a bootable CD to install the Tyupkin malware. Once the system is rebooted, the infected ATM is under their control, and the malware runs in an infinite loop waiting for a command.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab. “Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.”
This is done by infecting ATMs themselves or launching direct APT-style attacks against banks.
In its analysis, the firm found that the adversaries made the scam harder to spot by having the malware accept commands only at specific times on Sunday and Monday nights; only during those hours can the attackers withdraw money from the infected machine. The cyber-criminals also infected only ATMs that had no security alarm installed.
But the perps didn’t count on a classic security strategy: video surveillance. Footage obtained from security cameras of the infected ATMs clearly shows the methodology used to access the cash from the machines.
From the footage, Kaspersky was able to determine that a unique digit combination based on random numbers is generated afresh for every session, so that no one outside the gang could accidentally profit from the fraud. The operator at the machine then receives instructions by phone from another member of the gang who knows the algorithm and can generate a session key from the number displayed.
“This ensures that the mules collecting the cash do not try to go it alone,” Kaspersky explained.
When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. The ATM then dispenses 40 banknotes at a time from the chosen cassette.
The firm noted that the malware has evolved over time as well: the first infections were seen in March. In its latest variant (version .d), the malware implements anti-debug and anti-emulation techniques and also disables McAfee Solidcore on the infected system.
INTERPOL has alerted the affected member countries and is assisting ongoing investigations, and warns that the public should be careful when using public ATMs.
“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,” said Sanjay Virmani, director of the INTERPOL Digital Crime Centre.
Kaspersky Lab recommends that banks first review the physical security of their ATMs and network infrastructure, replace all locks and master keys on the upper hood of the ATMs, and change the default BIOS password.