How Vulnerable Are Your ATMs?

Attackers are increasingly hacking into banks’ networks to gain access to the IT infrastructure connected to their ATMs. They then push malware onto the ATMs that allows a low-level gang member to walk up and enter a preset numerical sequence into the ATM to make it dispense all of its money in what’s known as a “jackpotting” or “cashing out” attack. Such attacks also allow them to steal card data from the ATMs.

For attackers, the appeal is simple: It’s safer and easier than walking into a bank with a gun and trying to rob it.

Many remote attacks that install malware on ATMs begin with a phishing attack against a bank employee. Network-based attacks require more reconnaissance and skill than physical attacks, but this tactic allows cybercriminals to extract cash on command from multiple ATMs. These remote-access attacks can also bypass existing defenses, such as firewalls, VPNs, or network segmentation that might be in place.

How It’s Happened

One spree in July 2016 targeted 41 ATMs in Taiwan, resulting in the theft of $2.7 million in cash. Police said attackers installed malware on 22 ATMs manufactured by Wincor-Nixdorf – now known as Diebold Nixdorf – run by Taiwan’s First Commercial Bank.

The attackers first hacked into the bank’s London-based networks. From there they accessed the bank’s voice recording system and stole the domain administrator’s account credentials, used those credentials to gain VPN access to the bank’s Taiwan branch, mapped the company’s intranet topology, identified the ATM software updating system, and worked out the administrator credentials it required.

From there, the attackers logged into the ATM update server, submitted a fake update package to the distribution management system, and pushed it to the ATMs as if it were a real update. The package instructed the ATMs to enable their telnet service, which the attackers used to remotely access the ATMs and upload three pieces of malware, including a test program that accomplices standing in front of an ATM validated in person.

Once the hackers confirmed that the ATMs were ready for the attack, they uploaded and ran modified vendor test tools that dispensed the maximum number of banknotes the machine was capable of dispensing.

From there they moved on to other ATMs and repeated the process. After each ATM had been jackpotted, the remote hackers wiped the malicious programs off the victimized ATM and logged off.

Banks may be unaware they’ve been hacked until money goes missing. Some types of malware are also designed to delete themselves from an ATM after they’ve been used to jackpot it, effectively erasing most traces of the criminal activity.

Physical Attacks Continue To Be Top Threat

There’s been significant growth in remote ATM attacks and other types of “logical” attacks that involve malware, but physical attacks remain the most common type of ATM attack.

Some of the most popular ways to steal cash from an ATM:

Ports: Crack open the ATM case and load jackpotting malware via USB or another access port. Sometimes gangs will use two teams – one installs the malware, while another waits to jackpot numerous infected ATMs in one fell swoop, often overnight or during a weekend.

Black Box: Physically access the ATM and plug in a purpose-built black box to override its security controls, then proceed as above.

Skimmer: Install a skimmer glued into the mouth of the card reader, or in the form of a fake PIN pad glued over the real one. These skimmers read and store the data on cards’ magnetic stripes as customers insert their cards, and in some cases broadcast the data to a waiting attacker via Bluetooth.

Ram Raid: Ram the ATM or its enclosure using a vehicle, then attack the ATM with hammers or other tools to steal the cash it stores.

Robbery: Rob an ATM technician who comes to service or refill the device.

Explosives: If all else fails, open the ATM shutter and pump it full of explosive gas, then light a fuse and run until it rains money.

It’s important to keep up to date with all of the threats banks face. If you have questions about phishing prevention training or network security call ITPAC today.