Last month, Forbes contributor Lee Mathews reported on the recent wave of ‘Jackpotting’ attacks on ATMs in the United States. Jackpotting is an attack in which a hacker installs malware on an ATM, causing it to spit out all its money.
Since legendary hacker Barnaby Jack demonstrated the ease of jackpotting at a Black Hat conference in 2010, people have been expecting such attacks to eventually hit the US.
With the US Department of Justice’s recent arrest of two men involved in this malfeasance on US soil, it’s now clear that jackpotting is a real threat here. The question remains, however: just how big?
Will hackers hit all the ATMs, or is it a simple matter to prevent further attacks? And why were ATMs still so vulnerable to this attack, eight years after jackpotting came to the attention of the ATM manufacturers as well as their customers?
And perhaps the most important question of all: what does the jackpotting trend mean for cybersecurity in general?
This story begins, as so many hacking stories do, on the Dark Web – hidden areas of the Internet where criminals do business.
A simple search on a malware portal turns up Cutlet Maker – the core malware package that instructs certain ATMs to spit out their dough. “Cutlet Maker requires almost no advanced knowledge or professional computer skills from the criminal,” reports Konstantin Zykov, developer and security researcher at Kaspersky Lab. “Cutlet Maker interacts with the ATM’s software and hardware, encountering almost no security obstacles at all.”
Zykov even has a theory about the malware’s odd name. “A Russian slang term ‘Cutlet’ (котлета) means ‘a bundle of money,’” he posits, “suggesting that the criminals behind the malware might be native Russian speakers.”
The creators of the malware sell their software on the Dark Web, but they also want a cut of the proceeds. They accomplish this via activation codes that they tie to ATM IDs. “The malware is very sophisticated,” explains Samir Agarwal, VP, Products and General Manager, Security and Endpoint at Accelerite. “The bad guys need an activation code for the malware to control the ATM’s cash dispenser, just like a license key for any legitimate software.”
The attackers work in pairs, typically targeting ATMs at retail locations, which tend to be less secure than ATMs at banks.
The first attacker dresses in a technician’s uniform complete with a fake identification badge, and opens the ‘top hat’ (exterior casing) of the ATM, typically with a crowbar. For some machines, they use an endoscope to find the ATM’s diagnostic port, where they plug in a flash drive.
In other cases, they simply remove the ATM’s hard drive, replacing it with a drive that contains the operating system for the ATM along with the malware. The attacker might also disable the antivirus on the ATM’s hard drive and install the malware on it before replacing it in the machine.
To avoid suspicion, the first hacker walks away from the ATM. A few minutes later, their accomplice, the ‘mule,’ approaches the machine. The first hacker remotely causes the ATM to dispense the cash – often tens of thousands of dollars – and the mule collects the money and walks away.
Once the mule has taken the cash, the first hacker resets the ATM to its normal operation.
From Cutlet Maker to Ploutus.D
The Secret Service recently identified similar malware it calls ‘Ploutus.D.’ “Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message. From there, the attackers can attach a physical keyboard to connect to the machine,” explains Daniel Regalado, Principal Security Researcher at ZingBox. “Ploutus makes it possible for criminals to obtain thousands of dollars in minutes.”
A recent advisory from ATM manufacturer NCR points out that all ATMs may be vulnerable. “NCR has received reports from the U.S. Secret Service and other sources of logical (jackpot) attacks on ATMs in the US,” the advisory says. “While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue.”
While NCR is not (yet) aware of hackers compromising its machines, the ATM malware affects certain models of Diebold Nixdorf ATMs – in particular, machines that haven’t been properly secured. “The attack mode involves a series of different steps to overcome security mechanisms and the authorization process for setting the communication with the dispenser,” explains a security alert from the manufacturer available on the Krebs on Security website. “This communication authorization needs to be used when the mainboard or the hard disk has to be exchanged for legitimate reasons.”
In many cases, hackers must switch hard drives in order to run Ploutus.D. “In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open,” the Diebold Nixdorf alert continues. “In order to initiate the dispenser communication, a dedicated button inside the safe additionally needs to be pressed and held. With the help of an extension, which is inserted into existing gaps next to the presenter, the button is depressed. According to customer CCTV footage the criminals use an industrial endoscope to achieve this.”
Diebold Nixdorf then recommends a number of commonsense countermeasures, including limiting access to the ATM, updating its firmware, monitoring its behavior for suspicious patterns – and perhaps most obviously, updating the operating system, as most compromised ATMs still run Windows XP.
The Bigger Picture
If jackpotting has been on the radar since 2010, and the fix can hinge on updating the ATM’s operating system, why are so many ATMs in this country still so vulnerable? “The ATM manufacturers do offer choices: physical security, encryption, etc.,” Accelerite’s Agarwal explains. “At the end of the day, it’s a question of cost.”
Banks are well-known for carefully balancing risks and the cost of mitigating them, as they do for credit card fraud – but in the case of jackpotting, independent ATM service companies or even the merchants themselves are responsible for the machines.
In such cases, installing monitoring software can be a useful deterrent. “Catch the attacker taking out the hard disk. A sensor would detect this and signal an automatic shutdown,” Agarwal says. “Rebooting the ATM would create another shutdown.”
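The countermeasures described in the two passages above (a sensor that catches the hard disk being removed and forces a shutdown, a shutdown that repeats if the machine is simply rebooted, and monitoring the ATM’s behavior for suspicious patterns) can be sketched as a small event monitor. The Python below is an added illustration, not code from the article, from Accelerite, or from any ATM vendor; the event names, the pairing of each cash dispense with an authorized transaction, the sliding-window dispense threshold and the three event streams are all constructed for the example.

```python
"""Tamper and behaviour monitor for an ATM (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed thresholds; a real deployment tunes these per site.
DISPENSE_WINDOW_SECS = 600       # sliding window for the dispense-rate check
DISPENSE_WINDOW_LIMIT = 100_000  # cents ($1,000) allowed inside one window


@dataclass
class Event:
    ts: int          # seconds since monitor start (constructed clock)
    kind: str        # case_open | disk_removed | boot | tech_clear | auth_withdrawal | dispense
    amount: int = 0  # cents; used by auth_withdrawal and dispense
    txn: str = ""    # transaction id linking an authorization to its dispense


@dataclass
class Monitor:
    tampered: bool = False                                 # sticky flag, survives reboot
    pending: Dict[str, int] = field(default_factory=dict)  # txn -> authorized cents
    recent: List[Event] = field(default_factory=list)      # dispenses inside the window
    alerts: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    def _shutdown(self, ts: int, reason: str) -> None:
        self.alerts.append(f"{ts}: {reason}")
        self.actions.append("shutdown")

    def handle(self, ev: Event) -> None:
        if ev.kind in ("case_open", "disk_removed"):
            # Physical tamper sensor: shut down at once and remember it.
            self.tampered = True
            self._shutdown(ev.ts, f"tamper sensor: {ev.kind}")
        elif ev.kind == "boot":
            # A reboot does not clear the lockout; the machine shuts down again.
            if self.tampered:
                self._shutdown(ev.ts, "boot while tamper lockout is set")
        elif ev.kind == "tech_clear":
            # Only an authenticated technician visit clears the lockout.
            self.tampered = False
            self.pending.clear()
            self.actions.append("lockout_cleared")
        elif ev.kind == "auth_withdrawal":
            self.pending[ev.txn] = ev.amount
        elif ev.kind == "dispense":
            self._check_dispense(ev)
        else:
            self.alerts.append(f"{ev.ts}: unknown event kind {ev.kind!r}")

    def _check_dispense(self, ev: Event) -> None:
        if self.tampered:
            self._shutdown(ev.ts, "dispense attempted while tamper lockout is set")
            return
        authorized: Optional[int] = self.pending.pop(ev.txn, None)
        if authorized is None:
            # Cash leaving the dispenser with no matching authorization is the
            # behavioural signature of a malware-commanded payout.
            self._shutdown(ev.ts, f"dispense of {ev.amount} cents with no authorized transaction")
            return
        if ev.amount > authorized:
            self._shutdown(ev.ts, f"dispense of {ev.amount} cents exceeds authorized {authorized}")
            return
        # Rate check over legitimately authorized dispenses in a sliding window.
        self.recent = [d for d in self.recent if ev.ts - d.ts < DISPENSE_WINDOW_SECS]
        self.recent.append(ev)
        total = sum(d.amount for d in self.recent)
        if total > DISPENSE_WINDOW_LIMIT:
            self.alerts.append(f"{ev.ts}: {total} cents dispensed within {DISPENSE_WINDOW_SECS}s")
            self.actions.append("hold_and_notify")


def run(events: List[Event]) -> Monitor:
    """Feed a time-ordered event list through a fresh Monitor and return it."""
    mon = Monitor()
    for ev in sorted(events, key=lambda e: e.ts):
        mon.handle(ev)
    return mon


# Constructed event streams (not real ATM logs).
NORMAL_DAY = [
    Event(10, "auth_withdrawal", 20_000, "t1"), Event(12, "dispense", 20_000, "t1"),
    Event(60, "auth_withdrawal", 40_000, "t2"), Event(62, "dispense", 40_000, "t2"),
]
JACKPOT_ATTEMPT = [
    Event(100, "case_open"),            # top hat pried open
    Event(130, "disk_removed"),         # hard drive pulled from the machine
    Event(400, "boot"),                 # machine rebooted after the tamper
    Event(420, "dispense", 2_000_000),  # $20,000 payout with no transaction behind it
    Event(900, "tech_clear"),
    Event(910, "boot"),
]
CASH_OUT_BURST = (
    [Event(i * 30, "auth_withdrawal", 30_000, f"b{i}") for i in range(5)]
    + [Event(i * 30 + 1, "dispense", 30_000, f"b{i}") for i in range(5)]
)

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_DAY), ("jackpot", JACKPOT_ATTEMPT), ("burst", CASH_OUT_BURST)):
        m = run(stream)
        print(name, m.actions, *m.alerts, sep="\n  ")
```

Running the three constructed streams through run() gives no alerts for the normal day; four shutdowns followed by lockout_cleared for the jackpot attempt, because the reboot at 400 s and the unauthorized dispense both hit the sticky tamper flag and the final reboot after the technician visit is clean; and two hold_and_notify actions for the burst of individually authorized withdrawals that together exceed the window limit. The sticky flag is the point of Agarwal’s “rebooting the ATM would create another shutdown”: the lockout lives outside the state that a hard-drive swap or reboot can reset.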
Banks, merchants, ATM manufacturers, and service companies must also understand their reputational risk. “Negative publicity is not good for any bank,” Agarwal points out. “Merchants who have ATMs on their premises also care about the bad publicity. Manufacturers and service companies see their images tarnished even if it is no fault of their own. Worse still, the consumer, while not directly impacted, is left with the fear if their data was somehow stolen.”
All of these parties must also understand that as targets go, ATMs appear to be high value to a certain class of criminal. Yet, while a fully stocked ATM might yield a $50,000 haul, compromising an endpoint on a corporate network might lead to tens of millions of dollars of losses.
ATMs, therefore, represent a ‘canary in a coal mine’ of sorts – a high value endpoint that attracts attacks. If a financial institution, say, cannot adequately protect its ATMs, then its overall enterprise cybersecurity is likely to be questionable. “If it could happen to an ATM, it could happen to other devices,” Agarwal points out.
Given the exploding number and variety of devices that connect to corporate networks today, the vulnerability of ATMs should be a wakeup call, as many such endpoints have weaker security than the machines that dispense cash. Don’t be fooled – a bagful of currency is small potatoes.