The Ripper Malware Jackpotting an ATM Near You
September 30, 2016
There is a term, or two, for the type of attack that the malware Ripper performs. It’s called “jackpotting” or a “cash out” attack. This happens when malware is planted in an ATM and allows thieves to send it commands to, well, dispense cash. It happened in Taiwan not long ago and recently, it also happened in Thailand. Three groups of men throughout six Thai provinces managed to steal roughly the equivalent of $350,000 from 21 ATMs. While “pocket change” compared to the $2.2 million in the Taiwanese machines, it demonstrates a continuing and disturbing trend.
According to experts, one reason this works is that many ATMs are still running on embedded versions of Windows XP, which is no longer supported by Microsoft. ATMs are computers and therefore are susceptible to the same types of attacks that can hit any organization’s network. Unfortunately, it is not known how this malware made its way onto the ATMs. However, the cash is dispensed after a payment card is inserted into the card slot and authenticates with the malware that was previously installed.
The best defense for those in charge of ATM security, is upgrade any of these outdated machines with newer technology that has fewer vulnerabilities and that run on products that are still supported by manufacturers. It’s also important to keep all systems updated with security and critical patches when they are made available. This doesn’t apply only to the desktops and laptops, but also applies to those ATMs.
Yes, it might be expensive and time consuming to do this, but with millions of dollars in cash at stake, it’s worth it. Criminals know what an effort this is, which is why they are having success.
Ripper involves taking advantage of the common APIs that many of the ATMs use to communicate with the hardware. Ripper is sophisticated enough to use the public specifications that are used on many brands. Although this particular attack happened on NCR machines, researchers found that it is also effective on machines by two other vendors. However, the researchers (from FireEye and NCR) have not identified the others. So to be on the safe side, regardless of the brand at your institution(s), it’s a great idea to get it up-to-date.
© Copyright 2016 Stickley on Security



