
Hackers develop ATM malware: No Card..!! No PIN...!!

Following the security issues associated with Windows XP-driven ATMs after the operating system went end-of-life earlier in the year, it appears that criminals have moved in for the kill, developing malware specifically designed to exploit cash machines that still run the embedded operating system.

According to Kaspersky Lab, which has been working with Interpol on the issue, the malware - Tyupkin - allows criminals to gain cardless access to ATM funds using six-digit access codes.

Vicente Diaz, Kaspersky's principal security researcher, said that the fraud shows that criminals are improving their tactics and appear to be able to gain enough access to ATMs to install program code.

Kaspersky claims that the Tyupkin malware does not infect ATMs on its own, but must be installed via physical access to the device. The criminals are then able to check the number of notes in each of the ATM's cartridges and select the cartridge from which to draw up to 40 notes at a time.

Diaz says that, based on his observations, he strongly advises banks to review the physical security of their ATMs and network infrastructure.


Kaspersky discovered the existence of the malware during a forensic examination into attacks on ATMs, revealing the presence of Tyupkin, which allows attackers to empty the cash machines via direct manipulation.


The criminals behind the attack, says the security vendor, tend to work at night - usually only on Sundays and Mondays.


Without inserting a card into the ATM slot, they enter a combination of digits on the ATM's keyboard, make a call to receive further instructions from an operator, enter another set of numbers and the ATM starts giving out cash, after which they leave.


The attack operates in two stages. In the first, Kaspersky says, the criminals gain physical access to the ATM and insert a bootable CD to install the Tyupkin malware; the system is then rebooted and the machine becomes available for code-based withdrawals.


According to Kaspersky Lab, video footage obtained from security cameras at the infected ATMs revealed the methodology used to access cash from the machines. 

"A unique six-digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone," says the security vendor.

Sanjay Virmani, director of Interpol's digital crime centre, said that offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved - and informed - about current trends and modus operandi.

Countering the risk

To reduce the risk of a successful attack, Kaspersky and Interpol say that banks should review the physical security of their ATMs and consider investing in quality security solutions, fitting the units with alarms and replacing all locks plus master keys on the hood of the cash machines, as well as ditching the default settings provided by the manufacturer.

Rob Bamforth, a principal analyst with Quocirca, the business and IT analysis house, said that the arrival of the Tyupkin malware in the wild is a worrying development, but highlights the dangers of using outdated operating systems, even if they are used in embedded versions.

"More than anything I think it highlights the fact that there is a different set of security challenges associated with using an embedded version of an OS. Hardware systems using embedded OS technology have a lifespan far greater than conventional desktop computers. This causes problems in an industry where the security of a computer is based on the need to update and/or patch the operating system. With embedded OS-based systems, you don't normally have this option," he explained.

Bamforth went on to say that the key to success with this malware appears to centre on the criminals gaining physical access to the ATM.

"If you prevent physical access, then you have solved the security issue. The challenge for banks is that many of their ATMs, however, are located in places where the public - as well as the bank staff - have access. I think banks will have to look very seriously at the physical access issue if they are to counter this problem," he said.


I have also posted a video of Tyupkin in action:
