Dark Web and ATM Hacking

The dark web, a component of the deep web, is the nesting ground of online as well as offline criminal activities. Though most of us have a general understanding of the dark web, we are still unaware of the specific activities it facilitates and how it affects us on a daily basis.

ATMs are a common part of our everyday lives, yet we know little about how ATMs can be exploited, even by the most novice of attackers. At CloudSEK, we have unearthed a range of techniques and devices that are used and sold on the dark web for the purpose of hacking ATMs.

There used to be a time when hacking an ATM required sophisticated skills and tools. Not anymore. We have encountered amateurs with rudimentary skills who have hacked ATMs using the tools and tutorials available on dark web marketplaces. This is possible because the devices sold on the dark web come with detailed instruction manuals. Most of these devices can also be operated remotely, using an antenna, to target systems that still run on Windows XP.

ATM Malware Card

On the dark web, anybody can buy an ATM Malware Card, which comes with a PIN Descriptor, a Trigger Card and an Instruction Guide. This manual provides step-by-step instructions on how to use the card to dispense cash from ATM machines. Once the ATM Malware Card is installed in the ATM, it captures the card details of all customers who subsequently use the ATM. The Trigger Card is then used to dispense cash from the ATM.

(Fig.1: Screenshot of dark web shopping site: ATM Malware Card with product description)

The image above shows the product description provided on dark web marketplaces to advertise the features and benefits. This malware mainly targets ATM machines that run on Windows XP. The card is capable of drawing out all the money available in the affected machine, which could amount to as much as $500,000. The product description is so detailed that even a layman can use it to hack an ATM.

USB ATM Malware 

Another prevalent method of fraudulently dispensing cash from ATM machines is to infect them with a malware-hosting USB drive. This method also targets machines that run on Windows XP.


(Fig.2: Screenshot of dark web shopping site: USB ATM Malware with product description)

This image describes the product in simple words, with details about which files are contained on the USB drive and instructions on how to use it to orchestrate an attack.

ATM SKIMMER SHOP (ALL IN ONE)

Apart from individual sellers, there are also online shops that sell such products. One such shop is the ATM Skimmer Shop (all in one), which offers ATM hacking appliances such as EMV Skimmers, GSM Receivers, ATM Skimmers, PoS devices, Gas Pump skimmers, Deep Inserts, etc.

(Fig.3: Screenshot of ATMSKIMMER Shop on the dark web)

The same shop also offers prepaid credit cards with high balances at different price points. It updates and stocks itself with the latest cracking devices released in the market, such as POS Terminals, Upgraded Antennas, custom-made ATM Skimmers, RFID Reader/Writers, etc. This shop was previously available on the surface web, but is now available only on the dark web. Hacking devices that need to be physically attached to ATM machines, such as the ATM Insert Skimmer or Deep Insert, are also sold here.


(Fig.4: Screenshot of dark web shopping site: Deep Insert with product description)

The image above describes the benefits of using an insert skimmer to hack an ATM. It is advertised as a “plug and play” product, implying that it is ready to use out of the box.

Anyone who has access to the dark web and this shop can order any of their products, hassle-free. Another such online shopping site is the Undermarket, which claims to sell bank fullz and physical bank cards on its platform.

(Fig.5: Screenshot of Undermarket forum posts suggesting the availability of Fullz)

There are underground hacking forums that discuss and sell tutorials on how to hack bank accounts using botnets, among other such topics. Forums such as Optimus Store sell these malicious files for $100.

(Fig.6: Screenshot of dark web forum: Files that aid hacking put for sale)

A recently uncovered, active ATM jackpotting method that uses malware is called Ploutus-D. It works by compromising components of a well-known multivendor ATM software package to gain control over hardware devices such as dispensers, card readers and PIN pads. It allows the attacker to dispense all the cash from an affected machine in a few minutes. The source code for this malware, along with instructions on how to use it, is sold on the dark web.

(Fig.7: Screenshot of shopping site on the dark web: Ploutus-D added to cart)


Be Vigilant

As hacking tools and techniques become ubiquitous, it is important to stay aware and vigilant by understanding new and sophisticated trends in hacking, and how you can defend yourself against them.

About XVigil

XVigil Solutions provides organizations with unified supervision across the internet, their brand and their infrastructure. It yields the analytics and actionable intelligence needed to tackle external threats by deploying comprehensive security scans and monitors.

See how XVigil has helped businesses across the globe combat digital risks: https://cloudsek.com/customers/

Learn more about XVigil: https://cloudsek.com/

Written by:

Rakesh Krishnan works mainly as a Researcher on Dark Web and has a keen interest in Information Security. He actively focuses on the latest threats in the Cyber World and regularly tweets about his latest findings.