Hitting the Jackpot
It is more than ten years since the late hacker and cybersecurity researcher Barnaby Michael Douglas Jack demonstrated to an enraptured audience how he could compromise automatic teller machines. Jack’s presentation took place on July 28, 2010, at the Black Hat USA conference in Las Vegas. Unlike the famous slot machines of Las Vegas, the two ATMs on stage with Jack could be made to dispense cash until they were empty—every time. Reliably and repeatedly.
It’s fitting that the term jackpotting was coined in what is likely the world’s most famous gambling town. It’s used to describe attacks that target ATMs and empty them. The other common ATM attack is skimming, in which users’ PINs and the data from their cards are copied and used to create cloned cards.
Jackpotting is on the increase, resulting in tens of millions of dollars being lost each year. Hundreds of thousands of ATMs have been hit in Asia and Europe, and attacks are increasing in the U.S. Some estimates say ATMs of 100 different banks in 30 countries have been hit since 2016, netting the various threat actors in the region of $1 billion.
These large-scale operations are sophisticated. They require planning, surveillance, a small army of ground-troops or mules, some knowledge, some malware, and some equipment. Gone are the days when you chain the ATM to your truck and drive away with it.
Now you can use a Raspberry Pi.
The Modus Operandi
An ATM is effectively a computer in a strengthened enclosure linked to drawers full of money. Regrettably, the operating system inside the computer isn’t as hardened as the enclosure the computer sits in. Most run on Windows 7, although Windows XP is also common. These are outdated operating systems that should have been retired a long time ago. Their vulnerabilities are plentiful and well understood by cybercriminals.
Malware packages can be bought on the dark web to exploit the vulnerabilities in these operating systems and to interact with the ATM software. They have names like atmspitter, cutlet maker, green dispenser, fast cash, and pylon. Prices range from around $200 to $1,000, depending on the make and model of the ATMs you’re targeting. Some of the malware packs contain compromised proprietary software belonging to the ATM manufacturers.
You’ll also spend about $150 for the bits of equipment you’re going to need, including your Raspberry Pi.
Step 1: Where Are the Targets?
The ATMs in a city are mapped and studied. Good targets are the ones with high use, because these are loaded with the most money. Ideal targets are high-value ATMs in areas of poor or no surveillance.
Attacks are usually scheduled for days such as Black Friday or Valentine’s Day, when ATMs are loaded with up to 20 percent more money than usual. ATMs are also loaded with extra money in the weeks leading up to Christmas because many people will have received their annual or Christmas bonus in their pay.
Step 2: What Are the ATM Makes and Models?
Knowledge of the ATM hardware lets you buy the appropriate malware and the appropriate key to open the ATM enclosure. Some manufacturers put their name on the ATM somewhere, which makes identification easier. The big names in ATM manufacturing are Diebold Nixdorf, Wincor Nixdorf, NCR, Triton, and Hitachi-Omron.
Photographing the ATM lets you get assistance from dark web contacts or Google image search to determine the make and model. Once you know the makes and models of the ATMs you are going to compromise, you can search dark web markets—and even clear web outlets such as Alibaba and eBay—for ATM maintenance keys.
Prices for these start at $10 and rise to about $50. You’ll use the key to open the ATM and access the USB ports.
Step 3: Install Malware
The USB ports on ATMs are restricted and will only accept a connection from a keyboard or a mouse. This is to allow servicemen to perform maintenance on the units. You will have loaded the malware onto your Raspberry Pi, and obtained a battery so that it can run as a portable unit.
The malware is written in a way that convinces the ATM that the Raspberry Pi is a keyboard. Stored commands tumble out of the Raspberry Pi into the ATM, and the ATM dutifully follows them.
Step 4: Jackpot
It’s possible to cause an ATM to spit out banknotes at a rate of 40 bills in 20 or so seconds, or roughly 120 in a minute. If they’re $100 bills, that’s $12,000 per minute.
Jackpot indeed.
Variations on a Theme
Large-scale jackpotting hits many ATMs at once, which means you need to have a lot of people on the streets performing these attacks and bringing you the money. These are the cheap mules at the lower end of the criminal spectrum. With a bit of coaching and training, these low-level operatives are capable of doing the physical side of the attack, and the malware does the rest.
It’s cheaper to equip a mule with a Raspberry Pi than a laptop, and a Raspberry Pi is easier to conceal on your person. Sometimes the Raspberry Pi is fitted with a $70 Global System for Mobile Communications (GSM) receiver so that it accepts commands via SMS text message.
Another variant is to insert a USB memory stick into the ATM and reboot it off an operating system in the memory stick. When the ATM has booted, you can install the malware directly into the ATM’s currently dormant operating system. When you reboot the ATM using its regular operating system you can control the malware by inserting a specially created card, or via a secret key combination on the ATM’s keypad.
ATMs contain remote access software so that they can be supported and maintained remotely. If you can compromise this software, you can control your collection of zombie ATMs remotely. All your mules have to do is be at the right place at the right time to pick up the money.
We Don’t Know The True Scale
There’s a belief that a lot of ATM theft goes unreported, so we don’t really know the true scale of the problem. We do know two things, however. The first is that the jackpotting we do know about is already massive. The second is, it’s going to continue to grow.
Until the ATM manufacturers take ATM security seriously, cybercriminals are going to view ATMs as boxes full of money just waiting to be emptied.