Bottom Line: Up Front, You Lose.
This advanced attack against ATM machines by third parties is a kind of electronic holdup. Unfortunately, it’s been proven successful – for the bad guys. Banks are out the money, the bandits get away, and it can be quite a while before the breach is detected. It’s called “jackpotting” because the bad guys aren’t going after individuals and their bank accounts but are more interested in the big pot that the ATM machine holds. The first reported signs of this in the US were discovered in the January / February 2018 time frame. So, you are thinking to yourself, this is a new phenomenon, right? Not quite. This attack has already made its way through Europe and Mexico, with the hack first shown in the MIT Technology Review and Black Hat conference in 2010. The US is just waking up to this and is well behind the power curve in protecting against these known vulnerabilities that open them up to hacks and cyber-attacks.
The Game: Two Strategies
One strategy players use in this multi-tiered attack starts with gaining physical access to the ATM machine itself. Let’s face it, chances are you wouldn’t even look twice if you saw someone dressed as an ATM repairman servicing the machine. Bad guys count on this and as simple as it sounds, it works. Most folks just walk on by while the attacker uses a “Borescope” (which connects to a mobile phone, available on Amazon for $30USD) to look inside the ATM machine’s cabinet. They do this so they can directly interface with the ATM’s computer.
Then, using either a stolen master key to the ATM cabinet or another type of entry to open the ATM, the attackers set the ATM to an “out of service” state to keep people from using that machine. At this point, the attacker injects malware into the ATM’s computer. The malware is called “Ploutus” and has different variants that have gotten more and more complex over time. Once the malware has infected the ATM, the attacker leverages an input device to interact with the malware running. This could be a physical keyboard or a cell phone that is connected directly to the ATM’s USB port and is set to tethering mode. This allows the attacker to either directly interact locally with the ATM (keyboard) or from anywhere via cell phone to interact with the “Ploutus” malware. If the cell phone tethering mode is chosen, because the cell is using the ATMs USB port, that port is also charging the cell phone battery. Talk about a sleeper cell waiting to be activated! The malware allows the attacker to dispense all its money in a single command and your ATM machine was just cleaned out by bad guys acting in plain sight.
Now here’s method two: This again is a multi-tiered attack that starts with gaining physical access to the ATM machine. The attacker will need to open the ATM cabinet or find where the network connection is servicing the ATM. Once established, the attacker has an external device that reproduces the ATMs processing center connection. The attacker physically disconnects the network cable from the ATM itself and attaches it to the fraudulent device that replicates the processing center. That ATM is now under the control of the attacker. Two things to point out about this type of attack: 1) This device can be removed after the attack is completed, leaving no signs of interference or compromise, and 2) If other ATMs are present with the compromised one, it’s possible to control all of them at once if they are all using that same network port to connect to the same processing center.
One last thing to talk about here: Many ATM manufacturers have provided updated security guidance about these attacks and ways to mitigate them to banks and owners of ATM machines, but it’s on the owner of the ATM to execute. That being said, there are still a lot of ATM machines running Microsoft Windows XP/Embedded and others running Windows CE around the US. None of these would still be considered a modern and secure operating system. In short, the majority of ATMs in this configuration are VERY vulnerable to Jackpotting.
Protecting the House: #StayCurrent
Software such as 1E’s Tachyon platform can find the ATMs on your network that is susceptible to these styles of attack and can create a baseline of a known “good machine configuration” and block any type of software being installed without the proper authority. It’s done through the use of “one-time use codes” for the purpose of installing or making any changes to the ATM’s internal computer. Tachyon can search your ATM network for threats, report, and resolve in real time. 1E can also work with you to get these ATM machines updated to a modern and secure operating system at scale with the Windows Servicing Suite.
