Cybercriminals are at it again, and this time they’re hanging out at the ATM. But they’re not stealing from anyone’s bank account directly, just removing all the money the machine is holding. Many ATMs can access up to $20,000 or more in cash, so it’s possible for cyber attackers to grab a lot of dough, especially if they attack multiple ATMs.
Cash spitting out everywhere!
Back in 2010, at the Black Hat cybersecurity convention in Las Vegas, the late “Barnaby Jack,”a New Zealand computer security expert, showed the audience exactly how it could be done. But Barnaby Jack was a good guy and didn’t do anything illegal—he’d only provided the demonstration. Cybersecurity professionals often demonstrate cyber attacks on their own equipment or some others they’d used with permission. He bought two ATMs and put loads of cash into them. And sure enough, he was able to hack two different machines to shoot all of their money, no problem. It looked pretty cool and people were shocked.
In the cyber attack on the first ATM, Jack accessed the machine with his own computer using the network it was connected to. And on his own computer, Jack used a program called Jackpot to go through weaknesses in how the ATM’s software was designed, and he sent the machine a signal that made it shoot out all of its cash.
In the cyber attack on the second ATM, he used his USB stick which contained special malware. The malware was installed onto the ATM, and from the screen and buttons people interface with to use the ATM normally, Jack was able to make the second ATM also dump money at the crowd. This type of technology-based attack is called “jackpotting”—you know like when someone hits the jackpot on a casino’s slot machine. But slot machines are designed to only occasionally jackpot, while ATMs are only supposed to give people money they actually have available in their account. As a result, the two companies—Tranax and Triton—who made the ATMs used in the Black Hat demonstration learned to make their software more effective.
Endoscopes are used to rob ATMs!
The first verifiable real jackpotting attacks were conducted on American ATMs last January. When U.S. law enforcement became aware of the problem, the Secret Service sent a memo to various financial institutions. It said: “The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs. During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.”
Cyber attackers are able to figure out how to physically connect their laptops to the ATMs with a medical device called an endoscope. Medical doctors use endoscopes to look inside a patient’s body, cyber attackers are using endoscopes to look inside of an ATM to see where they can connect a cable to their computer. It’s all very sneaky!
These cybercriminals couldn’t escape the law!
Soon after January, a couple of new cybercriminals started a jackpotting crime spree which ran from February to March 2018. Christian Eduardo Zerpa-Ruiz, 32 and Ragde Hussein Pinto-Coronado, 24, have both been accused of being members of a Venezuelan crime syndicate. During the two months, the dastardly duo hit ATMs in Indiana, Kentucky, and Wisconsin, stealing a collective load of cash worth about $125,000 from four machines. The younger man, Pinto-Coronado, would remove the hard drive from an ATM, while Zerpa-Ruiz would check if the coast was clear and operate their getaway vehicle.
By March 15th, 2018, they tried to rob a fifth ATM in St. Joseph, Michigan that contained more than $43,000. But a team of agents from the Federal Bureau of Investigation, the United States Secret Service, and the St. Joseph Township Police Department was hot on their trail. Trying to rob that last ATM was their fatal mistake, and both gentlemen were immediately arrested. Zerpa-Ruiz was in the U.S under a tourist visa, whereas Pinto-Coronado was in the country illegally.
Finally, as of November 13, both cybercriminals were sentenced to federal prison for conspiracy to commit bank larceny. The man caught removing ATM hard drives, Pinto-Coronado, got a 15-month prison sentence, whereas the getaway driver Zerpa-Ruiz got a whopping 52-month sentence. That’s more than four years! Perhaps Zerpa-Ruiz was actually the mastermind of the operation? Both young men were also ordered to pay restitution. How much restitution wasn’t reported, but it’s probably a hell of a lot of money.
In a press release from the U.S. Department of Justice: “In imposing the sentences, (U.S. District) Judge Janet Neff characterized the crime as a ‘chillingly sophisticated’ use of technology that ‘strikes at the integrity of the financial system of the entire country.’ “In her words, she was astounded and troubled that Zerpa-Ruiz and Pinto-Coronado were able to ‘come into the country and attack the financial system in this way.’
U.S. Attorney Andrew Birge goes on to say, “Criminals continue to exploit new types of technology to attack our nation’s financial institutions. But one thing remains the same—they will be caught, and they will go to prison. We will vigorously prosecute these cases, and continue to work with law enforcement to develop countermeasures to prevent these types of crimes in the future.”
‘Today’s sentencings demonstrate that attempts to attack our nation’s financial systems through technological exploitation will be met by the full force of federal law enforcement,’ said Timothy R. Slater, Special Agent in Charge, Detroit Division of the FBI. ‘The FBI and our law enforcement partners will continue to protect the integrity of our banking institutions against schemes to compromise it, and bring to justice those who perpetrate these crimes.’”
So jackpotting is probably the new style of bank robbery. But convenience stores, bars, restaurants, and other small businesses ought to be careful too, because their facilities often have third-party (non-bank) ATMs, a popular target for attacks. While ATM manufacturers and Microsoft (ATMs usually run Windows) need to continuously work to make their products more secure, banks and shops should also be careful to check if their ATM technicians are actually legit.
And thank the gods you’re at home about to eat Thanksgiving dinner instead of worrying about this!