Walt Manning, CFE
President, Techno-Crime Institute
A man and a woman walk up to an ATM located in the back of a small drug store. The machine is tucked away in a seating area for people waiting on prescriptions to be filled. They are dressed as ATM technicians and even have a company logo over the shirt pockets of their uniforms. The man carries a small toolbox, while the woman holds a clipboard.
They know from previous visits that the video surveillance cameras are pointed at the front checkout counter and at the pharmacy counter. None of the cameras show activity near the ATM. They also know that the cash has been refilled recently, so the internal safe should be relatively full.
The woman checks information on the clipboard, compares it to information on the ATM, and nods to her partner. He pulls out a key ring, which contains various master keys that work on most ATMs. Being familiar with this specific model, he successfully opens the access door with the first key he tries.
The woman then hands the man a small endoscope attached to a smartphone. He inserts the end with the camera into the machine until he locates what he needs. He then removes the endoscope and attaches the smartphone to a USB port inside the machine and leaves the smartphone there. They then close and relock the machine, leaving an “out of order” sign on the ATM so nobody will withdraw any of the cash. They leave the building.
About an hour later, a teenager approaches the ATM. She pulls out a cell phone and sends a text message to the smartphone inside the ATM. The message sends a command to the computer controlling the ATM. Seconds later the machine begins spitting out money, which the teenager puts into a small shoulder bag. Nobody in the store notices that the ATM is discharging money at the rate of 40 bills every 23 seconds. This continues for several minutes until the ATM is empty.
The young woman hurries out, since she has several more ATMs to visit and is on a tight schedule. She leaves the “out of order” sign in place to ensure that it will take some time before anyone reports that the machine is out of service.
This is an example of ATM “jackpotting.” The average ATM can hold as much as $200,000. If an organized group has the intelligence to target the most vulnerable machines, along with the right equipment and timing, and executes the attack simultaneously in multiple cities, a tidy profit is likely.
In July of 2016, hackers in Taiwan stole more than $2 million from ATMs using this type of attack. Such attacks have occurred over the past couple of years in Asia, Europe and Central America, but had not been seen in the U.S. until recently. In November of 2016, the FBI issued warnings to financial institutions in the U.S. that they might be targets of this type of theft.
How it works
The fraud appears to primarily target ATMs manufactured by Diebold Nixdorf, and involves obtaining some type of physical access to the device. A connection is then made, either by plugging in an external device or by installing an additional piece of equipment, that allows access to the internal computer controlling the ATM. The most prevalent version infects the ATM with malware named Ploutus.D.
The thieves can then program the machine to dispense currency when a certain code is input into the ATM keypad, at a specific time or via an SMS text message as previously described.
Other ATM hacks have been conducted by stealing access credentials from company employees and using those credentials to alter the software on the ATM via remote updates. The attacker can then install malware on the ATM system or enable remote control of the machine by other methods.
FireEye, a computer security firm, examined the Ploutus.D malware. They warned that a small change to the code could allow it to infect 40 different ATM brands used in more than 80 countries.
According to a report from Symantec, almost 95% of ATMs still run on outdated versions of the Windows XP operating system, with software that either cannot be updated or has never been patched.
Measures to prevent ATM jackpotting might include:
- Updating the operating system of the machine to a newer and more secure version
- Constructing the machines so that the compartment housing the internal components is protected to the same level as the safe that protects the cash
- Locking down the machine’s software to prevent other devices from being connected to the ATM
- Better securing or removing remote access capability from the machine
- Installing CCTV surveillance cameras to monitor activities around the ATM
Fraudsters are always looking for new ways to commit techno-crimes, and these will continue to evolve. Detailed tutorials showing how to commit ATM jackpotting schemes are available on the darknets.
Be ready and stay informed by reading ACFE Insights. Visit our website at https://technocrime.com for more information about fighting techno-crime.