Many dream of winning a lottery jackpot: easy money raining from the sky. However, some do not believe in luck and have thought of getting it a different way.
They are cybercriminals or, rather, slightly more ingenious thieves than usual, who get ATMs to start spitting out money. The scam is called jackpotting.
In November 2017, a bank employee in Freiburg, Germany, witnessed a surreal scene. As he approached his office's ATM, it began to dispense all the cash it contained. At the same time, an animation of a chef cooking escalopes appeared on the screen.
The curious episode was due to malware that produces the jackpotting effect. The program's original English name is Cutlet Maker, which is also a Russian pun: the word refers not only to breaded meat but also to a wad of banknotes. The malware must be inserted directly into the ATM's hardware via a USB port located below the machine's panel. In this way, it is possible to withdraw all the cash it holds without the use of cards or other specific instruments.
What is jackpotting?
The name jackpotting dates back to 2010, when the first prototype malware of its kind was born. New Zealand hacker Barnaby Jack presented it during a hands-on demonstration on stage at the annual Black Hat cybersecurity conference. The audience rose to applaud when they saw the ATM literally start to spit out money while the image of a jackpot appeared on the screen.
Since then, the malware has evolved considerably, while Barnaby Jack died in strange circumstances. But that is another story. Lately, jackpotting is back in the news because, according to an investigation conducted by the magazine ‘Motherboard’ and the German broadcaster ‘Bayerischer Rundfunk’, the scam continues to claim victims. In particular, criminals reportedly managed to pocket one million euros in Germany in 2017. The Berlin authorities speak of 36 cases recorded in the city since the spring of 2018.
One of the most affected banks in Germany is reportedly Spain’s Santander and, in particular, the Wincor 2000xe ATM model, produced by Diebold Nixdorf. But it should be noted that these are not the only ATMs that the program can compromise. As a representative of ATMIA (ATM Industry Association) told ‘Vice’ magazine: “Globally, in 2019, our research indicates an increase in jackpotting attacks.”
Cutlet Maker is not very complex software, and it is available on the Tor network for about a thousand dollars. However, this technique has become quite obsolete and only works with old machines. This is why today the attacks are far more common in Latin America, Southeast Asia and the United States. ATMs in these countries rely on older technologies and are easier to hack. Basically, they are old computers running Windows.
ATMs are safer in Europe
While the use of this malware is still widespread in other parts of the world, Europe's better banking security standards have paid off. To be effective, jackpotting malware must be physically inserted into the hardware, a complicated operation given today's armored enclosures, and one that almost always requires an accomplice inside the branch. Most banks in Europe have already taken precautions, both through the use of physically protected ATMs and through cybersecurity software capable of detecting the presence of the malicious program.
Although it has not completely disappeared, this kind of attack is already quite rare in Europe compared to other parts of the world. According to EAST (European Association for Secure Transactions), in the first six months of 2019 there were only 35 successful attacks carried out through jackpotting or malware techniques. And from these, criminals took a pittance of 1,000 euros in total. In short, the association says, for the second year in a row this technique has substantially failed in Europe.
But no one is sitting idle. Although jackpotting is still circulating, criminals who want to empty ATMs are changing their techniques. For many years the main culprit, both by number of attacks and by the amount of money stolen, was the infamous skimmer, a device capable of reading and, in some cases, storing the magnetic stripe data of credit cards. However, the most popular technique today is Transaction Reversal Fraud (TRF).
Other techniques for stealing money from ATMs
TRF exploits bugs in ATM systems and is much more effective than malware, as there is no need for sophisticated tools to force the machine. The technique is to withdraw money with a legitimately registered card. Once the machine returns the card, and while the banknotes are waiting to be issued, the offender forcibly holds the card in the slot so that the operation is cancelled. In this way, the money is returned to the owner’s account. At the same time, with any instrument, such as a spatula or a screwdriver, the thief can force the window from which the banknotes are issued.
The money, in fact, is still in that compartment, as it was about to be issued before the transaction was cancelled. The criminal therefore manages to take the banknotes by force, even though that sum has been credited back to his account. Attacks of this type are becoming more frequent and are replacing malware, as they are much easier to carry out.
These two techniques, skimming and TRF, cost European banks between 250 and 350 million euros each year. And for thieves they have the advantage of leaving no traces, so they can be carried out many times. EAST warns that TRF attacks have become the predominant form of fraud at European ATMs, with more than 5,000 cases in the first half of 2019, compared to just under 2,000 in the previous year, and account for 45% of all attacks committed.