Complex Made Simple

Fear for your fiat: ATM jackpotting not yet in UAE but it’s coming

Today, ATM attacks in the UAE, are rare and mostly unsophisticated. This is about to change. Should you fear for your cash?

In 2013, criminals penetrated internal systems at a bank in the UAE, coming away with $5 million.

Terminal-related fraud attacks in Europe rose from 13,511 to 18,217 incidents, mainly driven by ATM transaction reversal fraud.

Criminals have increasingly tuned their malware to manipulate even niche proprietary bank software to cash out ATMs.

No matter where you live, using an Automated Teller Machine (ATM) makes you a little nervous. Is someone going to attack you, or steal your PIN and wipe out your bank account?

You are right to worry on all fronts, and someone could pinch your money while you are sound asleep.

With ATMs, you are literally trusting a machine to safeguard your hard-earned cash, but it is just a computer, usually running Windows, bolted to a safe. Attackers can redirect a vulnerable ATM to a server they control, infect it with malware through an exposed port, or wire a special "black box" straight to the cash dispenser, and then order the machine to empty its cassettes. That is called jackpotting. Skimming account details, card numbers or PINs is a separate family of attacks; jackpotting takes the bank's cash, not the customer's data.

Is this happening in the United Arab Emirates (UAE)?

Several unsophisticated, sometimes comical, ATM thefts have been reported in the UAE.

A gang of four were once charged with stealing a cash machine after dragging the ATM from a supermarket entrance in Dubai and hauling it onto a waiting vehicle.

They came away with a total of 2,615 dirhams for their effort. The machine itself cost 28,000 dirhams.

In another incident, two men were arrested in Abu Dhabi after trying to steal cash from inside an ATM in Ghayathi industrial area.

More seriously, in 2017, Dubai Police arrested a man for allegedly stealing millions of dirhams from customer bank accounts using forged ATM cards.

So, should you be worried about ATM jackpotting, the class of so-called logical attacks, in the UAE?


The 2013 incident

In 2013, criminals penetrated internal systems at a bank in the UAE. The hackers raised the withdrawal limits on prepaid MasterCard debit accounts issued by the UAE's RAKBANK. Because the cards were prepaid, the thieves could take money without draining individual customers' bank accounts, which might have set off alarms more quickly. With just five account numbers in hand, the hackers distributed the data to accomplices in 20 countries, who encoded it onto magnetic-stripe cards. The cashing crews then made 4,500 ATM transactions worldwide, stealing $5 million.

No other major incident has been recorded since then, according to our research, but a new warning surfaced on August 18, 2020.

The Federal Bureau of Investigation (FBI) has warned global banks that cybercriminals are ready to begin a choreographed attack called an “ATM cash-out,” according to the ‘Krebs on Security’ website.

Criminals gain entry to bank networks using malware, harvest customer card data, and use it to withdraw funds from ATMs, the website reported.

ATM criminals honing their skills

A European Payment Terminal Crime Report covering 2019 reports that terminal fraud attacks were up 35%.

Terminal-related fraud attacks rose from 13,511 to 18,217 incidents, mainly driven by an 87% increase in ATM transaction reversal fraud attacks.

A total of 140 ATM malware and logical attacks were reported in the 'cash out' or 'jackpotting' categories. In 118 attacks the equipment typically referred to as a 'black box' was used (a device wired directly to the cash dispenser, bypassing the ATM's own computer), and malware was used in the other 22 attacks.

Jackpotting attacks keep getting more sophisticated. 

In the decade since the hacker Barnaby Jack famously made an ATM spit out cash onstage during the 2010 Black Hat security conference in Las Vegas, so-called jackpotting has become a popular criminal pastime, with heists netting tens of millions of dollars around the world.   

Criminals have increasingly tuned their malware to manipulate even niche proprietary bank software to cash out ATMs, while still incorporating the best of the classics—including uncovering new remote attacks to target specific ATMs.

ATM maker Diebold Nixdorf issued an alert about one such malware family, saying that an attacker in Europe was jackpotting its ATMs by targeting its proprietary software.

In actual criminal jackpotting, attackers can often simply use physical attacks or exploit an ATM's digital interfaces by opening the cabinet and inserting a malicious USB stick or SD card into an unsecured port.

Major ATM heists and attempts

Very recently, CISA, Treasury, the FBI and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an ATM cash-out scheme, referred to by the U.S. Government as "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks."

BeagleBoyz, part of the larger North Korean advanced persistent threat (APT) group tracked as Hidden Cobra, APT38 and Lazarus Group, has attempted to steal nearly $2 billion since at least 2015 in countries including Brazil, India, Japan, Mexico, Ghana, South Africa, Spain and others.

BeagleBoyz lure victims into downloading malware and then plant their "FASTCash" tool on the AIX servers that run a bank's payment switch. Once the malware is on those servers, it can "intercept financial request messages and reply with fraudulent, but legitimate-looking, affirmative response messages to enable extensive ATM cash outs," the alert says. In other words, the ATM is told the withdrawal was approved even though the core banking system never saw it.
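The two mechanisms described above, the 2013 cash-out (a handful of cards hit in many countries within hours) and the FASTCash interposition (approvals that never touch the ledger), both leave a trace a bank can look for. The following Python is an added example written for this article, not code from the CISA alert or from any bank or vendor: it models a toy ISO 8583-style authorization switch, an interposer that fabricates approvals for attacker-controlled cards, and two reconciliation checks over the resulting responses. Card numbers, balances and the `AuthRequest` / `CoreLedger` names are constructed for the example.

```python
"""Toy ATM authorization switch with a FASTCash-style interposer and two
reconciliation checks. Illustrative only; all data below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

APPROVED, INSUFFICIENT = "00", "51"   # ISO 8583 response codes


@dataclass
class AuthRequest:
    pan: str        # card number (constructed, not a real PAN)
    amount: int     # minor units, e.g. fils or cents
    country: str    # country of the acquiring ATM
    ts: int         # epoch seconds


@dataclass
class CoreLedger:
    balances: dict                       # pan -> balance
    debits: Counter = field(default_factory=Counter)  # (pan, amount, ts) -> count


def _resp(req, code):
    return {"pan": req.pan, "amount": req.amount, "country": req.country,
            "ts": req.ts, "code": code}


def honest_switch(req, ledger):
    """Normal path: the switch consults the core ledger before approving."""
    bal = ledger.balances.get(req.pan, 0)
    if bal < req.amount:
        return _resp(req, INSUFFICIENT)
    ledger.balances[req.pan] = bal - req.amount
    ledger.debits[(req.pan, req.amount, req.ts)] += 1
    return _resp(req, APPROVED)


def interposed_switch(req, ledger, attacker_pans):
    """FASTCash-style interposition: requests for attacker cards never reach
    the ledger; a fabricated approval goes straight back to the ATM."""
    if req.pan in attacker_pans:
        return _resp(req, APPROVED)
    return honest_switch(req, ledger)


def unreconciled_approvals(responses, ledger):
    """Check 1: approvals the core ledger never debited. Cash left an ATM
    but no account moved, which is exactly what a FASTCash cash-out leaves."""
    seen, flagged = Counter(), []
    for r in responses:
        if r["code"] != APPROVED:
            continue
        key = (r["pan"], r["amount"], r["ts"])
        seen[key] += 1
        if seen[key] > ledger.debits[key]:
            flagged.append(r)
    return flagged


def velocity_alerts(responses, max_countries=2, window=3600):
    """Check 2: one card approved in more than max_countries within window
    seconds. The 2013 crew used five accounts across 20 countries."""
    by_pan = defaultdict(list)
    for r in responses:
        if r["code"] == APPROVED:
            by_pan[r["pan"]].append((r["ts"], r["country"]))
    alerts = {}
    for pan, events in by_pan.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) > max_countries:
                alerts[pan] = len(countries)
                break
    return alerts


def run_scenario():
    """Constructed scenario: one honest customer, one attacker-controlled card."""
    ledger = CoreLedger(balances={"4000000000000001": 50_000,
                                  "4000000000000002": 50_000})
    attacker = {"4000000000000002"}   # card whose requests the implant answers
    requests = [
        AuthRequest("4000000000000001", 20_000, "AE", 1000),  # honest, approved
        AuthRequest("4000000000000001", 40_000, "AE", 1100),  # honest, declined
        AuthRequest("4000000000000002", 90_000, "JP", 2000),  # cash-out crew
        AuthRequest("4000000000000002", 90_000, "BR", 2300),
        AuthRequest("4000000000000002", 90_000, "ES", 2600),
        AuthRequest("4000000000000002", 90_000, "ZA", 2900),
    ]
    responses = [interposed_switch(r, ledger, attacker) for r in requests]
    return {
        "codes": [r["code"] for r in responses],
        "unreconciled": len(unreconciled_approvals(responses, ledger)),
        "velocity": velocity_alerts(responses),
        "attacker_balance": ledger.balances["4000000000000002"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The attacker's card is approved four times for more than its balance while its ledger balance never changes; the first check flags all four approvals, and the second flags the card for four countries inside one hour. In a real switch the reconciliation would run between the switch's authorization log and the core banking journal, and the velocity threshold would be tuned per product, but the shape of both checks is the same.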

In one 2016 incident, the group attempted to steal $1 billion from Bangladesh Bank, the country's central bank, through fraudulent SWIFT transfers rather than ATMs. They were stopped but still made off with $81 million.

A brazen $3 million heist from the ATMs of Bangladesh’s Dutch-Bangla Bank has been traced to Russian-speaking cybergang Silence, a sure sign that the criminal network is branching out from its home country.

The gang gained access to the bank's infrastructure through a phishing e-mail, then reached the ATM network through a remote proxy server.

Antwerp-based savings bank Argenta has also fallen victim to what is believed to be Belgium's first jackpotting attack.


Can anything be done? 

Mike Weber of Coalfire Labs says some of the company’s recommendations are best practices that aren’t necessarily tailored to thwarting attacks that bypass an ATM’s computer.

Although encrypting the hard drive is a best practice, “if an attacker were to gain access to these Windows 7 or Windows 10-based systems, there are hardware attacks that can be carried out through Direct Memory Access enabled ports that would still allow an attacker to defeat the encryption.”  

But Weber says using the most secure configuration of encrypted communications, including physical authentication, is an appropriate move. “Device authentication should be mandatory in a high-security environment,” he says.

Diebold Nixdorf issued warnings to ATM owners on how to protect their machines following a jackpotting alert issued by the Secret Service in 2018.