Posts Tagged: Diebold Opteva


27
Jan 18

First ‘Jackpotting’ Attacks Hit U.S. ATMs

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Dielbold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF). Continue reading →


11
Aug 15

Chip Card ATM ‘Shimmer’ Found in Mexico

Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.

The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.

This card 'shimming' device is made to read chip-enabled cards and can be inserted directly into the ATM's card acceptance slot.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The chip reading component includes the eight gold rectangular leads seen on the right side of this device; the electronics that power the data storage on the shimmer can be seen in black at the top of the image.

According to information from Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). The device is inserted from the outside of the ATM and no access is required to the ATM internals. Damage Control, which disseminated the information via a service called CrimeDex, didn’t say whether this shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay.

Here’s a look at what this thing looks like while it’s sitting inside a compromised ATM’s reader (notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader): Continue reading →


18
Dec 12

Point-of-Sale Skimmers: No Charge…Yet

If you hand your credit or debit card to a merchant who is using a wireless point-of-sale (POS) device, you may want to later verify that the charge actually went through. A top vendor of POS skimmers ships devices that will print out “transaction approved” receipts, even though the machine is offline and is merely recording the customer’s card data and PIN for future fraudulent use.

This skimmer seller is a major vendor on one of the Underweb’s most active fraud forums. Being a “verified” vendor on this fraud forum — which comes with the stamp of approval from the forum administrators, thus, enhancing the seller’s reputation — costs $5,000 annually. But this seller can make back his investment with just two sales, and judging from the volume of communications he receives from forum members, business is brisk.

This miscreant sells two classes of pre-hacked wireless Verifone POS devices: The Verifone vx670, which he sells for $2,900 plus shipping, and a Verifone vx510, which can be had for $2,500. Below is a video he posted to youtube.com showing a hacked version of the vx510 printing out a fake transaction approval receipt.

From the seller’s pitch: “POS is ‘fake’ and stores D+P [card data and PIN], prints out approved receipt or can be setup for connection error. Software to decrypt the data is provided. It keeps d+p inside memory for manual retrieval via USB cable.”

These types of hacked POS systems, known as “offline POS skimmers” in the Underweb, are marketed for suggested use by miscreants employed in seasonal or temporary work, such as in restaurants, bars or retail establishments.

Continue reading →