Authorities dismantle criminal gang that used malware to steal cash from ATMs

The gang installed the malware program through the CD-ROM unit present in ATMs made by NCR

Law enforcement authorities from Romania and the Republic of Moldova have broken up a gang of criminals that stole 200,000 euros from ATMs in the E.U. and Russia after infecting them with a malware program.

The program was first documented by researchers from antivirus vendor Kaspersky Lab in Oct. 2014 and is known as Tyupkin. It can be installed on ATMs though a bootable CD and forces the machine to dispense cash when receiving specific commands entered through the PIN pad.

Romanian authorities this week arrested eight people suspected of being directly involved in the operation. The suspects allegedly coordinated with individuals in the Republic of Moldova to identify potentially vulnerable ATMs that were in poorly protected areas and not enclosed in walls.

The attackers targeted primarily machines made by U.S.-based ATM manufacturer NCR that had a CD-ROM unit inside and whose protective front covers could be opened easily with a universal key. If an anti-tampering sensor was present, the attackers disabled it with duct tape, the Romanian Directorate for Investigating Organised Crimes and Terrorism (DIICOT) said.

Once the potential targets were identified, members of the gang returned during weekends, installed the malware from a CD and extracted cash from the compromised machines in batches of around $1,000 in local currency. After the fraudulent withdrawals, the malware was instructed to delete itself, leaving very few traces on the machines.

The gang hit ATMs in Romania, the Republic of Moldova, Hungary, the Czech Republic, Spain and Russia, according to DIICOT.

The Romanian Police and DIICOT cooperated in the investigation with law enforcement agencies from the Republic of Moldova and the U.K. They were also assisted by Europol and Eurojust.

Researchers from Symantec and F-Secure analyzed a very similar ATM malware program dubbed Padpin, that might actually be an alias for Tyupkin. In their reports they pointed out that Padpin, like Tyupkin, interacts with a particular Windows DLL library known as Extension for Financial Services (XFS) that's only present on ATMs.

Since Microsoft doesn't provide any public documentation on this library's functions, the F-Secure researchers speculated that the malware's creators might have been helped by a programmer’s reference manual from NCR that was leaked on a Chinese ebook site.

Tyupkin and Padpin are not the only ATM malware programs found by researchers. In October 2013 security researchers from Symantec warned about an ATM backdoor program dubbed Ploutus, which was used to steal money in Mexico.

In September last year, security firm FireEye found another ATM malware program dubbed Suceful, whose primary purpose is to lock people's cards inside ATMs and then release them to crooks on command. That same month, another malware program called GreenDispenser was found on ATMs in Mexico.

The attack technique where malware is used to force ATMs to dispense money is known as jackpotting and is something that security researchers first demonstrated back in 2010. With payment cards becoming increasingly hard to clone and abuse, the number of attacks that directly target ATMs might increase.

Join the CSO newsletter!

Error: Please check your email address.

More about EuropolFireEyeF-SecureKasperskyMicrosoftSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place