ATM Jackpotting

ATM Jackpotting

Author: Jessica Amado, Head of Cyber Research, Sepio Systems

Straight to the source

ATM Jackpotting - “The love of money is the root of all evil”; a statement that attackers continuously prove to be true.

While numerous attack methods bring malicious actors financial rewards, few can be as direct as going straight to the source.

I am talking about ATMs, the metal boxes storing wads of cash found on almost every corner. For cybercriminals who possess the necessary capabilities, why wouldn’t they want to hack into an ATM and gain access to those wads of cash?

Hitting the jackpot

ATM jackpotting is known as a logical ATM attack, of which there are two main methods: malware-based and black box. Both methods require physical access to the ATM and the use of hardware attack tools, known as rogue devices. In the former, a USB device, laden with ATM-specific malware such as CutletMaker or Ploutus D, is inserted into the ATM’s USB port. The malware forces the ATM to dispense cash which the attacker comes to collect. The latter is a man-in-the-middle (MiTM) attack whereby a black box – often a Raspberry Pi – is attached to the ATM’s internal cash dispenser. The black box sends commands to the cash dispenser, instructing it to distribute money.

According to a report by Positive Technologies, 69% of ATMs are vulnerable to black box attacks. In the end, the outcome of both methods is the same; the ATM rapidly spits out cash. By rapidly, I mean up to forty bills every 20 seconds.

While this might sound like something out of a movie, ATM jackpotting is not a fictional storyline. It is a real threat that cannot, and should not, go ignored. Just last month, two individuals were arrested for jackpotting attacks in Europe which saw them steal over $273,000. Such attacks, however, are not only confined to the European continent as ATMs are found all over the globe.

“As we have seen with every other form of ATM crime, no region should expect that they are immune,” says Owen Wild, a senior director at ATM manufacturer NCR Corp. Africa is no exception; there are more than 50,000 ATMs on the continent, with just under 30,000 of those located in South Africa alone. ATM risks do not go unnoticed, and, in 2020, the South African government released a statement warning people about ATM fraud.

Open access

Hardware-based jackpotting attacks are especially threatening forms of ATM fraud since rogue devices go undetected by existing security software solutions. In other words, whether it is a malicious USB or Raspberry Pi, the target entity will not know it’s there. These tools are types of rogue devices known as spoofed peripherals. They are manipulated on the Physical Layer to impersonate legitimate HIDs and get recognized as such by security software due to a lack of Physical Layer visibility.

In addition to insufficient information security, ATMs make appealing targets for hardware-based attacks due to a lack of physical security at many locations. Jackpotting attacks require the perpetrator to gain physical access to the ATM to insert the rogue device, and the absence of adequate surveillance makes such access easily attainable.

Though many ATMs operate inside bank branches where security guards and staff are present, numerous ATMs are offsite and, therefore, more exposed. CCTV does almost nothing to prevent an attack in the moment, and cybercriminals have no trouble hiding their faces to avoid identification.

PLATINUM

Innovators

Seeing the invisible

Sepio Systems’ Hardware Access Control (HAC-1) solution provides Physical Layer visibility to ensure we see what other software solutions don’t. HAC-1 has detected several rogue devices at ATMs belonging to top tier banks in South Africa. Not only does this validate our ability to provide deeper visibility and prevent hardware-based attacks, but it undeniably substantiates the fact that ATMs are getting targeted on the African continent.

HAC-1 enhances security by identifying, detecting, and handling all IT/OT/ IoT devices – managed, unmanaged, or hidden. Using Physical Layer fingerprinting technology and Machine Learning, HAC-1 calculates a digital fingerprint of all hardware assets and instantly detects vulnerable devices and switches present within the organization’s infrastructure. Moreover, HAC-1’s policy enforcement mechanism and Rogue Device Mitigation capabilities support a Zero Trust Hardware Access approach by instantly blocking unapproved or Rogue hardware through integrated solutions.

HAC-1 requires no hardware resources and does not monitor any traffic; within 24 hours, we can provide organizations with complete asset visibility and identify previously undetected rogue or vulnerable devices.

Don’t let attackers use your ATMs as a slot machine – there’s Vegas for that.