Jackpot!

Lorenzo Franceschi-Bicchierai, whose name I will only type once out of fear of butchering it in later appearances, wrote a wonderful article for Vice describing the recent rise then decline of “jackpotting” ATMs. Hackers in Europe have been distributing and implementing a malware that hijacks ATM process, and literally spits out money. While these attacks spiked recently, they are seemingly on the decline, and a lot of that has to do with the level of physical manipulation that is needed to get the malware running on an ATM. In 2017 “hackers stole 1.4 million Euro ($1.5 million)” which means this is no small operation. That large of a sum meant that immediate attention needed to be brought to the subject, and particular interest on the distribution of the malware.

Jackpotting, as described by the article is a “technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash”. Sounds like something ripped out of an early 2000’s heist movie. Things get more Hollywood when you see the UI for the malware, which totes “cartoon images of a chef and a cheering piece of meat” alongside operations to “CHECK HEAT” and “start cooking!”. The childish nature of the UI aside, the malware is no joke. In a stage demonstration of similar malware by Barnaby Jack, if the hackers get access to the USB port found inside the targeted ATMs, they simply click a button and can make off with millions. It’s unfortunately that simple. The difficult part of the hack is revealing the USB port, which requires flipping open the ATM face plate. This barrier would keep most criminals at bay, considering how conspicuous this looks. Of course, some criminals are braver than others, which has led to the over 80 accounts of jackpotting taking place in Germany recently.

This type of malware, which is purely criminal, and requires cunning to pull off, is frightening. The article goes into detail on purchasing the malware, stating it is available for $1,000 and even comes with a manual written in both Russian and English. While there is inherent risk in any crime, the nature of having to access a physical USB port and then now highlighted attention of the act should curtail many would be millionaires, despite the low entry cost. The malware takes advantage of the aging operating systems used in ATM machines, which is a tale as old as time. Unless these attacks become more prevalent, especially in the USA, there will be little desire from the ATM manufactures to spend the large amount of money to update all of their ATMs. Banks will need to hope that the security risk of being caught opening the machine is enough to keep their money safe, but with the rise of anti-facial recognition masks and the like, I can see that wall being knocked down sooner than later.

Source Article: https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world