After years of warnings, ATM jackpotting strikes the US
Way back in 2010, computer hacker Barnaby Jack first raised the specter of ATM logical attacks, informally called “jackpotting,” in a demonstration at the annual Black Hat conference in Las Vegas.
Nearly eight years later, jackpotting in its many forms has popped up in various places around the globe — Japan, Taiwan, Thailand, at least four countries in western Europe, and various parts of Latin America (particularly Mexico).
According to a report by Reuters, the list also includes Armenia, Belarus, Britain, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, the Netherlands, Poland, Romania, Russia and Spain.
But one place that’s never made the hit list is the United States. Until now, that is.
Not that anyone assumed America was immune. Authorities have predicted since at least 2013 that someone would eventually tweak the Ploutus malware used on ATMs in Mexico for application north of the border.
And now it appears that someone has.
In an alert dated Friday, Jan. 26, Diebold Nixdorf reported, “[W]e were informed by U.S. authorities about potential jackpotting attacks moving from Mexico to the United States within the next days.”
The alert went on to say that the modus operandi for attacks in the U.S. was consistent with the MO of attacks carried out last October in Mexico, and described those attacks in detail:
In this attack vector, the top hat of the terminal is opened in order to execute different activities based on the currently known information.
The original hard disk of the terminal is removed and replaced by another hard disk, which has been prepared by the criminals before the attack and also contains an unauthorized and/or stolen image of ATM platform software.
In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. As a preparation a cable is unplugged to manipulate the sensor state to allow the pairing functionality to become available.
In order to initiate the dispenser communication, additionally, a dedicated button inside the safe needs to be pressed and held. With the help of an extension, which is inserted into existing gaps next to the presenter, the button is depressed. According to customer CCTV footage the criminals use an industrial endoscope to achieve this.
It’s not the swiftest or simplest setup. Which is why criminals target off-premises drive-through and standalone machines. In some cases, they have even masqueraded as ATM technicians on the job in order to escape notice.
Once the procedure described above has been carried out, the fraudsters have complete control of the ATM. At this point, gang leaders can send instructions from any remote location telling the ATM to dispense all of its cash, while a low-level money mule stands at the ATM to collect the money.
Currently, this method is effective only on Diebold Nixdorf front-load AFD-based Opteva machines. Theoretically, rear-loaded machines could be at risk, as well, but they would be “extremely difficult to attack with this MO,” the Diebold Alert said.
However … before heaving a sigh of relief that their ATMs are not affected by the current threat, deployers should consider that criminals are highly adaptive and opportunistic.
Indeed, security firm FireEye observed in a recent blog that the Ploutus-D malware seen in recent jackpotting attacks would require only minimal recoding in order to target 40 different ATM vendors in 80 countries.
NCR Corp., for one, is urging its customers not to take that chance. The company sent out its own alert on Jan. 26, advising that the Secret Service advisory “should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”
Diebold and NCR have both issued guidelines to help customers secure all of their ATMs against malware threats (see sidebars). Both also have said that they will address the issue in greater detail during February webinars.
ATM Marketplace also contacted Nautilus Hyosung to learn what measures the company is taking in light of the newly emerged U.S. malware threat, but as of publication, has not received information about its prevention and mitigation plans.