Menu
Authorities dismantle criminal gang that used malware to steal cash from ATMs

Authorities dismantle criminal gang that used malware to steal cash from ATMs

The gang installed the malware program through the CD-ROM unit present in ATMs made by NCR

Law enforcement authorities from Romania and the Republic of Moldova have broken up a gang of criminals that stole 200,000 euros from ATMs in the E.U. and Russia after infecting them with a malware program.

The program was first documented by researchers from antivirus vendor Kaspersky Lab in Oct. 2014 and is known as Tyupkin. It can be installed on ATMs though a bootable CD and forces the machine to dispense cash when receiving specific commands entered through the PIN pad.

Romanian authorities this week arrested eight people suspected of being directly involved in the operation. The suspects allegedly coordinated with individuals in the Republic of Moldova to identify potentially vulnerable ATMs that were in poorly protected areas and not enclosed in walls.

The attackers targeted primarily machines made by U.S.-based ATM manufacturer NCR that had a CD-ROM unit inside and whose protective front covers could be opened easily with a universal key. If an anti-tampering sensor was present, the attackers disabled it with duct tape, the Romanian Directorate for Investigating Organised Crimes and Terrorism (DIICOT) said.

Once the potential targets were identified, members of the gang returned during weekends, installed the malware from a CD and extracted cash from the compromised machines in batches of around $1,000 in local currency. After the fraudulent withdrawals, the malware was instructed to delete itself, leaving very few traces on the machines.

The gang hit ATMs in Romania, the Republic of Moldova, Hungary, the Czech Republic, Spain and Russia, according to DIICOT.

The Romanian Police and DIICOT cooperated in the investigation with law enforcement agencies from the Republic of Moldova and the U.K. They were also assisted by Europol and Eurojust.

Researchers from Symantec and F-Secure analyzed a very similar ATM malware program dubbed Padpin, that might actually be an alias for Tyupkin. In their reports they pointed out that Padpin, like Tyupkin, interacts with a particular Windows DLL library known as Extension for Financial Services (XFS) that's only present on ATMs.

Since Microsoft doesn't provide any public documentation on this library's functions, the F-Secure researchers speculated that the malware's creators might have been helped by a programmer’s reference manual from NCR that was leaked on a Chinese ebook site.

Tyupkin and Padpin are not the only ATM malware programs found by researchers. In October 2013 security researchers from Symantec warned about an ATM backdoor program dubbed Ploutus, which was used to steal money in Mexico.

In September last year, security firm FireEye found another ATM malware program dubbed Suceful, whose primary purpose is to lock people's cards inside ATMs and then release them to crooks on command. That same month, another malware program called GreenDispenser was found on ATMs in Mexico.

The attack technique where malware is used to force ATMs to dispense money is known as jackpotting and is something that security researchers first demonstrated back in 2010. With payment cards becoming increasingly hard to clone and abuse, the number of attacks that directly target ATMs might increase.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments