Jackpotting ATMs: Here it comes again

ATMs over the years have been seen throughout the communities at the banks and credit unions. These however are now seen in several forms of retail establishments (convenience stores, grocery stores, malls, etc.) and in the workplace for the convenience of the consumers. The first ATMs were implemented in 1967 at a Barclays Bank branch in London (Kochetova, 2016). With the vast number of these located across the planet, all loaded with money, the attackers have decided to work at breaching these for profit.

History

The attacks on ATMs are not a new phenomenon. These attempts have been recorded for at least a decade. In 2010 at Black Hat there was a demonstration on the methodology to jackpot on ATM machine. In this instance the demonstrator showed the methods to gain admin privilege and issue the command for it to liberate all of its cash (ATMequipment, 2010).

Another presentation by Barnaby Jack also at Black Hat first demonstrated how to open an ATM, plug in a USB, and restarting the ATM. This attack was not complex or difficult. A second attack bypassed the authentication process remotely. A rootkit was installed, and the ATM machine was pwned (Dirro, 2010; Zetter, 2010).

A later attack involved jackpotting ATMs by only using the keypad. This attack was done over 18 months in the Nashville, TN area. The attackers fraudulently collected over $400K in other people’s money. They were caught and will spend a great deal of time at the hospitable jail. With the lure of easy money, this is not unusual.

Recent Attack

Over the last six years, after the security had improved, the incidents of ATM attacks had decreased to a not significant level. This was mostly done by people just being curious an not breaching the machine.

That was, until recently. There was a theft of over $2M from ATMs with fraudulent withdrawals in Taiwan. As this had not happened for years, the authorities had no idea of the method it was perpetrated. From the camera recording, it was seen that the thefts were done without a card being inserted into the machine (Ducklin, 2016). At this point, the machine was jackpotted. The people gathering the cash wore masks, making identification exceptionally difficult at best. As the investigation continued, it became known that this was done by at least two Russian nationals. At first glance, it appeared the attackers used malware downloaded by the ATM.

Further research indicated the parties involved were from Infocube, a security firm located in Russia, and a gang focused on cybercrime, Carbanack (Cluley, 2016). Carbanack is a familiar name in certain circles. They have been accused of fraudulently acquiring over $200M. In other attacks, they have used e-payment systems and installed malware on the infrastructure the ATMS operate on.

These suspects were located and arrested (Abel, 2016). One was located in northeast Taiwan and two were in Taiwan’s capital of Taipei. There were also 13 others, who had fled the country, who were also implicated. Fortunately over half of the money was recovered. The process used to place the malware on the system for this attack in unknown. This attack on the network (Gray, 2016) will be investigated further.

One thing is certain. if there is money available, those with malicious intent will try to get it.

References

Abel, R., (2016, July 19). Three arrested in £1.8 mil ($2.5M) Taiwanese ATM malware heist. Retrieved fromhttp://www.scmagazineuk.com/three-arrested-for-alleged-using-malware-to-snag-18mil-from-taiwanese-atms/article/510195?DCMP=EMC-SCUK_Newswire&spMailingID=14995005-spUserID=NTAzOTUzM

ATMequipment. (2010, August 3). Hantle (formerly Tranos) ATM machines. Retrieved from http://atmequipment.com/News/Technical-Bulletin-Jackpotting-ATM-Machines

Cluley, G. (2016, July 20). Russian security firm linked to cybercrime gang. Retrieved from https://www.grahamcluley.com/2016/07/russian-security-firm-linked-cybercrime-gang/

Dirro, T. (2010, July 28). Remote jackpot: Hacking ATMs. Retrieved from https://blogs.mcafee.com/mcafee-labs/remote-jackpot-hacking-data/

Ducklin, P. (2006, July 18). Mystery surrounds $2M ATM “jackpotting” attack in Taiwan. Retrieved fromhttps://nakedsecurity.sophos.com/2016/07/18/mystery-surrounds-2m-atm-jackpotting-attack-in-taiwen

Durden, T. (2014, November 16). “ATM jackpotting” exposed-It’s not just the fed that spits out free money. Retrieved fromhttp://www.zerohedge.com/news/2014/11-16/atm-jackpotting-exposed-its-not-just-fed-spits-out-free-money

Gray, P. (2016, July 21). Risky.biz #419—Brian krebs on future of bank cybecrime. Retrieved from http://risky.biz/RB419

Kochetova, O. (2016, April 26). Malware and non-malware ways for ATM jackpotting. Retrieved from https//:securelist.com/analysis/publications/74533/malware-and-non-malware-ways-for-atm-jackpotting-extended-cut/

Krebs, B. (2014, October 20). Spike in malware attacks on aging ATMs. Retrieved from http://krebsonsecurity.com/2014/10/spike-in-malware-attacks-on-aging-atms/

Krebs, B. (2015, January 6). Thieves jackpot ATMs with ‘Black Box’ attack. Retrieved from http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack

Roger, J. (n.d.). Jackpotting ATM machines courtesy of the jolly roger jackpotting was done rather successfully. Retrieved fromhttp://skepticfiles.org/new/068doc.html

Wikipedia. (2016, July 15). Security of automated teller machines. Retrieved from https://en.wikipedia.org/wiki/Security_of_Automated_Teller_Machines

Zetter, K. (2010, July 28). Researcher demonstrates ATM ‘jackpotting’ at black hat conference. Retrieved fromhttps://www.wired.com/2010/07/atms-jackpotted/

****

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.