Slashdot Mirror


Infected ATMs Give Away Millions of Dollars Without Credit Cards

An anonymous reader writes: Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars. The criminals work in two stages. First, they gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected ATM is now under their control and the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine.

9 of 83 comments

  1. This doesn't add up by drsquare · · Score: 4, Interesting

    If you have access to the ATM physically, why not just take the cash there and then?

    1. Re:This doesn't add up by BitterOak · · Score: 5, Informative

      If you have access to the ATM physically, why not just take the cash there and then?

      Because there would only be a finite amount of cash in the machine. By installing this software, you can steal a little bit at a time, and the cash would be reloaded periodically.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:This doesn't add up by Anonymous Coward · · Score: 5, Informative

      It's also easier to tie cash loss to an event where a bad actor had special physical access. I'd be willing to bet the cash box itself has monitors/procedures/audit trails to prevent theft/tampering from people who normally service it.

      The trojan bypasses all that, hiding cash loss in an event that does not require special physical access (normal walk-up transactions carried out by customers). The trojan also cleans up all the auditing logs so you're less sure about when the loss occurred.

      If, say, the bad actor is a crooked service man, the gang of crooks can bribe him to slip their CD in and install the trojan. That way the cash gets taken when he's nowhere near the machine, and he has nothing to do with taking the cash altogether. Or if, say, you're picking locks and breaking into the machine to slip in your CD, there's nothing suspicious (like an empty cash box) to point to the time when you could have broken into the machine. You put the risk of the actual cash theft (taking money from trojan-compromised machines) on low-rent thugs and suckers in your gang.

    3. Re:This doesn't add up by nojayuk · · Score: 5, Insightful

      Going back repeatedly isn't going to work -- the bank or financial company maintaining the ATMs does actually count the money going into the machines and the amounts legally withdrawn and if they don't balance then investigations are carried out. Put in 10000 quatloos, 7000 quatloos withdrawn by customers over a few days, 1000 quatloos left when the next refill is carried out = something fishy. Cookie jar accountancy rules apply, eventually Mom will notice the distinct lack of cookies and eventually catch you cookie-crumb-handed.
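The summary describes a dispenser that pays out with no card transaction behind it, and the comment above describes the control that eventually catches it: count what went in, what was legitimately withdrawn, and what is left. The following is an added example, not Kaspersky's analysis code or any ATM vendor's software, showing both checks over a constructed audit log. The record layout (a host-authorised transaction id attached to each dispense event) and the sample amounts and timestamps are assumptions made for the example; the 10000 / 7000 / 1000 figures are the ones the comment uses.

```python
"""Reconcile ATM dispense events against host authorisations (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """A withdrawal the bank host approved for a card transaction (assumed record format)."""
    auth_id: str
    amount: int


@dataclass(frozen=True)
class Dispense:
    """A cash-out event from the dispenser's own log; auth_id is None when no
    host authorisation accompanied it (assumed record format)."""
    ts: datetime
    amount: int
    auth_id: Optional[str]


def reconcile_cassette(loaded: int, authorizations: List[Authorization], counted_remaining: int) -> int:
    """The cookie-jar check: cash loaded minus authorised withdrawals should equal the cash
    counted at the next refill. Returns the unexplained shortfall (0 when everything balances)."""
    expected_remaining = loaded - sum(a.amount for a in authorizations)
    return expected_remaining - counted_remaining


def find_orphan_dispenses(dispenses: List[Dispense], authorizations: List[Authorization]) -> List[Dispense]:
    """Dispense events that no authorised transaction accounts for: missing id, unknown id,
    or an id whose authorised amount differs from what was actually paid out."""
    approved: Dict[str, int] = {a.auth_id: a.amount for a in authorizations}
    return [d for d in dispenses if d.auth_id is None or approved.get(d.auth_id) != d.amount]


def orphan_time_profile(orphans: List[Dispense]) -> Counter:
    """Count orphan dispenses by (weekday name, hour) so that a recurring cash-out
    window, such as the Sunday/Monday-night schedule in the story, stands out."""
    return Counter((d.ts.strftime("%A"), d.ts.hour) for d in orphans)


# Constructed sample data: one refill cycle in early October 2014.
AUTHS = [
    Authorization("T1", 200),
    Authorization("T2", 300),
    Authorization("T3", 1500),
    Authorization("T4", 5000),
]
DISPENSES = [
    Dispense(datetime(2014, 10, 3, 14, 20), 200, "T1"),
    Dispense(datetime(2014, 10, 4, 9, 5), 300, "T2"),
    Dispense(datetime(2014, 10, 5, 23, 10), 500, None),   # Sunday night, no authorisation
    Dispense(datetime(2014, 10, 6, 1, 5), 500, None),     # Monday early hours, no authorisation
    Dispense(datetime(2014, 10, 8, 12, 0), 1500, "T3"),
    Dispense(datetime(2014, 10, 10, 17, 45), 5000, "T4"),
    Dispense(datetime(2014, 10, 12, 23, 30), 500, None),  # following Sunday night
    Dispense(datetime(2014, 10, 13, 0, 45), 500, None),   # following Monday early hours
]
LOADED = 10000
COUNTED_AT_REFILL = 1000


def run_audit() -> Tuple[int, List[Dispense], Counter]:
    """Run both checks and return (shortfall, orphan dispenses, time profile)."""
    shortfall = reconcile_cassette(LOADED, AUTHS, COUNTED_AT_REFILL)
    orphans = find_orphan_dispenses(DISPENSES, AUTHS)
    return shortfall, orphans, orphan_time_profile(orphans)


if __name__ == "__main__":
    shortfall, orphans, profile = run_audit()
    print(f"unexplained shortfall: {shortfall}")
    print(f"orphan dispenses: {len(orphans)} totalling {sum(d.amount for d in orphans)}")
    for (day, hour), n in sorted(profile.items()):
        print(f"  {day} {hour:02d}:00  x{n}")
```

The cassette reconciliation only tells you that money is missing; the dispense log comparison tells you which events took it, and the weekday/hour profile is what turns four scattered events into a pattern worth correlating with service visits. A trojan that wipes the dispenser log defeats the second and third checks, which is why the first one is computed from the cassette loads and the host's own transaction records rather than from anything stored on the machine.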

    4. Re:This doesn't add up by PRMan · · Score: 5, Interesting

      You can actually punch a hole in many popular ATMs and there is a live USB port right behind it. This has been discussed repeatedly as a security problem. I don't know if they fixed that one, but there could be more or it could be really slow to be fixed. http://www.extremetech.com/ext...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    5. Re:This doesn't add up by sg_oneill · · Score: 5, Informative

      If you have access to the ATM physically, why not just take the cash there and then?

      Not as easy as you think. A guy who used to live in the apartments across from me was a retired burglar. Found god in prison, went straight, yada yada. One of his old tricks was burgling ATM machines. Apparently his trick was he'd tie a chain to the ATM and the other end to a stolen truck and take off down the road with the ATM in tow. He'd then get out with a few men and lift the ATM into the truck and make a run for it.

      It would take them about 4-5 days to extract the money. Apparently the cash reserves are booby-trapped so that tampering with the mechanism would destroy the cash. As a result removing the money was a complicated procedure involving slow dismantling and a lot of welding.

      After his third attempt at it, they got a newer one that was battery backed and had some sort of radio thing in it. Cops tracked it and they were done.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    6. Re:This doesn't add up by davester666 · · Score: 4, Insightful

      Yeah. Those are called "ATM fees". Oh wait, we're talking about different criminals.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Re:These on XP? by Obfuscant · · Score: 5, Insightful

    If so, are they exploiting some vulnerability in XP that is never-to-be-patched?

    They are exploiting a vulnerability that is found in almost every operating system, and which has yet to be patched by any vendor. It's called "running a program". As the summary says:

    First, they gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware.

  3. This is small potatoes. by fahrbot-bot · · Score: 4, Funny

    If you want to steal BIG, you have to own the bank - just ask those guys on Wall Street.

    --
    It must have been something you assimilated. . . .