Authorities dismantle criminal gang that used malware to steal cash from ATMs

08.01.2016
Law enforcement authorities from Romania and the Republic of Moldova have broken up a gang of criminals that stole 200,000 euros from ATMs in the E.U. and Russia after infecting them with a malware program.

The program was first documented by researchers from antivirus vendor Kaspersky Lab in Oct. 2014 and is known as Tyupkin. It can be installed on ATMs though a bootable CD and forces the machine to dispense cash when receiving specific commands entered through the PIN pad.

Romanian authorities this week arrested eight people suspected of being directly involved in the operation. The suspects allegedly coordinated with individuals in the Republic of Moldova to identify potentially vulnerable ATMs that were in poorly protected areas and not enclosed in walls.

The attackers targeted primarily machines made by U.S.-based ATM manufacturer NCR that had a CD-ROM unit inside and whose protective front covers could be opened easily with a universal key. If an anti-tampering sensor was present, the attackers disabled it with duct tape, the Romanian Directorate for Investigating Organised Crimes and Terrorism (DIICOT) said.

Once the potential targets were identified, members of the gang returned during weekends, installed the malware from a CD and extracted cash from the compromised machines in batches of around $1,000 in local currency. After the fraudulent withdrawals, the malware was instructed to delete itself, leaving very few traces on the machines.

The gang hit ATMs in Romania, the Republic of Moldova, Hungary, the Czech Republic, Spain and Russia, according to DIICOT.

The Romanian Police and DIICOT cooperated in the investigation with law enforcement agencies from the Republic of Moldova and the U.K. They were also assisted by Europol and Eurojust.

Researchers from Symantec and F-Secure analyzed a very similar ATM malware program dubbed Padpin, that might actually be an alias for Tyupkin. In their reports they pointed out that Padpin, like Tyupkin, interacts with a particular Windows DLL library known as Extension for Financial Services (XFS) that's only present on ATMs.

Since Microsoft doesn't provide any public documentation on this library's functions, the F-Secure researchers speculated that the malware's creators might have been helped by a programmer’s reference manual from NCR that was leaked on a Chinese ebook site.

Tyupkin and Padpin are not the only ATM malware programs found by researchers. In October 2013 security researchers from Symantec warned about an ATM backdoor program dubbed Ploutus, which was used to steal money in Mexico.

In September last year, security firm FireEye found another ATM malware program dubbed Suceful, whose primary purpose is to lock people's cards inside ATMs and then release them to crooks on command. That same month, another malware program called GreenDispenser was found on ATMs in Mexico.

The attack technique where malware is used to force ATMs to dispense money is known as jackpotting and is something that security researchers first demonstrated back in 2010. With payment cards becoming increasingly hard to clone and abuse, the number of attacks that directly target ATMs might increase.

Lucian Constantin

Zur Startseite