This weekend, reports on “jackpotting” automatic teller machines (ATMs) in the U.S. appeared after the Secret Service, historically tasked with countering financial fraud, issued warnings based on some initial reporting. Such attacks require the attackers to gain physical access to the ATM, avoid security cameras, and use specialized hardware and software to trick the system into dispensing cash illegitimately.
These attacks are certainly alarming, especially in light of the fact that jackpotting has not seemed to affect ATMs in the U.S. in the past. A good question to ask is “what indicators told us this was coming?” Intelligence analysis holds great promise in answering such questions.

Many think that good intelligence involves finding a smoking gun. Sometimes this happens. At CYR3CON we have previously identified very specific and leading intelligence for many attacks throughout 2017 (e.g. see this Slate article relating to our findings on WannaCry). But sometimes the indicators are more subtle, as we discussed in the case of third-party risk earlier this month. The key is finding the trail of breadcrumbs, determining where they are leading, and then asking what actions we need to take. The following shows a series of discussions identified on the deep web / dark web, and we note why they are of potential relevance to the recent attacks.

Spread from neighboring regions. A variant of the 2013 Ploutus.D malware is thought to be responsible for the recent ATM jackpotting attacks in the U.S. Interestingly enough, this same malware became widespread in Latin America throughout 2017. The infections were first identified in January of 2017, leading to Spanish-language hacker conversations noted by CYR3CON throughout the following month. As the new variant of this malware spread to Mexico, the volume of conversations spiked again in the fall.

Relevance: Jackpotting attacks often use specialized hardware. Hence, for this type of attack, geography may carry more significance, since the physical devices required can more easily be transported across land borders.

New skimmer for NCR and Diebold ATMs. In November through December of 2017, we also saw a new skimmer made available for NCR and Diebold ATMs. This particular skimmer kit included a “Camkit”, likely tools to help attackers avoid detection during installation (as skimmers, like jackpotting, require an individual to actually visit the ATM). It is interesting to note that as the discussions of these particular skimmers wore on, parallel discussions of hackers purchasing such kits only to reverse engineer them and sell knock-offs also started to appear.

Relevance: While skimming is not the same as jackpotting, both affect the same systems, meaning that the available Camkits can be used for either. Further, the “success” of the skimmer discussed in late 2017 (in terms of hackers creating “knock-off” skimmer products) shows that the community was actively exploring possibilities for these platforms, which included the Diebold Opteva, a model specifically discussed for skimmers and later one of the targets for jackpotting.

Jackpotting Guide. Also in December 2017, a wide-ranging “handbook” on various criminal activities was released. The author stated it was a compilation of various manuals and tutorials he had collected over a period of time. Such guidebooks are periodically released by hackers and criminals as currency, a way to establish credibility within the shadowy communities of the dark web, often to encourage trust in later financial transactions. But this one set itself apart in that it included a specific chapter on jackpotting.

Relevance: While hacker/criminal guidebooks come and go, they often become widely disseminated within underground communities. A guidebook featuring a chapter on jackpotting is somewhat less common, and may provide fodder for ideas within the community.

Consider the full picture. When considered individually, none of the aforementioned incidents directly points to jackpotting attacks in the U.S. However, when each is considered in context, a picture pointing to the threat begins to emerge. Using intelligence for risk mitigation is not always about finding the ‘smoking gun’; sometimes it is about understanding trends to predict how a threat can evolve.

Paulo Shakarian is CEO of CYR3CON, a cybersecurity company that specializes in identifying cyber-threats in their earliest stages, leveraging both human analysts and advanced machine learning capabilities. In 2017, CYR3CON was named a finalist in PwC’s Cybersecurity Day, the Arizona Technology Council’s “Startup of the Year”, and MD5 Starts Austin, in addition to winning a Defense Innovation Challenge award.