Jackpotting Attacks Against US ATMs

Brian Krebs is reporting sophisticated jackpotting attacks against US ATMs. The attacker gains physical access to the ATM, plants malware using specialized electronics, and then later returns and forces the machine to dispense all the cash it has inside.

The Secret Service alert explains that the attackers typically use an endoscope -- a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body -- to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM's computer.

"Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers," reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

"In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds," the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

Lots of details in the article.

Posted on February 1, 2018 at 6:23 AM • 24 Comments

Comments

Dan HFebruary 1, 2018 7:52 AM

"The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack."

If only OS/2 was still dominating the ATM market...

Dan HFebruary 1, 2018 7:59 AM

"In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,"

If the firewall has 3 access attempts in 5 seconds that fail then you block that IP. Why not have the ATM stop dispensing cash if it dispenses 40 bills in 23 seconds? If it's still dispensing more bills after 23 seconds then they know it is a problem.

fredFebruary 1, 2018 9:28 AM

Sticking with XP is a stupid decision. I can't help but to think the cost certifying a new product to meet regulations is hurting innovation here. If I'm correct, regulations are causing the very security problems they are designed to solve.

ScissorsFebruary 1, 2018 9:39 AM

@fred,
To build on that thought, ATMs have the opposite problem most of the Internet of Things has: no regulation at all. This underscores the need to regulate wisely (not too much, not too little, not in stupid ways).

Impossibly StupidFebruary 1, 2018 9:47 AM

@Dan H

Why not have the ATM stop dispensing cash if it dispenses 40 bills in 23 seconds?

Maybe they normally do have those sorts of checks in place, but the attack bypasses them. The bigger question is why a machine as simple as an ATM gets built with a full-blown OS (of any kind) and apparently very little in the way of hardware failsafes. If security mattered at all, there's no way anyone with half a brain would leave it all up to software (and COTS at that). Look for ATM fees to go up even further as we see this type of attack more and more.

keinerFebruary 1, 2018 9:57 AM

@fred,scissors

Never heard that banks are out of money. Never. Heard a lot on wrong decisions made out of pure greed or to safe a penny...

vas pupFebruary 1, 2018 10:00 AM

@all:
I was guessing that all ATMs in US and other developed countries do have video security camera which could capture image of attacker when (s)he physically get access to ATM internals. Just make capturing image angle of the camera wider.
Or I am wrong on that?

jcFebruary 1, 2018 10:05 AM

@Scissors

Nice haircut, not too long, not too short, but if you ask a barber, you always — err, umm, oh, I think those ATM robbers just substituted a garrote for that pair of scissors.

WayneFebruary 1, 2018 10:32 AM

RE: XP.

A friend works for Diebold on ATMs, I expect he's going to be busy after this. He says that the ATM owner, i.e. the bank, is responsible for the ATM OS. So the banks are the ones being morons about continuing to run XP. I don't know how accurate that is as he's just starting the job.


And Krebs has posted an updated: One gang, there may be more, has been arrested. They would partially disassemble the ATM, remove the HD, take it outside and the malware would be remotely loaded. HD is reinstalled, jackpot. By the ones actually running the scam installing the malware remotely, they know how much money is in the ATM to be spat out.


And no, you can't put the computer inside the money vault. The computer is secured in its own area that the ATM technician has keys to and presumably only the bank techs might, the money is in a vault that only the guards and armored car drivers have.

Petre PeterFebruary 1, 2018 10:35 AM

This shouldn't increase ATM fees since future ATMs need less features of the operating system not more. Since complexity is not a friend of security, then lowering the number of OS features needed in ATMs, should also lower the price of ATM fees.

hmmFebruary 1, 2018 11:14 AM

Physical access is step 1-2 of this attack. Read and appreciate that.

XP is of course a joke but that's not the point. If they can get to an interface or a drive physically they might as well just physically get to the cash dispenser 1-2 feet in.

CallMeLateForSupperFebruary 1, 2018 12:38 PM

@Dan H
"If only OS/2 was still dominating the ATM market."

OMG! I am *not* the only living being who knows what OS/2 is? Well, there goes my book deal. ;-)

JeremyFebruary 1, 2018 2:10 PM

@Dan H

> "If the firewall has 3 access attempts in 5 seconds that fail then you block that IP. Why not have the ATM stop dispensing cash if it dispenses 40 bills in 23 seconds? If it's still dispensing more bills after 23 seconds then they know it is a problem."

Imagine someone has built a dam on a river, holding back some huge amount of water. Then they tell you that if there's a flash flood, it might apply so much pressure that it breaks the dam, and all the water will flow through.

So you say "why not have the dam stop letting the water through if the flow rate is more than a certain amount?"

The ATM already has safeguards to stop the cash from being let out, and the crooks have already broken those safeguards. It's not that the dam is too stupid to realize that it should stop the water, it's that the dam lacks the ability to stop the water, because we're talking about a scenario where the dam has already been broken.

k15February 1, 2018 2:32 PM

If you see odd behavior that could possibly be related to this, who would you report it to?

AlejandroFebruary 1, 2018 2:40 PM

"...the ATM continuously dispensed at a rate of 40 bills every 23 seconds," ...(until).... the machine is completely emptied of cash..."


Every time I go to the ATM I have that fantasy, too.

65535February 1, 2018 4:20 PM

@ Wayne and others

I have to agree the majority of your comments.

“They would partially disassemble the ATM, remove the HD, take it outside and the malware would be remotely loaded. HD is reinstalled, jackpot.”

A clear security SNFU.

That is what I understand. That is not easy and can be spotted by camera’s and individuals. I don’t think adding Win7 to Win10 would do much against the malware except possibly add bloatware and ASLR which is poorly enabled on Win machines. I will say there some hardened security templates that could have been used. But, if you can open a computer it is game over in general.

“Microsoft's Windows Vista (released January 2007) and later have ASLR enabled for only those executables and dynamic link libraries specifically linked to be ASLR-enabled.[22] For compatibility, it is not enabled by default for other applications. Typically, only older software is incompatible and ASLR can be fully enabled by editing a registry entry "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages",[23] or by installing Microsoft's Enhanced Mitigation Experience Toolkit.”-Wikipedia

https://en.wikipedia.org/wiki/Address_space_layout_randomization#Implementations

As a couple of Kreb’s commenter’s note:

“1…2… then 3. The XFS protocol that the ATM computers use to speak with the cash dispenser does not authenticate. Meaning that you can hook a mini-pc up to the cash dispenser and send the XFS command to dispense and that’s it.”- JellyKid
January 30, 2018 at 1:40 pm

Anybody care to explain the XFS protocol?

https://krebsonsecurity.com/2018/01/drug-charges-tripped-up-suspects-in-first-known-atm-jackpotting-attacks-in-the-us/#more-42410

As I understand the attackers hit a standalone old NCR-Diebold Nixdorf machine in the Midwest where economic condition are poor.

‘All of the known ATM jackpotting attacks in the U.S. so far appear to be targeting a handful of older model cash machines manufactured by ATM giant NCR-Diebold Nixdorf…"-Kerbs

'“Often the malware requires entering of codes to dispense cash,” reads an FBI affidavit (PDF). “These codes can be obtained by a third party, not at the location, who then provides the codes to the subjects at the ATM. This allows the third party to know how much cash is dispensed from the ATM, preventing those who are physically at the ATM from keeping cash for themselves instead of providing it to the criminal organization. The use of mobile phones is often used to obtain these dispensing codes.”’-Krebs

https://krebsonsecurity.com/2018/01/drug-charges-tripped-up-suspects-in-first-known-atm-jackpotting-attacks-in-the-us/#more-42410

Thus, the Poutus.D malware has complex features that let the “controller of the gang” know exactly the amount withdrawn and to sanction [sometimes brutally] their buddies who try to skim some of that cash. Krebs explains the malware is customize able for other machines, OS types,and features.

hmmFebruary 2, 2018 1:13 AM

If ASLR is all that's keeping cash in cash machines, ATM-based civilization is screwed.

x2bike4uFebruary 2, 2018 9:15 AM

The banks put up with the losses. The cost of remediation is probably a lot more than what they are loosing through these attacks.

MiaFebruary 2, 2018 4:05 PM

@Dan H

If the firewall has 3 access attempts in 5 seconds that fail then you block that IP. Why not have the ATM stop dispensing cash if it dispenses 40 bills in 23 seconds? If it's still dispensing more bills after 23 seconds then they know it is a problem.

Some ATMs only dispense $20 bills, and 40 of them is only $800. Some people do withdraw cash in those amounts, e.g. to pay building contractors (or even employees, at very small companies). A web search shows some US banks with $2000-$3000 ATM cash limits, so perhaps it could stop after that much—unless they intentionally allow overrides (maybe for preferred customers or if people call first).

AnonFebruary 2, 2018 10:18 PM

@hmm beat me to it, but essentially:

They would partially disassemble the ATM, remove the HD, take it outside and the malware would be remotely loaded. HD is reinstalled, jackpot. By the ones actually running the scam installing the malware remotely, they know how much money is in the ATM to be spat out.

The ATM security failed when they were able to pull the HD out. Does it even matter what the OS is?

Next step will be a custom *nix build that can drive the ATM hardware directly.

Attacking Windows XP here is pretty irrelevant I'd suggest!

CashlessFebruary 4, 2018 3:34 AM

After reconditioning these machines for 6 months as a student one summer, This is probably easier than you think. The HDD's are 40GB IDE unencrypted and on there is a folder with the dispenser test scripts. One operates the dispenser on each note bank. This script can be run at any time regardless and does not communicate anything about it being run. Some machines operated on Windows NT4 as well.

We were shown all the physical vulnerabilities as it was assumed back then they were 'too secure' to be remotely hacked. My favorite was the use of lighter gas. This was squirted into the cash slot and it would settle at the bottom of the safe. This was then lit with a fuse and it would blow the front door right off.

The door also had a pane of glass inside the mechanism that would break and double-lock if drilling out of the lock was attempted. No chance against gas though.

A Winner Is MeFebruary 8, 2018 5:13 PM

Sometimes when I withdraw money from the ATM, I jump up and down shouting "I WON!!! I WON!!!" when the money comes out.

Maybe I oughta stop doing that for a while until the dust settles on this one.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.