In early January, and then again in March, reports detailed some smart ATM attacks that allowed hackers to steal money from malware-infected ATMs without requiring any access to the credit or debit cards used by customers. Instead, hackers managed to steal cash directly from the bank, after taking over the machines with special programs. This ultimate heist appears to still be working, The Register reports, as hackers are still using the practice that has netted them “millions of dollars.”
Such attacks were sighted in Mexico first, but apparently more ATMs around the world belonging to an unnamed financial institutions have now been infected with the malware. Called Tyupkin, the malware has been installed on some 50 ATMs in eastern Europe, although exact details about the infected machines haven’t been offered by Kaspersky Lab, which is investigating the matter.
Interestingly, hackers need to gain access inside the 32-bit Windows-powered ATM and then install the Tyupkin malware with help of a bootable CD before getting cash out of it. It’s not clear how they’re able to actually get inside the ATMs in the first place, but hackers have wisely only infected ATMs that had no security alarms in place.
Once the malicious program is installed, hackers can simply return as many times as they want — apparently they do it on Sunday and Monday evenings, which is when Tyupkin accepts commands — and collect cash. Before accessing the special menu that lets them withdraw up to 40 banknotes at a time from a chosen money cassette, hackers need to use a special code to activate the malicious program and then enter a verification PIN either by performing some sort of calculation based on a code delayed on the screen, or by calling a boss who knows how to calculate it.
During such attacks, the ATM’s network connection is temporarily shut down, likely to prevent detection.
A video available at the source link shows this ATM malware in action.