ATM manufacturers Diebold Nixdorf and NCR Corp. issued security alerts to banks on ATM jackpotting attacks, which are being detected for the first time in the United States. The warning follows a U.S. Secret Service alert that cybercriminals are using various techniques that force ATMs to “spit out” cash. In the criminal underground, this term is also known as ATM jackpotting.
The ATM jackpotting attacks first occurred in Russia, and later spread to Europe, Asia, Latin America, and Mexico. Security reporter Brian Krebs obtained a security alert from Diebold Nixdorf on January 27, which stated that the U.S. ATM jackpotting attacks are similar to other attacks that occurred in Mexico in October 2017. The similarities suggest that the same people have moved its operations north of the U.S.-Mexico border.
ATM jackpotting attacks can be conducted in a number of ways but cybercriminals require physical access to the machine to install malware on the ATM’s computer. The malware responds to commands entered via the PIN pad or by a USB keyboard attached to the ATM, allowing the perpetrator to issue commands to the ATM’s internal cash dispenser and empty out the bill-storage cassette.
According to a Diebold Nixdorf security alert released in October 2017, criminals gain physical access to the ATM’s backside, which allows them access to the machine’s internals. They replace the ATM’s hard drive with a tainted one and use an industrial endoscope to press a reset button inside the ATM. The list of known malware used in jackpotting attacks include ATMii, ATMitch, GreenDispenser, Alice, Ripper, Skimer, and SUCEFUL.
The recent jackpotting incidents involved the use of malware known as Ploutus (detected by Trend Micro as TSPY_PLOUTUS.A). According to a research paper entitled, “Cashing in on ATM Malware” by Trend Micro and Europol’s European Cybercrime Center (EC3), Ploutus was first reported in September 2013, when it was discovered attacking ATMs in Mexico. A redesigned variant called Ploutus.B, which adds more functions, was discovered soon after. In recent cases, a mobile phone was physically installed inside the ATM’s housing. The device received cash withdrawal commands through SMS and then forwarded to Ploutus.B, minimizing direct physical interaction between the malware operator and the ATM. In October 2015, a variant called Ploutus.C appeared; this version controlled a specific software framework that managed ATMs regardless of the vendor. In January 2017, TSPY_PLOUTUS.A emerged which adds a module to manage the ATM remotely.
The number of ATMs is predicted to increase to 4 million by 2021. The ATM Industry Association (ATMIA) indicates that there are between 475,000 and 500,000 ATMs operating in the United States. In the future, there will be cardless cash transactions enabled by Near Field Communication (NFC), Bluetooth, and iBeacon-enabled mobile phones. However, these convenient technologies also presents new risks, making it even more important to secure the physical and network security of ATMs.
Physical and network-based malware attacks on ATMs are rising. Trend Micro research shows that there is a common denominator in ATM malware: XFS (extensions for financial services) middleware. Middleware providers use the XFS standard to create client-server architecture for financial applications on Microsoft Windows platforms. Financial applications through the XFS manager using XFS APIs communicate with peripherals like PIN pads, cash dispenses, and receipt printers. The middleware connects ATMs regardless of the make, model, or vendor. Exploiting the universality of XFS to “jackpot” ATMs equates to a huge ROI for malware developers as it allows them to conduct multiple campaigns.
To mitigate the risks posed by ATMs to banks and consumers, security administrators in the financial sector should remember these few things:
- Keep the operating system, software stack, and security configuration up-to-date.
- Apply timely patches to corporate network infrastructure and ATMs.
- Use whitelisting technology to protect the environment as most machines are “fixed function devices.”
- Introduce intrusion prevention and breach detection mechanisms to identify malicious system behavior to protect ATMs during operation.
- Ensure real-time monitoring of security relevant hardware and software events.
- Deploy and actively use anti-malware solution on technician’s notebooks and USB devices.
- Train service technicians to handle USB removable media devices with due care.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.