Lock it up! ATMs are attacked with “software skimmers”

October 7, 2014

Interpol just released an alert regarding cyberattacks targeting multiple ATMs around the world. During the course of a forensic investigation performed by Kaspersky Lab, researchers discovered a piece of malware infecting ATMs. It allowed attackers to empty the cash machines via direct manipulation, stealing millions of dollars. INTERPOL alerted the affected members’ countries and is assisting in ongoing investigations.

“Skimmers” – devices plugged into the card slots of ATMs or latched on their keyboards in order to harvest payment cards data – are a long-known threat, reported around the globe on a regular basis. These devices are physical and easily visible to an experienced eye. So, criminals would prefer installing these devices in crowded areas where surveillance is lacking or inefficient. This allows them to harvest as much data as they can before the device is discovered and dismantled.

Someone created a purely software counterpart of a skimmer device. Codenamed Tyupkin by Kaspersky Lab, it is a piece of malware (a backdoor, to be more specific) that runs within an ATM’s operating system, and upon receiving a command, can help a criminal withdraw an unlimited amount of cash. It still requires physical access to an ATM, so criminals insert a bootable CD, reboot the system, and get an ATM under their control.


The malware itself runs in an infinite loop waiting for a command from a remote server. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours the attackers are able to steal money from the infected machine. A “money mule” arrives at the infected machine and grabs the cash after a procedure of “authentication” with the other attackers. For more information on how the scam is conducted – including technical details – please refer to this publication at Securelist.

Cybercriminals are increasingly taking on financial institutions directly, by infecting ATMs themselves or launching direct APT-style attacks against banks.

This Tyupkin malware is a bold and effective move. The criminals behind it clearly know their trade well, and assume (for a reason) that not everyone would expect attacks like this. They only attack ATMs that aren’t equipped with additional protection. For instance, they avoid using ATMs with a security alarm installed.

This is indicative of how the risks can be mitigated: It is physical security of ATMs that should be upgraded first. Lock it up, replace all locks and master keys on the upper hood, and ditch the defaults provided by the manufacturer. Service crews and cash-in-transit providers will have the necessary keys. For anyone else, opening an ATM should be as difficult as opening a safe.

Some subtler steps are required as well. ATMs mostly have certain versions of Windows operating systems. Earlier this year, mere days before Microsoft axed Windows XP support, well-informed people stated that up to 95% of ATMs in the world are powered by XP with all of its security deficiencies. An unsanctioned tinkering with the software would be problematic: The system shouldn’t accept any unauthorized bootable CD. Kaspersky Lab’s experts also suggest (or even insist) that the default BIOS password be changed, and the machines should install an up-to-date antivirus protection to block the malware if it is indeed planted.

The Tyupkin backdoor can be detected and removed with a free utility Kaspersky Virus Removal Tool (available for download here).