Europol dismantles ATM malware gang

Europol and Romanian prosecutors have dismantled a criminal group that used the ATM malware known as Tyupkin (also called Padpin) to carry out what are now commonly called "jackpotting" attacks. The malware was first analysed by Kaspersky Lab in 2014, after it was found on more than 50 machines in Eastern Europe. It is notable for allowing its operators to withdraw cash from ATMs without a card.
Romania's Directorate for Investigating Organised Crime and Terrorism (DIICOT) stated that the arrested individuals are suspected of forming an organised criminal group, illegally accessing computer systems, committing computer fraud, disrupting information systems, altering data integrity, illegally operating devices and software, and destroying property.
The suspects, residents of Romania and the Republic of Moldova, are alleged to have caused damage of approximately $217,000. According to Romanian prosecutors, the group, led by Moldovan national Solozabal Cuartero Rodion and Romanian national Mihaila Sorin, targeted ATMs in several European countries, primarily Romania, Hungary, the Czech Republic, Spain and Russia.


In the first phase of the attack, carried out on weekdays, members of the group scouted for ATMs, specifically 24-hour cash machines that could be physically tampered with. Having selected an ATM, they opened it to gain access to its CD-ROM drive, through which the malware was installed, and disabled the existing alarm systems with duct tape. Malware planted on a weekday was activated at the weekend: once it was in place, the group sent commands to it, instructing the machine to dispense cash.

Rather than emptying a machine in one go, the group dispensed the cash in small transactions of about $1,000 each. Once the machine had dispensed all of its cash, the malware removed itself. Because these attacks cause serious harm to ATMs and their operators, the European ATM Security Team (EAST) and Europol published guidelines last year to help law enforcement and the industry counter the threat. In September, security firms reported two new malware families: GreenDispenser, which like Tyupkin uses the machine's PIN pad to empty the vault, and Suceful, which captures the cards that cardholders insert into infected ATMs.
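The pattern described above has a simple detective signature: cash leaves the dispenser with no card session and no host authorization to account for it, in repeated fixed-size bursts, typically out of hours. The following is an added example, not code from the article or from Europol, Kaspersky or any ATM vendor: it reconciles a constructed ATM event journal (the line format and the ATM ids are hypothetical) against host authorizations and flags every dispense that no authorized transaction covers. Real ATM journals and switch logs differ by vendor, so the parser is the part to adapt.

```python
"""Flag cash dispenses in an ATM event journal that no host-authorized
card transaction accounts for (the 'cardless' signature of jackpotting).

Constructed example. The journal format below is hypothetical:
    <ISO timestamp> <atm id> <event> <amount or '-'>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample journal: one legitimate withdrawal on ATM-0412 on a
# Saturday morning, three unauthorized $1,000 dispenses on ATM-0412 early on
# Sunday (no CARD_INSERT, no HOST_AUTH), and one legitimate withdrawal on
# ATM-0377. 2015-10-17 is a Saturday, 2015-10-18 a Sunday.
SAMPLE_JOURNAL = """\
2015-10-17T10:05:01 ATM-0412 CARD_INSERT -
2015-10-17T10:05:20 ATM-0412 HOST_AUTH 200
2015-10-17T10:05:24 ATM-0412 DISPENSE 200
2015-10-17T10:05:30 ATM-0412 CARD_EJECT -
2015-10-18T02:11:03 ATM-0412 DISPENSE 1000
2015-10-18T02:11:48 ATM-0412 DISPENSE 1000
2015-10-18T02:12:31 ATM-0412 DISPENSE 1000
2015-10-18T09:30:02 ATM-0377 CARD_INSERT -
2015-10-18T09:30:19 ATM-0377 HOST_AUTH 100
2015-10-18T09:30:22 ATM-0377 DISPENSE 100
2015-10-18T09:30:27 ATM-0377 CARD_EJECT -
"""


def parse_journal(text):
    """Parse the hypothetical journal format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, event, amount = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "atm": atm,
            "event": event,
            "amount": None if amount == "-" else int(amount),
        })
    return events


def find_unauthorized_dispenses(events):
    """Return one alert per DISPENSE that is not covered by a HOST_AUTH
    inside the current card session on the same ATM.

    State is kept per ATM: whether a card session is open, and how much the
    host has authorized in that session but the dispenser has not yet paid
    out. A DISPENSE outside a session, or exceeding the authorized balance,
    is the cardless pattern the article describes.
    """
    in_session = defaultdict(bool)   # atm -> card session open?
    pending = defaultdict(int)       # atm -> authorized, not yet dispensed
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        atm, kind = e["atm"], e["event"]
        if kind == "CARD_INSERT":
            in_session[atm] = True
            pending[atm] = 0
        elif kind == "HOST_AUTH":
            pending[atm] += e["amount"]
        elif kind == "DISPENSE":
            if in_session[atm] and pending[atm] >= e["amount"]:
                pending[atm] -= e["amount"]
            else:
                alerts.append({
                    "atm": atm,
                    "ts": e["ts"],
                    "amount": e["amount"],
                    # weekday() >= 5 is Saturday/Sunday: the window the
                    # article says the malware was activated in.
                    "weekend": e["ts"].weekday() >= 5,
                })
        elif kind == "CARD_EJECT":
            in_session[atm] = False
            pending[atm] = 0
    return alerts


def summarize_by_atm(alerts):
    """Total unauthorized cash per ATM, for prioritising a physical check."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["atm"]] += a["amount"]
    return dict(totals)


if __name__ == "__main__":
    found = find_unauthorized_dispenses(parse_journal(SAMPLE_JOURNAL))
    for a in found:
        print(f'{a["atm"]} {a["ts"].isoformat()} unauthorized dispense '
              f'{a["amount"]} weekend={a["weekend"]}')
    print(summarize_by_atm(found))
```

On the constructed journal this reports the three Sunday dispenses on ATM-0412 and a total of 3,000 for that machine, and nothing for ATM-0377. The check depends on having both the dispenser-side event log and the host authorization record for the same ATM; a machine whose journal shows dispenses the host never authorized warrants a physical inspection of the cabinet, the CD-ROM drive and the alarm sensors before the next weekend.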
