ATM "jackpotting" is the exploitation of physical and software vulnerabilities in an ATM that results in the machine dispensing cash. These attacks can happen at any time and typically take very little time, so culprits can commit the crime quickly. ATM jackpotting combines elements of physical crime and cybercrime to get an ATM to dispense cash. The offenders use a portable device to physically connect to the ATM. This "rogue" device can be a laptop, a smartphone or a tablet PC. They also use malware to target the machine's cash dispenser and force it to dispense cash.
Furthermore, attackers will often use deception to limit risk, like dressing as service personnel to avoid scrutiny while selecting easier targets, such as ATMs in isolated locations or unprotected by human security guards. With physical access to a machine, ATM jackpotting enables the theft of the machine's cash reserves, which are not tied to the balance of any one bank account. Successful thieves who remain undetected can potentially walk away with all the cash that was stored in the machine at that time.
The rogue device plays an important role in executing ATM jackpotting attacks. The device essentially mimics the ATM's internal computer. It is connected either directly to the cash dispenser or to the ATM's network. A direct connection allows the device to order the ATM to dispense cash. Connecting to the network allows it to capture the cardholder data passing between the ATM and the bank's centralized transaction processing center. Some criminals also use a portable, malware-infected USB device that is plugged into the machine's USB port. Doing so installs the malware on the ATM's hard drive and enables the attacker to take control of the system to steal its cash. Two of the most commonly used ATM malware families are Ploutus and Anunak.
Discovered in the wild in 2013, Ploutus enables criminals and money mules to bypass an ATM's security measures and physically control it in order to steal its money. That can be accomplished in just a few minutes either by attaching an external keyboard to the machine or remotely via SMS messaging. Because Ploutus can be remotely controlled after its installation on the ATM's internal computer, criminals can use it to steal cash at will. Moreover, the malware can operate undetected so that it can persist in the system and potentially cause significant losses for banks and their customers.
Anunak malware, also known as Carbanak malware, is a backdoor based on Carberp malware that allows attackers to remotely control the infected ATM and cash out large amounts of money at will. The malware includes capabilities like keylogging and desktop video capture that allow attackers to steal both ATM data and cash. Carbanak is also used for espionage.
In 2010, Barnaby Jack, a New Zealand-born hacker, provided a demonstration of ATM jackpotting at the Black Hat Security Conference. A few years later, attackers targeted 450 ATMs in Mexico. They infected the ATMs with Ploutus malware and stole over $40 million in what turned out to be one of the world's first large-scale jackpotting attacks. A series of attacks was noted in Ukraine in 2015, believed to be the brainchild of the Carbanak cybercrime group. A rash of ATM jackpotting also broke out in Latin America in 2017. Carbanak is also believed to be behind ATM jackpotting attacks in Taiwan in 2016, as well as other types of attacks on banks in at least 40 countries between 2013 and 2018.
Following those incidents, attacks occurred in Europe, Asia and the United States in 2018. In January 2018, the U.S. Secret Service warned ATM manufacturers that ATM jackpotting attacks using Ploutus malware had been discovered in the U.S. Following the warning, two well-known ATM manufacturers, NCR and Diebold Nixdorf, issued advisories to their customers. As software and tech become more accessible, ATM jackpotting is becoming more prevalent at the local level.