Malware Intelligence
mins read

The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques

The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques

September 23, 2021
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

ATM hacking, often known as ATM jackpotting, is the illegal withdrawal of cash from automated teller machines by exploiting their physical or technical vulnerabilities. Given how ubiquitous ATMs are, exploiting them is an attractive scheme for criminals across the world. 

 

Even before the technological advances of the past decade, criminals have been pilfering ATMs using crafty physical methods such as forking, ATM lock picking, stealing entire ATM machines, etc. However, easy access to technology in recent years have allowed criminals to employ tools such as jackpotting, malware, exploits, etc., to achieve their goals. 

 

In this article, we delve into the specifics of the numerous physical and electronic attack vectors used by ATM hackers, highlighting the 2021 Rajasthan ATM hack as an example of the continued proliferation of novel ATM hacking tools and techniques. 

 

The Machinery

A typical ATM is composed of two primary components: a cabinet and a safe. The cabinet is the main body of the ATM which contains its main computer. This computer is connected to all the other devices of the ATM, such as network equipment, card readers, keyboards (PIN pads), and cash dispensers. With merely a plastic door secured by a flimsy lock, the cabinet is practically unprotected. 

 

Furthermore, most ATM manufacturers utilize the same lock for all ATMs of a particular series, and these keys are readily available on the internet, but attackers can also pick them or drill through the weak plastic. Considering that these plastic cabinets house the cash dispenser and the cash acceptor modules,  if they are instead made of steel and concrete, they would be more durable.

 

The Software

Majority of ATMs in the world now run on Microsoft Windows, primarily Windows XP Professional or Windows XP Embedded. Earlier in 2014, 95% of ATMs were still running on Windows XP. According to Wikipedia, a small number of deployments may still be running older versions of the Windows OS, such as Windows NT, Windows CE, or Windows 2000, even though Microsoft currently supports only Windows 8 and Windows 10.

 

To execute properly, the software must communicate with ATM peripherals such as the card reader, the keyboard, and the cash dispenser. XFS (extensions for financial services), a standard for simplifying and centralizing equipment control, facilitates this communication. XFS is implemented differently by every ATM vendor.

 

Physical Methods for ATM Jackpotting

Since most ATM thieves are not particularly tech savvy, they resort to tried-and-tested physical jackpotting methods. To make a quick heist, they primarily use conventional ATM jackpotting techniques, such as shoulder surfing card PINs, brute forcing into the ATM safe, and so on. Some of the common methods include: 

 

  • Skimming: In this method, the magnetic reader fitted into an ATM machine is replaced with a fake one that reads and stores all the information on the magnetic strip of any card that is inserted in the ATM. A normal consumer will have a difficult time detecting this scam because there are dozens of valid swiping devices on the market, making it nearly impossible to tell the difference between a genuine and a fake one. Criminals also install hidden cameras in the ATM booth to capture corresponding ATM PINs. The information obtained this way is later used to create illegal duplicates of ATM cards and defraud card holders. 

 

  • Fake Keyboards: Hackers replace ATM keyboards with fake ones that capture users’ PINs. This technique is also known as a ‘pin-pad overlay’ and is a common attack vector.

 

  • Hidden cameras: Another common and popular trick used by ATM attackers over the past few decades involves fitting small, hidden spy cameras onto an ATM, strategically placed near the keyboards so as to record customers’ ATM PINs. 

 

  • Forking: Here, the attacker inserts their card and initiates a small amount of cash withdrawal. As the cash is being withdrawn, they insert a fork-like tool into the cash dispenser, causing the ATM software to lock up and reset. They then manually pull out cash from the safe via the dispenser passage. The internal trigger of the ATM is confused by this action and loses track of how much money is dispensed, allowing repeated withdrawals.

 

  • Brute Force: Criminals may also simply break into an ATM safe by damaging the cabinet and taking out the desired amount of money.

 

Technical Methods for ATM Jackpotting

Lately, ATM thieves have also begun to employ technology to circumvent ATM security systems. Since they lack the technological training and financial resources required to evade ATM security, they turn to threat actors that sell the finished products required to accomplish this. On cybercrime forums and underground markets, there is a burgeoning ecosystem of actors selling numerous software along with detailed video tutorials on how the software can be leveraged to hack an ATM. 

The most common of these methods are:

 

  • ATM Malware Cards: ATM malware cards sold on the dark web come with the PIN descriptor, trigger card, and instruction guide. Once the ATM malware card is installed in the ATM, it captures card details of customers who subsequently use the ATM. The trigger card is then used to dispense cash from ATMs.


  • USB ATM Malware: Another prevalent method to fraudulently dispense cash from ATM Machines is by infecting them with a malware-hosted USB drive. This method also targets machines that run on Windows XP. The Tyupkin Trojanattack is such an instance.

 

  • Remote ATM Attacks: The hacker disconnects the ATM from the bank’s network and connects it to a special appliance that transfers the data to their own server. ATM networks are usually improperly segmented (separated for security), and a hacker may use such a device to infiltrate multiple ATMs at once, even though the malicious device is only attached to one of them. 

 

The communication between the ATM and the processing servers is either unencrypted or has a low level of encryption. The attacker installs a counterfeit processing centre on the server and delivers fake processor-server responses to the machines, resulting in a cash jackpot.

 

  • The Black Box Attack: The attacker sets the ATM to Maintenance mode and connects a device called a black box (a microcomputer like the Raspberry PI) to control the cash trays. While the attacker is tampering with the ATM, the screen shows a service message like “Maintenance in Progress” or “Out of Service,” although in reality the ATM can still draw cash. This technique was recently employed by a couple of women in Rajasthan to exfiltrate INR 3.2 million from several cities. Here are details of the incident.

 

Investigation of the Rajasthan ATM Hack 2021

 

Timeline of the Incident
Timeline of the Incident

 

On 26 July 2021, the Indian SOG (Special Operations Group) arrested two foreign nationals for illegally withdrawing INR 3.2 million from different ATMs in Rajasthan. The two women who were arrested are residents of Uganda and Zambia. The duo used a device known as Raspberry Pi to hack into the ATM server and siphon off money illicitly from six ATMs in Jaipur, across the areas of Mahesh Nagar, Gopalpura, Nehru Place, and Sanganer, from 16—18 July 2021. 

 

Prior to this incident, the duo had unsuccessfully attempted to tamper with a Bank of Baroda ATM at Keshavpura. This incident was brought to light by the Manager of Bank of Baroda, Mahesh Nagar, when he lodged an FIR regarding the ATM hack on 16 July.

 

About the Hackers

The two women involved in this crime have been identified as Laura Keith and Nan Tongo Alexander, residents of Zambia and Uganda respectively. Both of them have completed their education up to the 11th standard and were residing in an apartment in Delhi. This was their third visit to India and they stayed at the Polo Victory Palace Hotel in Jaipur during the time of the incident. They appear to have been amidst the process of setting up a cybercriminal network in India.  

 

Laura Keith and Nan Tongo Alexander
Laura Keith and Nan Tongo Alexander

 

The Attack 

The duo started their quest on 14 July, by visiting various ATMs in Jaipur. They selected their targets based on:

  • The positioning of the ATM: To ensure they were not accosted or caught while hacking the ATM.
  • The amount of money stored: To make sure the ATMs had been replenished.
  • The technology used: Since their code was only effective on ATMs using older manual settings. 

Their reconnaissance helped them figure out which ATMs could be targeted. The hackers were not only meticulous about their target selection but also about their appearance. They changed their disguises after every hack, making it difficult to identify them in CCTV footage.

 

After hacking 6 ATMs in Jaipur, the duo moved to Udaipur and repeated the same process. 

 

The Attack Vector 

This hack was an intelligent execution of a Man in the Middle (MITM) attack where the hackers used a device named Raspberry Pi to gain control over the ATM’s server. A man-in-the-middle attack occurs when an attacker positions themselves in the middle of a user and a service provider, while discreetly monitoring or even altering the interaction between them.

 

Raspberry Pi
Raspberry Pi

 

 

Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. It’s an affordable computer of the size of a credit card, developed primarily for educational purposes, to facilitate coding among students and in developing countries.

 

It can also be used with a television or a computer display and can perform all of the functions of a desktop computer. It uses a regular keyboard and mouse and is currently being utilized in a wide range of fields, including robotics.

 

In this incident, the felons purchased this device for INR 7,000 from Amazon and modified it into a server. They then visited various ATMs, plugged in the device and replaced the bank’s server port with their own custom server, and connected it to the ATM via Wi-Fi. As a result, the ATM was completely disconnected from the bank’s main server, allowing them to withdraw money without notifying the bank. 

 

However, due to a technical glitch, only ATMs working on the old manual system settings could be exploited by this device and this limited the hackers’ potential targets. 

 

Mitigation Measures

As mentioned, this hack was possible only on ATMs using old manual system settings thereby highlighting the importance of patching and updating the software regularly. 

 

We strongly recommend that banks:

  • Use up-to-date versions of Operating Systems and other software.
  • Audit and update the ATM’s security settings on a regular basis.
  • Make sure to use the most up-to-date ATM security features.
  • Install high-security locks, alarms, cameras, anti-fraud devices, etc., for increased security.

 

Conclusion

ATM hacking has progressed significantly over time. ATM thieves are no longer merely stealing cash from ATMs; they are now trading ATM details and ATM card information for money, or for various hacking tools such as malwares, databases, accesses, etc. The following are advertisements for ATM-related malware and exploits that have been posted by various threat actors across multiple forums.

 

A threat actor looking for collaboration in a phishing campaign targeting Europe mainly Ireland ATM
A threat actor looking for collaboration in a phishing campaign targeting Europe mainly Ireland ATM

 

A threat actor selling an ATM malware that targets NCR and Diebold Nixdorf machines
A threat actor selling an ATM malware that targets NCR and Diebold Nixdorf machines

 

A threat actor is looking to buy POC for ATM malware for a budget of USD 2000
A threat actor is looking to buy POC for ATM malware for a budget of USD 2000

 

References

 

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Blog Image
Adversary Intelligence

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
Malware
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Malware Intelligence

min read

The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques

The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques

Authors
Co-Authors
No items found.

ATM hacking, often known as ATM jackpotting, is the illegal withdrawal of cash from automated teller machines by exploiting their physical or technical vulnerabilities. Given how ubiquitous ATMs are, exploiting them is an attractive scheme for criminals across the world. 

 

Even before the technological advances of the past decade, criminals have been pilfering ATMs using crafty physical methods such as forking, ATM lock picking, stealing entire ATM machines, etc. However, easy access to technology in recent years have allowed criminals to employ tools such as jackpotting, malware, exploits, etc., to achieve their goals. 

 

In this article, we delve into the specifics of the numerous physical and electronic attack vectors used by ATM hackers, highlighting the 2021 Rajasthan ATM hack as an example of the continued proliferation of novel ATM hacking tools and techniques. 

 

The Machinery

A typical ATM is composed of two primary components: a cabinet and a safe. The cabinet is the main body of the ATM which contains its main computer. This computer is connected to all the other devices of the ATM, such as network equipment, card readers, keyboards (PIN pads), and cash dispensers. With merely a plastic door secured by a flimsy lock, the cabinet is practically unprotected. 

 

Furthermore, most ATM manufacturers utilize the same lock for all ATMs of a particular series, and these keys are readily available on the internet, but attackers can also pick them or drill through the weak plastic. Considering that these plastic cabinets house the cash dispenser and the cash acceptor modules,  if they are instead made of steel and concrete, they would be more durable.

 

The Software

Majority of ATMs in the world now run on Microsoft Windows, primarily Windows XP Professional or Windows XP Embedded. Earlier in 2014, 95% of ATMs were still running on Windows XP. According to Wikipedia, a small number of deployments may still be running older versions of the Windows OS, such as Windows NT, Windows CE, or Windows 2000, even though Microsoft currently supports only Windows 8 and Windows 10.

 

To execute properly, the software must communicate with ATM peripherals such as the card reader, the keyboard, and the cash dispenser. XFS (extensions for financial services), a standard for simplifying and centralizing equipment control, facilitates this communication. XFS is implemented differently by every ATM vendor.

 

Physical Methods for ATM Jackpotting

Since most ATM thieves are not particularly tech savvy, they resort to tried-and-tested physical jackpotting methods. To make a quick heist, they primarily use conventional ATM jackpotting techniques, such as shoulder surfing card PINs, brute forcing into the ATM safe, and so on. Some of the common methods include: 

 

  • Skimming: In this method, the magnetic reader fitted into an ATM machine is replaced with a fake one that reads and stores all the information on the magnetic strip of any card that is inserted in the ATM. A normal consumer will have a difficult time detecting this scam because there are dozens of valid swiping devices on the market, making it nearly impossible to tell the difference between a genuine and a fake one. Criminals also install hidden cameras in the ATM booth to capture corresponding ATM PINs. The information obtained this way is later used to create illegal duplicates of ATM cards and defraud card holders. 

 

  • Fake Keyboards: Hackers replace ATM keyboards with fake ones that capture users’ PINs. This technique is also known as a ‘pin-pad overlay’ and is a common attack vector.

 

  • Hidden cameras: Another common and popular trick used by ATM attackers over the past few decades involves fitting small, hidden spy cameras onto an ATM, strategically placed near the keyboards so as to record customers’ ATM PINs. 

 

  • Forking: Here, the attacker inserts their card and initiates a small amount of cash withdrawal. As the cash is being withdrawn, they insert a fork-like tool into the cash dispenser, causing the ATM software to lock up and reset. They then manually pull out cash from the safe via the dispenser passage. The internal trigger of the ATM is confused by this action and loses track of how much money is dispensed, allowing repeated withdrawals.

 

  • Brute Force: Criminals may also simply break into an ATM safe by damaging the cabinet and taking out the desired amount of money.

 

Technical Methods for ATM Jackpotting

Lately, ATM thieves have also begun to employ technology to circumvent ATM security systems. Since they lack the technological training and financial resources required to evade ATM security, they turn to threat actors that sell the finished products required to accomplish this. On cybercrime forums and underground markets, there is a burgeoning ecosystem of actors selling numerous software along with detailed video tutorials on how the software can be leveraged to hack an ATM. 

The most common of these methods are:

 

  • ATM Malware Cards: ATM malware cards sold on the dark web come with the PIN descriptor, trigger card, and instruction guide. Once the ATM malware card is installed in the ATM, it captures card details of customers who subsequently use the ATM. The trigger card is then used to dispense cash from ATMs.


  • USB ATM Malware: Another prevalent method to fraudulently dispense cash from ATM Machines is by infecting them with a malware-hosted USB drive. This method also targets machines that run on Windows XP. The Tyupkin Trojanattack is such an instance.

 

  • Remote ATM Attacks: The hacker disconnects the ATM from the bank’s network and connects it to a special appliance that transfers the data to their own server. ATM networks are usually improperly segmented (separated for security), and a hacker may use such a device to infiltrate multiple ATMs at once, even though the malicious device is only attached to one of them. 

 

The communication between the ATM and the processing servers is either unencrypted or has a low level of encryption. The attacker installs a counterfeit processing centre on the server and delivers fake processor-server responses to the machines, resulting in a cash jackpot.

 

  • The Black Box Attack: The attacker sets the ATM to Maintenance mode and connects a device called a black box (a microcomputer like the Raspberry PI) to control the cash trays. While the attacker is tampering with the ATM, the screen shows a service message like “Maintenance in Progress” or “Out of Service,” although in reality the ATM can still draw cash. This technique was recently employed by a couple of women in Rajasthan to exfiltrate INR 3.2 million from several cities. Here are details of the incident.

 

Investigation of the Rajasthan ATM Hack 2021

 

Timeline of the Incident
Timeline of the Incident

 

On 26 July 2021, the Indian SOG (Special Operations Group) arrested two foreign nationals for illegally withdrawing INR 3.2 million from different ATMs in Rajasthan. The two women who were arrested are residents of Uganda and Zambia. The duo used a device known as Raspberry Pi to hack into the ATM server and siphon off money illicitly from six ATMs in Jaipur, across the areas of Mahesh Nagar, Gopalpura, Nehru Place, and Sanganer, from 16—18 July 2021. 

 

Prior to this incident, the duo had unsuccessfully attempted to tamper with a Bank of Baroda ATM at Keshavpura. This incident was brought to light by the Manager of Bank of Baroda, Mahesh Nagar, when he lodged an FIR regarding the ATM hack on 16 July.

 

About the Hackers

The two women involved in this crime have been identified as Laura Keith and Nan Tongo Alexander, residents of Zambia and Uganda respectively. Both of them have completed their education up to the 11th standard and were residing in an apartment in Delhi. This was their third visit to India and they stayed at the Polo Victory Palace Hotel in Jaipur during the time of the incident. They appear to have been amidst the process of setting up a cybercriminal network in India.  

 

Laura Keith and Nan Tongo Alexander
Laura Keith and Nan Tongo Alexander

 

The Attack 

The duo started their quest on 14 July, by visiting various ATMs in Jaipur. They selected their targets based on:

  • The positioning of the ATM: To ensure they were not accosted or caught while hacking the ATM.
  • The amount of money stored: To make sure the ATMs had been replenished.
  • The technology used: Since their code was only effective on ATMs using older manual settings. 

Their reconnaissance helped them figure out which ATMs could be targeted. The hackers were not only meticulous about their target selection but also about their appearance. They changed their disguises after every hack, making it difficult to identify them in CCTV footage.

 

After hacking 6 ATMs in Jaipur, the duo moved to Udaipur and repeated the same process. 

 

The Attack Vector 

This hack was an intelligent execution of a Man in the Middle (MITM) attack where the hackers used a device named Raspberry Pi to gain control over the ATM’s server. A man-in-the-middle attack occurs when an attacker positions themselves in the middle of a user and a service provider, while discreetly monitoring or even altering the interaction between them.

 

Raspberry Pi
Raspberry Pi

 

 

Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. It’s an affordable computer of the size of a credit card, developed primarily for educational purposes, to facilitate coding among students and in developing countries.

 

It can also be used with a television or a computer display and can perform all of the functions of a desktop computer. It uses a regular keyboard and mouse and is currently being utilized in a wide range of fields, including robotics.

 

In this incident, the felons purchased this device for INR 7,000 from Amazon and modified it into a server. They then visited various ATMs, plugged in the device and replaced the bank’s server port with their own custom server, and connected it to the ATM via Wi-Fi. As a result, the ATM was completely disconnected from the bank’s main server, allowing them to withdraw money without notifying the bank. 

 

However, due to a technical glitch, only ATMs working on the old manual system settings could be exploited by this device and this limited the hackers’ potential targets. 

 

Mitigation Measures

As mentioned, this hack was possible only on ATMs using old manual system settings thereby highlighting the importance of patching and updating the software regularly. 

 

We strongly recommend that banks:

  • Use up-to-date versions of Operating Systems and other software.
  • Audit and update the ATM’s security settings on a regular basis.
  • Make sure to use the most up-to-date ATM security features.
  • Install high-security locks, alarms, cameras, anti-fraud devices, etc., for increased security.

 

Conclusion

ATM hacking has progressed significantly over time. ATM thieves are no longer merely stealing cash from ATMs; they are now trading ATM details and ATM card information for money, or for various hacking tools such as malwares, databases, accesses, etc. The following are advertisements for ATM-related malware and exploits that have been posted by various threat actors across multiple forums.

 

A threat actor looking for collaboration in a phishing campaign targeting Europe mainly Ireland ATM
A threat actor looking for collaboration in a phishing campaign targeting Europe mainly Ireland ATM

 

A threat actor selling an ATM malware that targets NCR and Diebold Nixdorf machines
A threat actor selling an ATM malware that targets NCR and Diebold Nixdorf machines

 

A threat actor is looking to buy POC for ATM malware for a budget of USD 2000
A threat actor is looking to buy POC for ATM malware for a budget of USD 2000

 

References