Eastern European cybercriminals have begun utilizing more sophisticated attacks targeting ATM machines, using malware that enables them to take money directly from a machine without having to steal legitimate credentials or create counterfeit cards. More than 50 machines have been identified as carrying the Tyupkin malware, according to researchers at Kaspersky Labs. The majority of the infected ATMs are located in Russia, but at least four of the compromised machines are inside the U.S., ThreatPost reported.
Multiple variants of the Tyupkin malware have been detected by researchers, each containing subtle advancements from the previous version. The most recent iteration includes anti-emulation and anti-debug features, as well as the ability to disable the application security software used by a certain vendor.
"The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently," said Vicente Diaz, principal security researcher for Kaspersky Labs' global research and analysis team.
Attack primitive, but effective
The ATMs targeted by the cybercriminal network were exploited individually, with attackers installing the malware onto each machine from a bootable CD. Once a machine is compromised, the malware waits for a specific sequence to be entered on its keypad. A unique code is generated during each session, ensuring that only the hackers responsible are able to trigger the attack and steal money. The keys used to access infected ATMs are derived from a random seed number and are supplied by the gang's ringleaders during each session. The malware only allows cash to be dispensed on Sunday and Monday afternoons, making the attacks harder to spot and ensuring a ringleader will be available to provide a keycode.
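The pattern described above, a cash dispense with no host-authorized card transaction behind it and confined to Sunday and Monday afternoons, is something an ATM operator can hunt for in the machine's own event journal. The following is an added detection example, not code from the article or from Kaspersky; the journal format, the 120-second authorization-to-dispense threshold and the 12:00 to 18:00 definition of "afternoon" are all assumptions, and the journal lines are constructed sample data.

```python
from datetime import datetime

# Constructed sample ATM event journal (not real data): ISO timestamp, event, details.
SAMPLE_JOURNAL = """\
2014-10-05T14:02:11 CARD_READ ****1234
2014-10-05T14:02:40 AUTH_OK ****1234 amount=100
2014-10-05T14:02:45 DISPENSE amount=100
2014-10-05T15:10:03 DISPENSE amount=400
2014-10-06T16:30:00 DISPENSE amount=400
2014-10-08T11:05:20 CARD_READ ****9876
2014-10-08T11:05:50 AUTH_OK ****9876 amount=60
2014-10-08T11:05:55 DISPENSE amount=60
"""

# Assumed threshold: a legitimate dispense follows a host authorization within this many seconds.
MAX_AUTH_TO_DISPENSE_SECONDS = 120
# Assumed definition of "afternoon" for the Sunday/Monday window the article describes.
AFTERNOON_HOURS = range(12, 18)


def parse_line(line):
    """Split one journal line into (datetime, event, remaining fields)."""
    ts, event, *rest = line.split()
    return datetime.fromisoformat(ts), event, rest


def in_tyupkin_window(ts):
    """True on Sunday (weekday 6) or Monday (weekday 0) afternoons."""
    return ts.weekday() in (6, 0) and ts.hour in AFTERNOON_HOURS


def find_unauthorized_dispenses(journal):
    """Return (timestamp, amount, in_window) for every dispense no recent authorization covers."""
    hits = []
    last_auth = None
    for line in journal.strip().splitlines():
        ts, event, rest = parse_line(line)
        if event == "AUTH_OK":
            last_auth = ts  # a host-approved withdrawal is now pending
        elif event == "DISPENSE":
            amount = int(rest[0].split("=")[1])
            covered = (last_auth is not None
                       and (ts - last_auth).total_seconds() <= MAX_AUTH_TO_DISPENSE_SECONDS)
            if not covered:
                hits.append((ts.isoformat(), amount, in_tyupkin_window(ts)))
            last_auth = None  # each authorization accounts for exactly one dispense
    return hits
```

Dispenses flagged with `in_window` set to True match the malware's operating schedule and are the ones to escalate first; the time check alone is not evidence, since legitimate withdrawals happen then too.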
Financial services firms are increasingly being targeted by cybercriminals interested in making a quick buck. Unfortunately, most of these companies do not have the manpower to dedicate the necessary resources toward monitoring systems for suspicious behavior that might indicate a data breach. Implementing a security information and event management solution allows companies to monitor traffic for any anomalous activity with the help of a third-party provider. SIEM service providers monitor enterprise networks around the clock and provide companies with activity analysis that can then be used to create a more robust and effective cybersecurity defense procedure in the future.