How’s this for easy money? Cybersecurity researchers warn a secret code can make any ATM start spitting out money without even needing to read a bank card.
Kaspersky Lab has reported that software containing a complex trojan virus is somehow being physically uploaded to ATM machines, allowing criminals to steal millions of dollars. Called Tyupkin, the malware allows a person to walk up to an infected machine, access a few hidden menus, input a secret passphrase, and hope they brought a big enough sack to carry off the loot.
Investigators found that Tyupkin was was capable of executing a number of sophisticated operations. Installed using a bootable CD, the trojan’s first order of business is to disable the McAfee antivirus software, often ATMs’ only defense against such malicious code. It can also disable local network connections, preventing a bank, for instance, from discovering the security breach. And it’s capable of entering a “standby mode,” activating itself only on certain nights, to help avoid detection.
Tyupkin has been deployed primarily on Russian and Eastern European ATMs, but at least some machines in the U.S., Israel, China, France, India, and Malaysia have also fallen victim. “Although one can only dispense 40 banknotes per transaction, it’s possible to dispense any amount of money by simply performing the actions several times over,” Kaspersky’s Alex Savitsky wrote.
Global Research and Analysis Team (GReAT) researchers warn that, while only certain ATM models are vulnerable now, if banks and manufacturers don’t take immediate action, the exploit is likely to spread to others.