Over the years, we have observed the evolution of cybercrime, and in particular an uptick in attacks on ATMs. The days when attackers relied on phony number pads and skimmers to steal debit card data are slowly fading. Criminals have honed their skills and now use sophisticated malware that targets the ATM's operating system directly, letting them empty the machine or their victims' accounts.
“It just blows you away how sophisticated these folks are in thinking this stuff up,” says Bryan Sartin, director of the team at Verizon Communications that investigates data breaches.
Nowadays, attackers also abuse the network connections that financial institutions use to monitor their ATMs in order to steal PIN data remotely. By installing malicious code on the ATM's operating system, they can have captured card data sent back to them by email or instant messaging. Small and mid-sized institutions, which tend to run less sophisticated technology, are the ideal targets.
“Regulators at the Federal Financial Institutions Examination Council warned in April that the ATMs of small and midsize banks are preferred targets for criminals who hack bank Web pages to boost ATM withdrawal limits and then clean out people’s accounts,” reports Bloomberg Businessweek.
Earlier in March, the FBI spotted a wave of ATM attacks stretching from Bulgaria to Chicago. Preliminary investigation showed that the attackers were assembling hard-to-detect PIN-capturing devices and installing them in ATMs.
According to security experts, criminals must have "profound knowledge of the target ATM machines" before breaking into the ATM and installing the malware. "For sure, they had to have a profound knowledge of ATMs … Most likely they actually had one to test. Either they stole one and reverse engineered the cash client, or most likely, they had someone on the inside," says a cybercrime researcher.
Forensic investigation of infected ATMs shows highly sophisticated, carefully coded malware, suggesting that a team of skilled developers is behind the syndicate. Experts believe developing malware of this kind requires considerable money and expertise.
A few weeks ago, researchers at Kaspersky Lab unearthed Tyupkin, a sophisticated piece of malware that attackers use to compromise ATMs and make them dispense cash on demand. The malware was found on more than 50 ATMs in Eastern Europe and had also been submitted from other countries, including the US, India and China.
Kaspersky said the code allowed the attackers to dispense cash from the ATM without needing a cloned card at all. Tyupkin only affected ATMs from one major manufacturer running a 32-bit version of Windows.
Installing Tyupkin requires physical access to the target ATM: the attacker boots the machine from a CD and uploads the malware. The malware then runs in a loop, waiting for a command entered on the ATM's keypad. Interestingly, it only accepted commands on Sunday and Monday nights.
Restricting its activity to those hours allowed the malware to stay undetected for the rest of the week while still guaranteeing the attackers access to the infected machine. Tyupkin also generates a random key for every session, and the attacker must enter that key before interacting with the compromised ATM.
“When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette,” explained Kaspersky.
Furthermore, if the wrong key is entered, the malware triggers a defense mechanism that disables the ATM's local network connection, so that remote diagnostic checks cannot reach the machine and detect it. It also runs countermeasures intended to neutralize security software on the ATM.
According to Vicente Diaz, principal researcher at Kaspersky Lab, the Tyupkin attacks succeeded because weak banking infrastructure gave criminals the upper hand. "The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure," said Diaz. "We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions."
In a similar use of malware against ATMs, researchers at Symantec uncovered a strain dubbed Ploutus that exploits weaknesses in Windows XP-based ATMs. The malware caused havoc in Mexico earlier in March, allowing attackers to withdraw cash simply by sending text messages to a compromised ATM.
“What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible, but this technique is being used in a number of places across the world at this time.”
As with Tyupkin, the attacker needs physical access to the ATM, in this case to connect a mobile phone to it via USB tethering, which puts the phone and the ATM on a shared network link. Once the phone is in place, the attacker sends it SMS commands, which it relays to the malware on the ATM to authorize a cash dispense.
“Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely,” stated Symantec in a blog.
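The two cases above share a handful of observable indicators: cash dispensed with no card session, activity confined to Sunday and Monday nights, a boot from removable media, an unexpected USB device, and the network interface going down. The following is an added example, not code from Kaspersky, Symantec or the banks involved, of how a defender might hunt for those indicators across ATM event records. The event schema, the approved-USB list, the exact boundaries of the "night" window and the sample events are all assumptions constructed for the example.

```python
"""Hunt ATM event records for the Tyupkin/Ploutus indicators described above.

Added example: the event format is hypothetical, and the sample events below
are constructed for illustration, not taken from any real incident.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass
class AtmEvent:
    ts: datetime      # local time on the ATM
    atm_id: str
    kind: str         # one of: boot, card_read, dispense, usb_attach, nic_down
    detail: str = ""  # free text, e.g. boot device or USB device name


# Assumption: only these USB device strings are expected on a healthy ATM.
APPROVED_USB = {"card reader", "pin pad", "receipt printer"}


def in_tyupkin_window(ts: datetime) -> bool:
    """True for 'Sunday or Monday night', assumed here to mean 22:00-06:00.

    Sunday night spans Sunday >= 22:00 and Monday < 06:00; Monday night spans
    Monday >= 22:00 and Tuesday < 06:00. Python weekday(): Monday=0 ... Sunday=6.
    """
    wd, hour = ts.weekday(), ts.hour
    return (hour >= 22 and wd in (6, 0)) or (hour < 6 and wd in (0, 1))


def hunt(events: List[AtmEvent], card_window_seconds: int = 120) -> List[Tuple[str, str]]:
    """Return (atm_id, reason) alerts for events matching the indicators.

    A dispense is only considered legitimate if a card_read on the same ATM
    happened within card_window_seconds before it; each card read covers at
    most one dispense, so two dispenses on one card session also alert.
    """
    alerts: List[Tuple[str, str]] = []
    last_card = {}  # atm_id -> timestamp of the most recent unconsumed card read

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "card_read":
            last_card[ev.atm_id] = ev.ts
        elif ev.kind == "dispense":
            prev = last_card.pop(ev.atm_id, None)
            if prev is None or (ev.ts - prev).total_seconds() > card_window_seconds:
                alerts.append((ev.atm_id, "dispense without a card session"))
            if in_tyupkin_window(ev.ts):
                alerts.append((ev.atm_id, "dispense in Sunday/Monday-night window"))
        elif ev.kind == "boot" and "removable" in ev.detail.lower():
            alerts.append((ev.atm_id, "boot from removable media"))
        elif ev.kind == "usb_attach" and ev.detail.lower() not in APPROVED_USB:
            alerts.append((ev.atm_id, "unapproved USB device attached"))
        elif ev.kind == "nic_down":
            alerts.append((ev.atm_id, "network interface disabled"))
    return alerts


# Constructed sample: 12 Oct 2014 is a Sunday. ATM-01 is a normal withdrawal,
# ATM-02 mimics a Tyupkin-style intrusion, ATM-03 a Ploutus-style phone attach.
SAMPLE_EVENTS = [
    AtmEvent(datetime(2014, 10, 14, 14, 0, 0), "ATM-01", "card_read"),
    AtmEvent(datetime(2014, 10, 14, 14, 0, 30), "ATM-01", "dispense", "200"),
    AtmEvent(datetime(2014, 10, 11, 3, 15, 0), "ATM-02", "boot", "boot device: removable CD-ROM"),
    AtmEvent(datetime(2014, 10, 12, 23, 30, 0), "ATM-02", "dispense", "40 notes cassette 1"),
    AtmEvent(datetime(2014, 10, 12, 23, 32, 0), "ATM-02", "nic_down"),
    AtmEvent(datetime(2014, 10, 15, 10, 0, 0), "ATM-03", "usb_attach", "Android phone (RNDIS tethering)"),
    AtmEvent(datetime(2014, 10, 15, 10, 5, 0), "ATM-03", "dispense", "40 notes cassette 2"),
]

if __name__ == "__main__":
    for atm_id, reason in hunt(SAMPLE_EVENTS):
        print(f"{atm_id}: {reason}")
```

Run against real telemetry, the card-session rule is the one most worth tuning: dispenses driven by the bank's own test harness or by service technicians will also fire it, so those identities need to be whitelisted rather than the rule loosened.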
Ploutus and Tyupkin illustrate the natural evolution of cybercrime. Shockingly, some banks still run their ATMs on the outdated Windows XP, leaving them extremely vulnerable. Banks must invest more in updating their infrastructure, or cybercriminals will keep the upper hand.