Tyupkin ATM malware is an evolution from skimmers

Oct 12, 2014 20:05 GMT

ATM customers have been the victims of many types of fraud, and new forms keep appearing that improve on the older methods either in efficiency or in evading detection.

The most common method used today is called skimming, but after years of successful use it may soon be replaced by a different, more aggressive and direct type of attack, one that targets not the account holder but the bank itself.

Common method affects the customer of the bank

ATM skimming is a widespread fraudulent practice that involves placing a reading device over the card slot of the cashpoint and recording the data on the card's magnetic stripe. The collected information is then used to clone the cards, which are used for shopping online; the purchased goods are then sold.

In a more elaborate scheme, criminals also mount small video cameras to record the PIN code, allowing them to extract cash from an ATM directly using the cloned card. Similarly, fake keypads have been used for the same purpose.

Other methods exist for stealing debit card information, one example being a fake facade that covers the entire ATM rather than just parts of it.

New trend affects the bank directly

Such methods have been very successful, keeping law enforcement busy cracking down on criminal rings engaged in these fraudulent activities all over the world.

However, a new trend has emerged that creates a shortcut to illegally obtaining money, and it requires little planning: infecting the ATM with malware that dispenses banknotes directly from the machine’s cash cassettes, without the need for a card or other fraudulent props.

To pull this off, the criminals need to gain physical access to the computer system inside the cashpoint in order to load the malicious software. After that, viewing the banknotes available and extracting them is just a matter of accessing the malware’s menu and selecting the denomination of the notes to be dispensed.

Multiple ATM jobs can be pulled in one night

Reports of this kind of attack have become more frequent lately, with incidents identified in Malaysia and Russia. The resulting financial loss is estimated at millions of dollars, and in both cases the criminals used the same piece of malware: Tyupkin, also known as Padpin.

Stealing from the ATMs this way could be likened to a modern-day Bonnie and Clyde robbery in terms of boldness, but without all the violence and the bloodshed.

With Tyupkin/Padpin, criminals are able to empty the cash from multiple machines in one night. The only resistance encountered would be the physical security of the ATM itself. The targeted machines are typically in dimly lit locations that help conceal the attackers' activity.

Physical attacks on cashpoints see an increase

Vicente Diaz, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, said that Tyupkin was a natural step in the evolution of malicious software after the use of card skimming devices.

The attackers take advantage of the lack of security measures and open the ATM to reach its CD-ROM drive. They then install the malware from a CD, gaining access to information about the funds available for withdrawal.

Money mules are often used for these jobs, and to make sure the mules cannot run the operation on their own, the malware authors added some precautions.

Accessing the options in the menu, as well as withdrawing the money, is protected by a session key that must be generated from a seed by someone who knows the algorithm. The seed is displayed on the ATM’s screen and communicated by phone to the person who can generate the access key, who is at a different location.

Diaz said that “this kind of operation is becoming usual, such as when cashing out as a result of stealing credit card credentials.”

“They are international, well-coordinated and quick: the result usually is millions of dollars stolen in a few hours,” he added via email.

According to online sources, Tyupkin/Padpin and similar threats have been used for a string of robberies from cashpoints in Malaysia, Mexico and Ukraine. Kaspersky reported a robbery spree that affected Russia, and its telemetry data showed that the malware was also present on computers in the US, India, China, Israel and France.

However, the security vendor's information about the infection is limited: because it comes from consumer security products, it does not reflect how the malware is distributed on ATMs.

Better protection of cash machines may prevent more complex attacks

The threat potential in the case of Tyupkin/Padpin and the like is greater than just simply stealing from cashpoints, Diaz told us.

Apart from the possibility of exfiltrating card data and PINs, which was the goal of the old skimming technique, this could be the basis of more sophisticated attacks in the future. However, the researcher declined to comment further so as not to give ideas to cybercriminals.

Given that a cyber-intrusion into an ATM is a far more lucrative business, crooks may start targeting machines that are insufficiently protected.

Banks can take some steps to mitigate this risk: avoiding the use of default keys and locks, along with installing an alarm system on the machine, both increase protection.

All this, coupled with a monitored environment with plenty of light, would make crooks think twice about robbing a machine.

On the other hand, senior security researcher at Malwarebytes, Jean-Philippe Taggart, said that "the larger issue is that the banks still do risk analysis and fraud budgets to evaluate if the problem needs immediate attention, rather than addressing the problem from the get go."

What this suggests is that upgrading security for the ATMs depends on cost analysis and action will be taken if "this type of attack is costing them [the banks] enough to warrant it," Taggart said.