Attackers unlock the ATM case, possibly with a default master key, and use a bootable CD to infect the machine with the Tyupkin malware, Kaspersky Lab researchers said in a post on SecureList Tuesday. The malware is designed to accept commands in the middle of the night on Sundays and Mondays and to stay quiet the rest of the week, making it difficult to detect.
Malware's Path

Once the malware is loaded onto the ATM, attackers can see how much money is still in the cassettes in the machine. The attacker has to be physically in front of the ATM to enter a six-digit PIN specially generated by the malware in order to withdraw money. They can take up to 40 bills at a time without having to swipe an ATM card or enter any account information, Kaspersky Lab said. Approximately 50 machines have been infected this way, according to the report, which was part of a joint investigation with Interpol.
"A unique six-digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone," according to the blog post.
Interestingly, if the wrong key is entered, the malware disables the entire network. Kaspersky researchers were not sure why the network was disabled. It could be a way to delay remote investigators from analyzing the malware.
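Because the withdrawals described above happen without a card swipe or account data, one defensive check is to reconcile every dispense event in the ATM journal against a card authorization. The following is an added example, not code from Kaspersky Lab or the original article; the journal format, the two-minute authorization window and the 00:00-04:59 reading of "middle of the night" are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample journal (hypothetical format, not a real ATM log):
# timestamp, atm_id, event, txn_id, notes_dispensed
SAMPLE = """\
2014-10-05T14:02:10,ATM-01,CARD_AUTH,T1001,0
2014-10-05T14:02:31,ATM-01,DISPENSE,T1001,5
2014-10-06T02:13:44,ATM-01,DISPENSE,,40
2014-10-06T02:15:02,ATM-01,DISPENSE,,40
2014-10-08T11:20:00,ATM-02,CARD_AUTH,T2001,0
2014-10-08T11:29:00,ATM-02,DISPENSE,T2001,10
"""

AUTH_WINDOW = timedelta(minutes=2)  # assumed max gap between auth and dispense
NIGHT_HOURS = range(0, 5)           # assumption: "middle of the night"
QUIET_DAYS = (6, 0)                 # Sunday, Monday (datetime.weekday values)


def find_unbacked_dispenses(journal_text):
    """Return dispense events that no recent card authorization explains."""
    auths = {}     # (atm_id, txn_id) -> time of authorization
    findings = []
    for row in csv.reader(io.StringIO(journal_text)):
        if not row:
            continue  # tolerate blank lines in the journal
        ts, atm, event, txn, notes = row
        when = datetime.fromisoformat(ts)
        if event == "CARD_AUTH":
            auths[(atm, txn)] = when
        elif event == "DISPENSE":
            auth_time = auths.get((atm, txn)) if txn else None
            if auth_time and timedelta(0) <= when - auth_time <= AUTH_WINDOW:
                continue  # normal card-backed withdrawal
            findings.append({
                "atm": atm,
                "time": when,
                "notes": int(notes),
                "reason": "no_txn_id" if not txn else "no_recent_auth",
                # True when the event falls in the window the article reports
                "night_window": when.weekday() in QUIET_DAYS
                                and when.hour in NIGHT_HOURS,
            })
    return findings


if __name__ == "__main__":
    for f in find_unbacked_dispenses(SAMPLE):
        print(f)
```

A dispense flagged with `night_window` set is the highest-priority case for physical inspection of the machine.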