Feds Charge Two ATM Jackpotting Malware Suspects
US Secret Service Alert: ATM Attackers Are Dressing Like Diebold Technicians
Two men suspected of being part of a criminal scheme that uses malware to "jackpot" ATMs and commit bank fraud have been arrested in Connecticut.
On Monday, Spanish citizen Alex Alberto Fajin-Diaz, 31, and Argenys Rodriguez, 21, of Springfield, Massachusetts, appeared in Connecticut federal court before U.S. Magistrate Judge Donna F. Martinez, who ordered them to be detained. Both have been charged in a federal criminal complaint with bank fraud, stemming from the use of malware designed to drain ATMs of their cash, in what's known as a cash-out or jackpotting attack.
While jackpotting attacks have been seen in other countries, they've only recently arrived in the United States. In recent weeks, the U.S. Secret Service has issued alerts to ATM operators, warning that attackers using Ploutus.D malware have been targeting standalone ATMs in big-box retailers and pharmacies. ATM manufacturers NCR and Diebold Nixdorf have also issued alerts (see First ATM 'Jackpotting' Attacks Hit U.S.).
The U.S. Secret Service says that since December, it's received reports of ATM jackpotting attacks occurring in the Miami, Washington and New York areas. Last month, a U.S. Secret Service special agent told Reuters that a coordinated group of attackers, which might be tied to international organized crime groups, had stolen more than $1 million via jackpotting attacks against U.S. ATMs.
Two Men Arrested With $9,000 in $20 Bills
Attackers now appear to be going farther afield.
On Jan. 27, police in the Connecticut town of Cromwell responded to an alert from investigators at Citizens Bank of an apparent theft in progress from a drive-up ATM. The first officer on the scene said he found the two men in a two-door white Honda Accord just 50 feet from the ATM, and no other vehicles in the vicinity.
"Cromwell Police encountered Fajin-Diaz and Rodriguez near an ATM that had been compromised with jackpotting malware and was in the process of dispensing $20 bills," the Department of Justice says.
Police stopped the men, who were in the car. "A search of Fajin-Diaz and Rodriguez's vehicle, which had a license plate that was assigned to another vehicle, revealed tools and electronic devices consistent with items needed to compromise an ATM machine to dispense its cash contents. Fajin-Diaz and Rodriguez also possessed more than $9,000 in $20 bills," a Justice Department statement says.
If convicted of the bank fraud charge, Fajin-Diaz and Rodriguez each face a maximum prison sentence of 30 years.
ATM Jackpotting Spree
Federal, state and local law enforcement agencies have been investigating recent jackpotting attacks on ATMs in the Connecticut towns of Hamden and Guilford, as well as in Providence, Rhode Island.
In the affidavit, U.S. Secret Service Agent Molly Reale writes that multiple cash-out teams appear to operate in coordination.
The U.S. Secret Service appears to have received intelligence or tip-offs tied to the cash-out attacks. "On Jan. 26, the U.S. Secret Service received information that individuals were planning in the next 10 days to activate cash-out teams to attack certain Diebold ATM machines using malware," Reale writes.
An affidavit was submitted to court on Jan. 31 to provide probable cause for a criminal complaint that charges Fajin-Diaz and Rodriguez with bank fraud.
The affidavit says that on Jan. 22, attackers infected a Citizens Bank ATM in Providence with malware and drained it of more than $50,000 in cash.
Robbers Dressed as ATM Technicians
"Video surveillance revealed that on Jan. 22, two men appeared at the ATM dressed in what appeared to be Diebold technician uniforms and accessed the interior of the ATM machine. The subjects spent several minutes conducting activities inside the ATM consistent with protocols used to install malware in ATMs. The suspects then closed and secured the ATM before leaving," Reale writes.
"Additional surveillance footage showed what appeared to be two other males approach the ATM and remain for a considerable amount of time, which I believe to be consistent with them obtaining cash that was being ejected from the ATM. Pictures of these suspects do not appear to match the physical description of Fajin (sic) and Rodriguez," Reale writes.
But she adds in the affidavit that the latter two suspects appeared to be driving a two-door white Honda Accord, although the vehicle did not have the same license plate as the car that Fajin-Diaz and Rodriguez were driving on Jan. 27.
On Jan. 27, the affidavit says, video surveillance at the Citizens Bank in Cromwell shows two men, apparently dressed as ATM technicians, accessing the interior of the ATM, after which the feed was interrupted. But Reale writes that footage supplied by Citizens Bank "showed a dark colored SUV and white two-door Honda Accord at the ATM machine for an extended period of time." The affidavit says the SUV left before police arrived.
First on the scene was Officer Brooks, who stopped the Honda Accord, driven by Rodriguez, according to the affidavit. "Officer DiMaio arrived on scene approximately 30 seconds after Officer Brooks arrived," she writes, noting that he heard the ATM making beeping noises.
"As Officer DiMaio approached the ATM, he heard it making sounds that an ATM makes when it is about to dispense money. Officer DiMaio saw the ATM dispense a stack of $20 bills - later learned to be 40 $20 bills. Officer DiMaio seized the $20 bills and secured them in his vehicle," she writes.
Black Box Recovered
When police searched the vehicle, they found not only the large quantity of $20 bills but also "a black electronic device" that "resembled [an] Apple TV," as well as a large quantity of cables, wires and tools, Reale writes. "These tools and electronic devices are consistent with items needed to compromise an ATM machine to dispense its cash contents."
An investigation of the Citizens Bank drive-up ATM by a police detective who's also an ATM technician found a foreign cable inside the ATM, connected to an ATM component, Reale writes. The detective also found that the ATM screen was displaying "a picture that was also foreign to the setup of the ATM" and recovered a "deep insert ATM skimming device test sheet" from inside the ATM (see Hackers Practice Unauthorized ATM Endoscopy). Officers also discovered a wireless keyboard with a USB cord attached, Reale adds.
Update
On Feb. 6, NCR issued a security alert titled "Mandatory Platform Component Update for S1 and S2 Currency Dispenser" that it says was developed "following black box attacks against NCR ATMs with S1 Currency Dispensers in Mexico in Q3 2017."
NCR says the platform update includes two changes designed to block black box attacks:
- "The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to protect against an attacker using endoscope technology in an attempt to manipulate dispenser electronics from outside the safe. Additionally, further authentication mechanisms have been added as configuration options.
- "A vulnerability in the anti-roll back protection has been corrected."