Cash machines running Windows being emptied by 'Tyupkin' malware

ATMs across Eastern Europe emptied by malware that instructs the machine to dispense cash without card

An exploit dubbed Tyupkin that can infect cash machines running 32-bit versions of the Windows operating system has spread across Eastern Europe, netting cyber thieves millions. And use of the exploit is spreading fast, according to security software supplier Kaspersky.

The fast spread of the Tyupkin exploit has even provoked Interpol to issue an alert.

"Kaspersky Lab's experts performed a forensic investigation into cyber-criminal attacks targeting multiple ATMs around the world. During the course of this investigation, the company's researchers discovered a piece of malware infecting ATMs that allowed attackers to empty the cash machines via direct manipulation, stealing millions of dollars," warned Kaspersky in an advisory.

The attacks, however, require the thieves to have physical access to the machines so that they can insert a bootable CD in order to install the malware. When the ATM is re-booted, it can be controlled by the attackers and instructed to disperse all its cash.

"After a successful infection, the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours the attackers are able to steal money from the infected machine," explains Kaspersky.

It continues: "Video footage obtained from security cameras at the infected ATMs showed the methodology used to access cash from the machines. A unique digit combination key based on random numbers is freshly generated for every session.

"This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone.

"When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. After this the ATM dispenses 40 banknotes at a time from the chosen cassette."

As a first step, Kaspersky has advised banks to take a number of basic security measures:

• Review the physical security of ATMs and look at upgrading security;
• Replace all locks and master keys on the upper hood of the ATM machines and dump the defaults provided by the manufacturer;
• Install an alarm and ensure it is in good working order. The cyber-criminals behind Tyupkin only infected ATMs that had no security alarm installed;
• Change the default BIOS password;
• Ensure the cash machines have up-to-date anti-virus protection.

Kaspersky has also produced a tool to remove the infection from affected machines and has published a video demonstrating how the attacks work.

Kaspersky has published a more technical advisory on Securelist.