The Russian Ministry of Internal Affairs, together with the Federal Security Service, are taking steps to try and locate a criminal cyber-group specialising in robbing ATMs using the Tyupkin computer malware.
The criminals work in two stages. First, they get physical access to the ATMs and insert a bootable CD to install the malware – code named Tyupkin by Kaspersky Lab which discovered the exploit last year. After they reboot the system, the infected ATM is under their control.
Kaspersky reports on its website how the scam works and has produced a video on its operation.
Following successful infection, the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours the attackers are able to steal money from the infected machine.
When the combination key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. After this the ATM dispenses 40 banknotes at a time from the chosen cassette.
Alexander Vurasko, an official spokesman of the department of investigation of cyber-crimes at the Russian Ministry of Internal Affairs told SCMagazineUK.com that, in addition to being used in Russia, the Tyupkin virus has also been used for to rob ATMs around the world, including in EU states as well as in the US and China.
He added that most of attacks are achieved thanks to the widespread use of Microsoft's XP operating systems in ATMs. The virus has several variations which include skimming capabilities, being able to read data from card magnetic stripes, and saving PIN-codes.
Analysts at Russian-based international security software company Kaspersky Lab believe that Tyupkin and other similar viruses may soon replace traditional skimming.
Ruslan Stoyanov, head of department of investigations of computer incidents of Kaspersky Lab, has said that Tyupkin represents a more progressive technology for the crooks, and that it can dramatically reduce the number of different actions and transactions needed to steal large amounts of cash.
He has also added that the use of the virus helps criminals so that they don't need to transfer money from the card to other accounts and create fake companies and have the authorities chase the money through their accounts.
Amid this ever-growing threat of the malware's spread, many Russian banks are taking measures to strengthen their IT security, as well as increase the security of their ATMs, with the aim of preventing an unauthorised access.
IT analysts at Russian Izvestia business paper, citing on Edward Ahunyanov, head of the department payment systems of the Russian Bank of Settlements and Savings, one of Russia's leading banks, told SCMagazineUK.com that the malware is a typical Trojan, commenting: “There is also a threat that such malware may result in information leakage. Part of our plans are to change the locks and to modify the programs. In addition, we plan to tighten control over the keys, cash-in-transit couriers and educate the technical service staff of our bank about the threat.”
According to Andrey Lyushin, deputy chairman of Loco-bank, another leading Russian bank, the use of such high-tech theft methods is unusual in the Russian banking sector. He adds that the bank will need another one to two months to implement countermeasures against this malware.