Naked Security

Secret Service warning: Jackpotting ATM attacks reach the US

The specific jackpotting attack that the Secret Service is warning financial institutions of uses the Ploutus.D malware, which has been actively in use for ATM jackpotting since 2013.

Attacks targeting ATMs, called “jackpotting,” which have been seen in Europe and Asia for some time, have now reached the US, according to a recent alert from the US Secret Service obtained by Brian Krebs.
One of Krebs’s sources reported that the Secret Service is warning about the appearance in the US of ATM malware known as Ploutus.D, which has been actively in use for ATM jackpotting since 2013.
The Secret Service alert also warns that ATMs running Windows XP are “particularly vulnerable” and advises updating them.
Yes, there are still ATMs running Windows XP.
And yes, people still need reminding that it’s time to update – even extended support for the stripped-down Windows XP Embedded ended more than two years ago.

How the attack works

Jackpotting attacks usually happen in two stages.
First, an attacker performs some basic reconnaissance to figure out a way into the ATM – usually a model with a front-facing panel, as it’s easier for the attacker to access.
Next, the attacker connects a computer up to the ATM, and either swaps out the hard drive entirely or gains access to the ATM’s software and operating system.
In order to evade suspicion, the attacker may pose as an ATM technician so they can hook up the computer to the ATM out in the open.
Once connected to the machine, the attacker will deploy malware that puts the ATM under their control while appearing to be out of service.
In the second stage, which can happen at a later and less conspicuous time, attackers return to the compromised ATM and command it to quickly dispense all its cash – this usually happens within just a few minutes, according to the report by Krebs.

ATMs remain a tantalizing target

Jackpotting isn’t the only reason that cybercrooks might show up in the vicinity of your local ATM – there’s also card skimming and “casher crew” raids for financial institutions to worry about.
There’s a common thread running through these attacks: they’re not solo operations, as they usually have multiple criminals coordinating the various steps to hit the ATMs and get away with the cash as quickly as possible.
Right now it’s not clear how widespread the new jackpotting attacks are in the US, but it’s clearly something the Secret Service isn’t taking lightly.

6 Comments

So how does a consumer know if an ATM running Windows XP?


If you see Clippy trying to help you do a transaction, then you know for sure.
(Seriously: unless you are familiar with the model, or happen to be looking at the screen when it reboots, you’re probably never going to know.)


I take it that the cash box in ATMs is secure but not the control computer?


Well, the attack doesn’t pop open the actual safe itself, so in that sense it’s still secure…but if you can instruct the cash box to empty itself tidily through the banknote slot in the ATM then I guess you might as well say that the cash box isn’t secure at all :-)
(Unlike those ATM attacks where the crooks use propane gas to blow the cash box open, this attack is stealthy, silent, and doesn’t leave you with a melted blob of worthless polymer/pile of charred paper [*] instead of actual money.)
[*] Delete depending on whether your country has plastic notes or not.


If they are swapping out the hard drive why does the OS matter?


Depends what they are able (or most easily able) to change. I am not sure how these things are organised internally – perhaps the easily-swappable part is just applications and not the Windows core itself? Or perhaps the easiest/most timely way to pull off the Trojanisation process is to get an existing disk image and leave most of it intact, just modifying a few files and swapping in a lightly modified image restored onto a new disk? Swapping out everything, OS and all, might be much trickier (or require more reverse engineering to make sure the network recognises the new device without raising an alarm).
Just a guess, though…
