“Cutlet Maker” is a piece of malware that has spread across the world, infecting ATMs and making them eject all of their cash. One such incident took place at 10am on a late November morning in Freiburg, Germany. It came to light when a bank employee noticed something was wrong with a bank ATM. The ATM had been hacked with Cutlet Maker, malware designed to make ATMs eject all of the money inside them. Alongside cartoon images of a chef and a cheering piece of meat, Cutlet Maker’s control panel read: “Ho-ho-ho! Let’s make some cutlets today!” In Russian, a cutlet means not only a cut of meat but also a bundle of cash.
An investigation by Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered new details of so-called “jackpotting” attacks on ATMs in Germany in early 2017. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, with no stolen credit cards required. Hackers install the malware on an ATM by physically opening a panel on the machine to reveal a USB port.
In some of these cases, a specific bank and ATM manufacturer were affected. Jackpotting attacks have decreased in the region in the first half of this year, but multiple sources said the number of attacks in other parts of the world has gone up, including in the U.S., Latin America, and Southeast Asia. This issue impacts banks and ATM manufacturers across the financial industry. The U.S. is quite popular for this kind of ATM attack. BR and Motherboard granted multiple sources, including law enforcement officials, anonymity to speak more candidly about sensitive hacking incidents.
During the annual Black Hat cybersecurity conference in 2010, the famous researcher Barnaby Jack demonstrated his own strain of ATM malware live on stage. The ATM displayed the word “JACKPOT” and ejected a steady stream of bank notes.
Among the many attacks, the Freiburg instance was one in which no cash was stolen, a law enforcement official said. But Christoph Hebbecker, a prosecuting attorney for the German state of North Rhine-Westphalia, said his office is investigating the incidents. The list includes 10 incidents that took place between February and November 2017, including attacks in which thieves did make off with bundles of cash. In total, hackers stole 1.4 million euros ($1.5 million), one of the officials said.
Hebbecker added that, because of the similar nature of the attacks, he believes they are all linked to the same criminal gang. In some of the cases, the prosecutors have video evidence, but they have no suspects. “The investigations are still going on,” Hebbecker said in an email in German. Multiple sources said that a number of the 2017 attacks in Germany impacted the bank Santander. Two sources said they specifically involved the Wincor 2000xe model of ATM, made by the ATM manufacturer Diebold Nixdorf.
A Santander spokesperson said in an emailed statement, “Protecting our customers’ information and the integrity of our network is at the core of our principles. Our experts are involved at every stage of product development and operations to protect our customers and the banks from fraud and cyber threats. Focusing on protecting data and operations is what prevents them from commenting on specific security issues.” Officials in Berlin said they had faced 36 jackpotting cases since spring 2018, resulting in several thousand euros being stolen. They declined to name the specific malware used.
According to police spokespeople, authorities have recorded 82 jackpotting attacks in Germany across different states in the past several years. However, not all of those attacks resulted in successful cash-outs. It is important to remember, though, that ATM jackpotting is not limited to a single bank or ATM manufacturer. Other attacks impacted banks other than Santander; the Santander cases were simply the attacks the Motherboard and BR investigation identified. “This is across all vendors; this is not dedicated towards a specific machine, nor towards a specific brand, and definitely not a region,” said Redecker.
The only security issue in ATMs is that many of them are, in essence, aged Windows computers. “The machines are very old and slow,” a source familiar with ATM attacks said. ATM manufacturers have made significant security improvements to their devices. But that doesn’t necessarily mean all ATMs across the industry will be up to the same standard. The responsibility for securing access to the ATMs falls on the banks too.
“In order to execute a jackpotting attack, you have to have access to the internal components of the ATM. So, preventing that first physical attack on the ATM goes a long way toward preventing the jackpotting attack,” David N. Tente, the executive director of USA, Canada & Americas at the ATM Industry Association (ATMIA), said in an email.
Redecker said he’s been seeing attacks across the globe since 2012, with Germany suffering its first jackpotting attacks in Berlin in 2014. During the 2017 attacks, researchers at the cybersecurity firm Kaspersky published research showing Cutlet Maker had been for sale on hacking forums since May of that year. It seemed like anyone with a few thousand dollars could buy the malware and jackpot ATMs themselves. “The hackers are selling these developments [malware] to just anybody they want to,” said David Sancho, senior threat researcher at cybersecurity firm Trend Micro, who works with Europol on jackpotting research. That has enabled smaller outfits or enterprising criminals to start targeting ATMs, he added.
“Potentially this has the potential to affect any country in the world,” said Sancho. Motherboard spoke to one cybercriminal claiming to sell the Cutlet Maker malware. “Yes, I’m selling it and it costs $1000,” they wrote in an email, adding that they can offer support on how to use the tool as well. The seller provided screenshots of an instruction manual in Russian and English, which steps potential users through how to empty an ATM. Sections of the manual include how to check how many banknotes are inside the ATM and how to install the malware itself.
The European Association for Secure Transactions (EAST) is a non-profit organization that tracks financial fraud. EAST published a report this month, although it’s worth stressing that the report only covers Europe. “This happens in parts of the world where they don’t tell anybody about it,” the source familiar with ATM attacks added. “It’s increasing, but the biggest problem is that nobody wants to report this.”
The lowering of the barrier to entry for ATM malware has arguably driven some of the spike in jackpotting attacks. In mid-January 2018, the Secret Service began warning financial institutions of the first jackpotting attacks in the U.S., although those used another piece of ATM malware called Ploutus.D. “Globally, jackpotting attacks are increasing according to a 2019 survey,” Tente wrote in an email. In conclusion: “There are many attacks happening, but a lot of the time they are not publicized.”