Jackpotting, an older ATM theft technique, could show security operations team members what to look out for when it comes to Internet of things (IoT) attacks in general, and even election machine vulnerabilities.
This technique first entered the U.S. cybersecurity lexicon in 2018, when Brian Krebs warned of attacks at American ATMs. Jackpotting, Krebs explains, is “a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand.”
The targets were usually stand-alone ATMs, almost always those manufactured by Diebold Nixdorf, an American multinational financial and retail technology company. Criminals needed physical access to the ATM. Then, they used a jackpotting malware called Ploutus.D and special electronics to take over the machines. When done right, jackpotting offered a very large and very fast payout, like a slot machine gone wild, but with paper money instead of quarters.
While jackpotting does happen in the United States, this type of cyber theft is more common in Europe and Asia where ATMs are less protected. Still, it is a complicated crime to commit, since the nature of the crime requires physical proximity to the machine to both set up the crime and grab the cash. Sure, the ready cash is the big draw, but even in places with minimal law enforcement, why do criminals make the effort?
It boils down to out-of-date operating systems on ATMs. It is not uncommon to find an unsupported Windows OS on ATMs (or other internet-connected devices). Windows XP is still very popular in this area, even though it was retired in 2014. To remain hidden in the background, criminals rely on cash mules to retrieve the money.
Malware for jackpotting has expanded into families as well, with the related WinPot and Cutlet Maker both available for sale on the dark web for a few hundred dollars.
Jackpotting’s New Twist
In cybersecurity years, 2018 was a long time ago. While jackpotting is still around, it has evolved into more sophisticated and dangerous forms. Two years ago, it was all about turning ATMs into personal slot machines. Today, cybercriminals are focused on software.
After a recent rash of jackpotting attacks in Europe, a Diebold Nixdorf formal statement notes, “Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed. Although the fraudster is still connecting an external device, at this stage of our investigations it appears that this device also contains parts of the software stack of the attacked ATM.”
In other words, the criminals are using Diebold Nixdorf’s own proprietary software to help enable attacks.
“The black box variant of jackpotting does not utilize the software stack of the ATM to dispense money from the terminal. Instead, the fraudster connects his own device, the black box, to the dispenser and targets the communication to the cash-handling device directly,” the Diebold Nixdorf release adds.
As Ars Technica reports, the good news is, so far, the new jackpotting attack isn’t stealing ATM card data, just the money. But the bad news, which has much farther-reaching implications, is that “attackers appear to have their hands on proprietary software that makes attacks more effective.”
How Jackpotting Connects to Proprietary Software and Cybersecurity
ATMs are part of the large collective that makes up the IoT. The fact that jackpotting criminals are using Diebold Nixdorf’s proprietary software stack as a possible attack vector should be a wake-up call for IoT in general.
Reports about ATM jackpotting that uses the software stack show a commonality: the criminals targeted Diebold Nixdorf cash machines. Why? The simple answer is that most ATMs are Diebold and they are found all over Europe. More important for the criminals, however, is that because the same proprietary software runs across all the machines, the tactic works reliably over and over again.
This also goes for IoT devices. Every IoT device used in corporate facilities or in homes — which is especially important as millions of people continue remote work — uses the manufacturer’s proprietary software. This, in turn, means you may be dealing with dozens of different software systems to protect, patch and update. That in itself is a chore.
Therefore, if cybercriminals have access to parts of an IoT device’s software stack, they can use it to better facilitate attacks on that specific device. If the IoT device is connected to the corporate network, it offers an open door to hackers. Ten IoT devices in an office could provide the gateway to ten different groups of cybercriminals who may all have different agendas.
The Trouble With Voting Machines
It’s not just business data and networks that are at risk. IoT controls smart cities and critical infrastructure. And devices don’t even have to be connected to the internet to be targeted. Just as Diebold is a top brand of ATMs, it was a top maker of American voting machines. Although Diebold is no longer in the voting machine business, older machines tend to stay in the field.
“It is well known that current voting systems, like any hardware and software running on conventional general-purpose platforms can be compromised in practice,” reports Defcon Voting Village after a 2019 study covered by Wired. “However, it is notable — and especially disappointing — that many of the specific vulnerabilities reported over a decade earlier … are still present in these systems today.”
Expect criminals to build on the use of proprietary software to make the next round of attacks easier and more financially viable. Also be aware of how those same tactics can move from ATMs to other IoT devices, taking advantage of poor cybersecurity practices.