So-called jackpotting attacks have gotten increasingly sophisticated—while cash machines have stayed pretty much the same.
At last week's Black Hat and Defcon security conferences, researchers dug through recent evolutions in ATM hacking. Criminals have increasingly tuned their malware to manipulate even niche proprietary bank software to cash out ATMs, while still incorporating the best of the classics—including uncovering new remote attacks to target specific ATMs.
During Black Hat, Kevin Perlow, the technical threat intelligence team lead at a large, private financial institution, analyzed two cash-out tactics that represent different current approaches to jackpotting. One looked at the ATM malware known as INJX_Pure, first seen in spring 2019. INJX_Pure manipulates both the eXtensions for Financial Services (XFS) interface—which supports basic features on an ATM, like running and coordinating the PIN pad, card reader, and cash dispenser—and a bank's proprietary software together to cause jackpotting.
The original malware samples were uploaded to scanners from Mexico and then later from Colombia, but little is known about the actors using INJX_Pure. The malware is significant, though, because it is tailored to the ATMs of a specific bank, likely in a specific region, indicating that it can be worth it to develop even limited-use or targeted jackpotting malware rather than focusing only on tools that will work around the world.