CyberWire Daily - ATM hacks on the rise. [Research Saturday]
Episode Date: September 1, 2018
Threat researcher Marcelle Lee from LookingGlass Cyber Solutions joins us to share her research on the growing threat of ATM hacks in the U.S. The research can be found here: https://www.lookingglas...scyber.com/blog/atm-hacking-you-dont-have-to-pay-to-play/
Transcript
You're listening to the CyberWire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life... Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your
security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making
apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
not the entire network, continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Well, I think most people realize, of course, that there's ATMs everywhere.
That's Marcelle Lee. She's a threat researcher with LookingGlass Cyber Solutions.
The research we're discussing today is titled "ATM Hacking: You Don't Have to Pay to Play."
You really can't go into a convenience store without seeing one. They're in colleges,
they're in workplaces sometimes, obviously at banks. They're everywhere. And they're not just owned by banks, but I discovered that you can personally buy an ATM and set it up someplace.
And it's a way to make money off of fees and whatnot.
I set one up in my house for my teenage kids.
I feel like that would backfire on you.
I might as well. I mean, we're already there. Yeah, we've got everything. We've got everything but the cards. So, you know, right now it's just known as my wallet.
So. Yeah. So ubiquity is definitely a thing. They are certainly an everyday part of life at this point in time. And I'm sure there's some of us who are old enough to remember the days before ATMs were prevalent. You had to actually, like, go to the bank to get money. I'm kind of dating myself by saying this, but...
No, me too. I mean, it was barbaric, right? To actually talk to the actual human being to get your money. It was crazy times.
Yes.
So obviously, you have this unattended device that's full of cash. That's certainly going to
attract the bad guys. So I suppose ATMs have been a target since they were available.
Yeah, they have been. Although, interestingly, the ATM hacking was observed much more in Europe
and then parts of like South and Central America than it has been in the US. And I don't know
really the reason why for that. But we're definitely seeing an uptick on these types of ATM attacks in the States. So it's on the rise.
And as you saw in the blog post, I had a little screenshot there of a press release that the
Secret Service put out about this, just because it is becoming such a concern.
So let's walk through the various types of attack and who they target,
because not all the attacks are the same. There's some variety here.
So walk us through what we're dealing with.
There are a variety, as you said, and it really ranges from a totally destructive attack where somebody essentially blows up an ATM machine and just takes the cash out. People have been known to physically remove an ATM from a site and then throw it in the back of their pickup truck and drive off to some more convenient place to break into it without being observed by other people. That's sort of like what I would consider the very low-tech end of the scale. But then there's also certainly what we would consider more of a logical attack, where you're connecting malware to an ATM or basically infecting an ATM with malware. And that can be done a couple of different ways. It can be done in person where you insert a USB or maybe even a CD, kind of depends on the age of the ATM and the malware, of course. Or you also have the skimming.
So the ATM skimming is more,
it's going to steal customer information
as opposed to actually stealing cash from the ATM.
There's so many different vectors.
It's kind of amazing.
And they're not that hard, really, any of them to do.
I read a statistic somewhere that it's 10 times more profitable to break into an ATM
than it is to physically go into a bank branch and rob it. So it's probably safer to not have to
go in guns blazing to a branch. I suppose it's a nonviolent crime. You don't have to
stick somebody up and probably also not dealing
with an exploding dye pack possibility. Although I have heard that ATMs have mechanisms in them
that if they're physically tampered with, that they can spray the money with dye defensively.
Have you run into that in your research?
You know, I actually haven't come across that at all. You know, what I've found really is that ATM machines predominantly are older. They have older operating systems. The hardware itself is old. So that seems like it might be something relatively new that might be found, say, in an urban area where they're probably more likely to be updating things. But yeah, I hadn't come across that, but it makes sense.
Yeah. Well, let's talk also about the skimmers and dig in here. I think that that's something that we hear about a lot, and it seems as though the sophistication of the skimmers, the ability for them to be disguised, to camouflage, to fit in, has really grown over time.
Yeah, and the interesting thing about skimmers is you can buy a skimmer. Like, you can go online today and buy a skimmer device. They're not illegal unless you are actually using them in conjunction with some kind of fraud activity.
But skimmers are, they're built to just basically fit over the actual skimmer with the ATM. So there's really two things, right? There's the legit skimmer, which can either be replaced with a not-legit skimmer, or you can get an overlay that goes over the legit skimmer and basically is sucking off the information that way. So two things are possible there. And really, it just depends. So if they've actually replaced a skimmer, that's going to be harder to detect. But if it's an overlay, that's where you could tug on it and see, is it loose? Does it come off? If the skimmer comes off in your hand, that's probably not an ATM that you want to actually use. And I've been known, and these aren't ATMs, of course, but gas stations are kind of notorious for this skimming device addition. So pretty much anytime I get gas, you can always see me tugging on the thing before I put my card in the slot.
I do the same thing. It's become a habit now. And I don't know what I would do if one came off in my hand. I guess I'd find a different gas station.
Yeah, I would be super excited because it would be awesome for research purposes.
Have you found one yet, or so far so good?
No, I haven't. But I will say I was in a 7-Eleven one day and I went to go get cash because actually I was buying a computer from some guy off of Craigslist or something.
You're just looking for trouble, Marcelle.
Anyway, so I was going in to get cash and the ATM machine was just in the process of rebooting. And I was so excited because I got to watch the whole startup process and see the Windows operating system launch in the background, which, that could be a whole other thing to talk about for sure. Like, why is it Windows? And then watching it launch into the scripts that start the actual ATM software. And I'm just standing there watching this in a 7-Eleven with people coming and going and nobody paid any attention at all. So that's kind of the thing, you know, with these ATMs, people just, you know, depending on where they're located, nobody's really monitoring what's going on when you're standing in front of them.
Right. And I suspect that that's, if you were looking to gather that intel, you could probably do that just by unplugging the box and plugging it back in. You could watch that whole boot routine.
Absolutely. Super easy to do.
So let's talk about some of the logical attacks, some of the malware-based attacks, rather than smashing and grabbing or skimmers or things like that. Take us through some of the research that you've found. What are people doing on that side of things?
There's a variety of different ATM malware.
At Looking Glass, we did a deep dive on some malware called Cutlet Maker. And this was a
report that went out to our customers earlier this year. And the blog kind of launched from that.
But Cutlet Maker, it's kind of an amusing piece of malware. And
I say that obviously with a caveat that malware is not really amusing, but the GUI interface for
this one, I think I have a picture in the blog and it's like a funny little chef saying,
ho, ho, ho, let's make some cutlets today. So it turns out that cutlets are just like we would think of, like a chicken cutlet is a dish or whatever.
And these are very popular in Russia.
But then after I researched sort of the background of the word, it also turns out that the word cutlet in Russian, which is like kuchuleta, I don't speak Russian, obviously, but it means like big wads of cash. So that explained kind of
what cutlets have to do with ATMs. So that was the connection that I saw. And because of that
Russian terminology, it kind of leads me to believe that this might've been built by somebody
who was a Russian speaker. So with the Cutlet Maker, you attach the malware or connect the malware through USB. So you basically access the USB port, which is pretty much on the front of the ATM underneath the panel.
Oh, is that right?
Yeah, it's not hard at all.
So there's no key, you have to unlock the panel, you can pry it off and there's your USB port.
Exactly. And even if there is a key, those keys are pretty generic. And if it fits into one ATM, it's going to fit into others.
And I mean, we can talk also about this more, but getting parts and things like that for different ATM machines is very easy. The stuff is for sale everywhere on the internet, or you can buy yourself your own ATM on eBay or wherever. There's ATMs, like, online stores. So it's not hard to, like, if you wanted to practice this at home or mess around with the different parts, that stuff is, it's available. So anyways, once you plug, basically, a USB hub into that port, and then to that you're going to attach a keyboard, because you need a keyboard for this, and then a thumb drive with the malware on it, and that's what starts the infection process.
So you launch the malware and it comes up with this GUI screen, and there's three pieces of separate malware or software that you need to use together. So there's the Cutlet Maker executable, but then there's something called CodeCalc, which is literally just a code generator. And then another program called Stimulator, which basically tells you what's in each of the cassettes in the ATM machine. So the cassette is where the cash sits.
So it'll tell you, you know, there's four cassettes
and each cassette has X amount of dollars in it.
Or the one we were looking at actually referenced rubles, not dollars.
So I guess it just depends on where you are, of course.
Right.
So once you launch the GUI interface and you enter the code
based on this code calculator, it's almost like a token kind of thing.
And then you check to see what's available through that stimulator program.
And then you hit a button that dispenses the cash.
So it's relatively simple.
And it happens fairly quickly, too.
So that particular malware was built for Wincor Nixdorf ATM machines. And this ATM malware is geared towards a specific manufacturer just because you have to know how it operates and just the cassette configuration and all that.
Now, have they patched that? Do the manufacturers keep up with these sorts of things?
In the research I did, it would appear the answer would be no.
And there's many reasons for that.
There's so many ATM machines, as we've already discussed.
I had a number somewhere that like 3 million ATM machines.
Yeah, I think that's right.
So there really isn't a lot of benefit for, say, a financial institution to update an ATM versus the cost involved with
doing so. They're not typically networked in a way that makes it easy to just push out a patch
or an update or something. Somebody's going to basically have to physically visit that ATM.
So just in terms of scaling that, if some tech has to go out to every single ATM, that's going to take a long time.
And it's not even just maybe doing a patch or an update.
A lot of these machines are running really, really old operating systems.
So you really would have to do a total revamp.
And then is the actual ATM software going to work?
Maybe, maybe not. So it's a pretty big undertaking to actually do those kind of, like, updates or patches, which is why the malware continues to be used, because nobody's really preventing it.
And so it's a numbers game for the banks where it's, I guess, the frequency of these machines being hit and being emptied out is low enough that it costs less to just let that happen rather than having to go out and update and patch millions of machines.
Exactly. And, you know, maybe we'll see that reverse if we are having more ATM attacks happening like here in the States.
But I don't know. You know, it's hard to predict which way that would go. But it is an interesting thing.
I read somewhere 95% of all the ATMs were running like Windows XP.
And this is as of, I think it was like 2014, 2015.
It's hard to find like super current stats on ATMs.
But most of the research I had come across was from a couple of years ago.
But yeah, Windows XP, as we know, is not supported at all and extremely vulnerable to all sorts of things. It's a big issue.
Yeah, it's an interesting situation. Like, my initial thoughts are, well, why would they be allowing this to happen? But I guess, as we said, if there's that many machines out there and they're not easy to update, I guess it's a matter of slowly over time, these machines being replaced. I mean, is there a push for newer machines, or are there newer machines out there that can be accessed remotely, that as the inventory of machines out there gets replaced?
I've not actually seen that yet because just the idea of networking an ATM like that also has its
own issues, right?
Because then you're looking at more network type attacks coming in.
Whereas now, because of how they're configured, you can't really access an ATM easily via the network.
So that's kind of like, you know, which is going to be the better option if you make them network so they're easily accessible for updates and stuff.
Are you just opening like a new vector infection?
People can come up with attacks to do things that way.
Right.
Now, is there any sense that the banks are worried about this? I mean, I can imagine, if I got my card skimmed at my local bank, that would certainly hurt what I thought of that organization. And, you know, are they out there trying to prevent that reputational damage?
I don't think that it's really viewed as a reputational issue, at least not here in the
States. And even if your credit card gets skimmed or whatever, like, I feel like it's such a common
thing these days that nobody, like, I don't know, it happens to me so many times. I'm kind
of immune to it now. I'm not immune, but inured to it, I guess is the word I'm looking for.
But even so, if my card gets hacked someplace, I'm not going to blame my bank. I'm going to blame
wherever it happened. And chances are, I might not even know where it happened. So it's just
more of a nuisance that you deal with and move on.
I mean, it's an interesting thing.
You're right that I think people tend not to blame the bank.
I find myself very often, you know, using analogies when it comes to a lot of this malware,
using analogies related to the medical system.
And I think even if I get a flu shot,
if I get the flu, I don't really blame my doctor.
We all just kind of say,
well, maybe I decreased the odds of myself getting the flu,
but if I get the flu, well, sometimes you get the flu.
And I feel like perhaps that's where we are
when it comes to these card breaches
or getting your credit card stolen.
We're all out there.
And if you're using it, there's odds that someone might get it sooner or later.
And that's just one of those annoyances of modern life, I suppose.
Yeah, absolutely.
The part that gives me pause as a consumer is that obviously there's a cost associated with all this loss. And the banking industry, it's not probably going to be absorbing that cost, right? It gets passed on to the consumer in terms of, like, increased fees and things like that. So ultimately it does kind of hit our bottom line. But it's like the cyber thing, and nobody's, like, really at fault, it feels like, except for some mystery hacker someplace that nobody actually knows who it is.
Yeah, I do find it a little frustrating when, for example, the gas stations don't have the chip and PIN technology yet.
So if there's someone that I interact with all the time, like I would love to use the payment system on my phone, something like Apple Pay, which has an encrypted token.
So that's more secure than swiping my card.
I would love the option to do that.
But you have gas stations, for example, here in the United States seem to be lagging behind.
They say, oh, it's coming, it's coming.
But in the meantime, it's not as safe as it could be, even with the technology that's available.
Yeah, I don't know. I feel like we're very backwards here in the States, and I don't know if it's just pushback because of the cost of having to retrofit or replace things. But if anybody's been to Europe in the past, like, few years, it's like they've been doing chip and PIN for a while. It's nothing new over there. In fact, if you turn up with a credit card that doesn't have a chip, then they're not always quite sure, like, what to do with it, I discovered.
Oh, interesting.
Yeah. So it is much more secure. And I mean, personally, I use the mobile payment app on my
phone wherever I can. And I always wish it was more available. Like you said, like at a gas
station would be awesome. But yeah, it's just not prevalent at all.
Do you have any general advice for folks,
both on the banking side of things
and the consumer side of things?
What are the ways,
I'm sure we all interact with these machines
fairly regularly.
Are there any of these general hygiene tips
that you have,
ways that we can reduce the chances
of us falling victim to these?
Well, yes. And more from the consumer side of things. And this is really just sort of ATM
safety in general, right? But if you're frequenting an ATM that's actually at a bank
or some financial institution, it's a well-lit ATM, it's got video cameras, all that good stuff,
it's less likely that that particular ATM is going
to have malicious activity going on. Actually, it's kind of funny. I was just thinking this
morning about downtown Annapolis. This is not there anymore. But years ago, there used to be an ATM
machine that was literally in the wall in an alleyway off of Main Street, if you're familiar
with downtown Annapolis, how that's set up. And so I don't know who thought to put an ATM machine in an alley, but that would be
a perfect place to do some malware. So yeah, it's just, you know, it's the same kind of tips
for any kind of ATM safety. And just the simple things like tugging on that skimmer to see if it
comes off.
And then just being vigilant about watching your card transactions.
A lot of people don't even pay attention, so they might not notice if there has been some malicious activity on their accounts.
Yeah. Covering yourself when you punch in your PIN so people can't look over your shoulder.
Yes, absolutely. And those are pretty standard things.
But yes, that would be my advice.
And I don't really have advice for banks
other than consider using not a Windows operating system
in your ATM machines.
Right, right.
Just a thought.
Our thanks to Marcelle Lee from LookingGlass Cyber Solutions for joining us.
The research we discussed today is titled "ATM Hacking: You Don't Have to Pay to Play."
It's on the LookingGlass website in the blog section.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.