Iron boxes with money standing on the streets of the city cannot but attract the attention of lovers of quick money. And if earlier purely physical methods were used to empty ATMs, now more and more skillful tricks associated with computers are being used. Now the most relevant of them is a "black box" with a single-board microcomputer inside. We will talk about how it works in this article.
The chief of the International Association of ATM Manufacturers (ATMIA) singled out "black boxes" as the most dangerous threat to ATMs.
A typical ATM is a collection of ready-made electromechanical components housed in a single enclosure. ATM manufacturers build their iron creations from a bill dispenser, card reader, and other components already developed by third-party vendors. A sort of LEGO constructor for adults. The finished components are housed in an ATM enclosure, which typically consists of two compartments: an upper compartment ("cabinet" or "service area") and a lower compartment (safe). All electromechanical components are connected via USB and COM ports to the system unit, which in this case acts as a host. On older models of ATMs, you can also find connections via the SDC bus.
Evolution of ATM carding.
ATMs with huge amounts inside invariably beckon carders to themselves. At first, carders exploited only gross physical flaws in ATM security - they used skimmers and shimmers to steal data from magnetic stripes; fake pin-pads and cameras for viewing pincodes; and even fake ATMs.
Then, when ATMs began to be equipped with unified software that works according to uniform standards, such as XFS (eXtensions for Financial Services), carders began to attack ATMs with computer viruses.
Among them are Trojan.Skimmer, Backdoor.Win32.Skimer, Ploutus, ATMii and numerous other named and unnamed malware, which carders add to the ATM host either via a bootable USB flash drive or via a TCP port for remote control.
ATM infection process.
Having captured the XFS subsystem, the malware can issue commands to the banknote dispenser, without authorization. Or give commands to the card reader: read / write the magnetic stripe of a bank card and even extract the transaction history stored on the chip of the EMV card. EPP (Encrypting PIN Pad; encrypted pinpad) deserves special attention. It is generally accepted that the pincode entered on it cannot be intercepted. However, XFS allows you to use the EPP pinpad in two modes: 1) open mode (for entering various numeric parameters such as the amount to be withdrawn); 2) safe mode (EPP switches to it when you need to enter a pincode or encryption key). This XFS feature allows the carder to carry out a MiTM attack: intercept the safe mode activation command that is sent from the host to the EPP, and then tell the EPP pinpad, that work should be continued in open mode. In response to this message, EPP sends keystrokes in clear text.
The principle of the "black box".
In recent years, according to Europol, ATM malware has evolved significantly. Carders no longer need to have physical access to an ATM to infect it. They can infect ATMs through remote network attacks using the bank's corporate network. According to Group IB, in 2016 in more than 10 European countries, ATMs were susceptible to remote attacks.
ATM attack via remote access.
Antiviruses, blocking firmware updates, blocking USB ports and encrypting the hard drive - to some extent protect the ATM from virus attacks by carders. But what if the carder does not attack the host, but connects directly to the periphery (via RS232 or USB) - to a card reader, pin-pad or cash dispenser?
The first acquaintance with the "black box"
Today, tech-savvy carders do just that, using so-called cash dispensers to steal cash from an ATM. Black boxes are specifically programmed single board microcomputers like the Raspberry Pi. “Black boxes” empty ATMs cleanly, in a completely magical (from the point of view of bankers) way. Carders connect their magic device directly to the banknote dispenser; to extract all available money from it. Such an attack bypasses all security software deployed on the ATM host (antiviruses, integrity control, full disk encryption, etc.).
Raspberry Pi based black box.
Major ATM makers and government intelligence agencies, faced with multiple black box implementations, warn that these dodgy computers are prompting ATMs to spit out all available cash; 40 banknotes every 20 seconds. Also, intelligence agencies warn that carders most often target ATMs in pharmacies, shopping centers; and also at ATMs that serve motorists "on the go".
At the same time, in order not to shine in front of the cameras, the most cautious carders take on the help of some not too valuable partner, a mule. And to prevent him from assigning the "black box" to himself, use the following scheme. The key functionality is removed from the "black box" and a smartphone is connected to it, which is used as a channel for remote transmission of commands to the cut-down "black box" via IP-protocol.
Modification of the "black box", with activation via remote access.
How does it look from the bankers' point of view? On the recordings from video cameras, something like the following happens: a certain person opens the upper compartment (service area), connects a "magic box" to the ATM, closes the upper compartment and leaves. A little later, several people, seemingly ordinary customers, come to the ATM and withdraw huge amounts of money. The carder then returns and removes his little magic device from the ATM. Usually the fact of an ATM attack by a “black box” is discovered only after a few days: when the empty safe and the cash withdrawal journal do not match. As a result, the employees of the bank can only scratch their heads.
Where do “black boxes” come from?
ATM vendors and subcontractors are developing debug utilities to diagnose the ATM hardware - including the electromechanics responsible for cash withdrawals. These utilities include ATMDesk, RapidFire ATM XFS. The figure below shows a few more such diagnostic utilities.
ATMDesk control panel.
RapidFire ATM XFS control panel.
Thousands of ATMs are potentially vulnerable to such attacks. On the way to a genuine processing center, the cardrer inserts his own, fake one. This fake processing center instructs the ATM to issue banknotes. At the same time, the carder sets up its processing center in such a way that cash withdrawal occurs regardless of which card is inserted into the ATM - even if its validity period has expired, or it has zero balance. The main thing is for the fake processing center to "recognize" her. As a fake processing center, there can be either a handicraft or a processing center simulator, originally designed for debugging network settings (another gift from the "manufacturer" - to carders).
The following figure shows a dump of commands for issuing 40 banknotes from the fourth cassette - sent from a fake processing center and stored in ATM software logs. They almost look real.
Dump of the commands of the fake processing center.
Good luck, and just good luck, friend!
This article is written for educational purposes only. The author did not publish this article for malicious purposes. If readers would like to use the information for personal gain, then the author is not responsible for any harm or damage caused.
The chief of the International Association of ATM Manufacturers (ATMIA) singled out "black boxes" as the most dangerous threat to ATMs.
A typical ATM is a collection of ready-made electromechanical components housed in a single enclosure. ATM manufacturers build their iron creations from a bill dispenser, card reader, and other components already developed by third-party vendors. A sort of LEGO constructor for adults. The finished components are housed in an ATM enclosure, which typically consists of two compartments: an upper compartment ("cabinet" or "service area") and a lower compartment (safe). All electromechanical components are connected via USB and COM ports to the system unit, which in this case acts as a host. On older models of ATMs, you can also find connections via the SDC bus.
Evolution of ATM carding.
ATMs with huge amounts inside invariably beckon carders to themselves. At first, carders exploited only gross physical flaws in ATM security - they used skimmers and shimmers to steal data from magnetic stripes; fake pin-pads and cameras for viewing pincodes; and even fake ATMs.
Then, when ATMs began to be equipped with unified software that works according to uniform standards, such as XFS (eXtensions for Financial Services), carders began to attack ATMs with computer viruses.
Among them are Trojan.Skimmer, Backdoor.Win32.Skimer, Ploutus, ATMii and numerous other named and unnamed malware, which carders add to the ATM host either via a bootable USB flash drive or via a TCP port for remote control.
ATM infection process.
Having captured the XFS subsystem, the malware can issue commands to the banknote dispenser, without authorization. Or give commands to the card reader: read / write the magnetic stripe of a bank card and even extract the transaction history stored on the chip of the EMV card. EPP (Encrypting PIN Pad; encrypted pinpad) deserves special attention. It is generally accepted that the pincode entered on it cannot be intercepted. However, XFS allows you to use the EPP pinpad in two modes: 1) open mode (for entering various numeric parameters such as the amount to be withdrawn); 2) safe mode (EPP switches to it when you need to enter a pincode or encryption key). This XFS feature allows the carder to carry out a MiTM attack: intercept the safe mode activation command that is sent from the host to the EPP, and then tell the EPP pinpad, that work should be continued in open mode. In response to this message, EPP sends keystrokes in clear text.
The principle of the "black box".
In recent years, according to Europol, ATM malware has evolved significantly. Carders no longer need to have physical access to an ATM to infect it. They can infect ATMs through remote network attacks using the bank's corporate network. According to Group IB, in 2016 in more than 10 European countries, ATMs were susceptible to remote attacks.
ATM attack via remote access.
Antiviruses, blocking firmware updates, blocking USB ports and encrypting the hard drive - to some extent protect the ATM from virus attacks by carders. But what if the carder does not attack the host, but connects directly to the periphery (via RS232 or USB) - to a card reader, pin-pad or cash dispenser?
The first acquaintance with the "black box"
Today, tech-savvy carders do just that, using so-called cash dispensers to steal cash from an ATM. Black boxes are specifically programmed single board microcomputers like the Raspberry Pi. “Black boxes” empty ATMs cleanly, in a completely magical (from the point of view of bankers) way. Carders connect their magic device directly to the banknote dispenser; to extract all available money from it. Such an attack bypasses all security software deployed on the ATM host (antiviruses, integrity control, full disk encryption, etc.).
Raspberry Pi based black box.
Major ATM makers and government intelligence agencies, faced with multiple black box implementations, warn that these dodgy computers are prompting ATMs to spit out all available cash; 40 banknotes every 20 seconds. Also, intelligence agencies warn that carders most often target ATMs in pharmacies, shopping centers; and also at ATMs that serve motorists "on the go".
At the same time, in order not to shine in front of the cameras, the most cautious carders take on the help of some not too valuable partner, a mule. And to prevent him from assigning the "black box" to himself, use the following scheme. The key functionality is removed from the "black box" and a smartphone is connected to it, which is used as a channel for remote transmission of commands to the cut-down "black box" via IP-protocol.
Modification of the "black box", with activation via remote access.
How does it look from the bankers' point of view? On the recordings from video cameras, something like the following happens: a certain person opens the upper compartment (service area), connects a "magic box" to the ATM, closes the upper compartment and leaves. A little later, several people, seemingly ordinary customers, come to the ATM and withdraw huge amounts of money. The carder then returns and removes his little magic device from the ATM. Usually the fact of an ATM attack by a “black box” is discovered only after a few days: when the empty safe and the cash withdrawal journal do not match. As a result, the employees of the bank can only scratch their heads.
Where do “black boxes” come from?
ATM vendors and subcontractors are developing debug utilities to diagnose the ATM hardware - including the electromechanics responsible for cash withdrawals. These utilities include ATMDesk, RapidFire ATM XFS. The figure below shows a few more such diagnostic utilities.
ATMDesk control panel.
RapidFire ATM XFS control panel.
Thousands of ATMs are potentially vulnerable to such attacks. On the way to a genuine processing center, the cardrer inserts his own, fake one. This fake processing center instructs the ATM to issue banknotes. At the same time, the carder sets up its processing center in such a way that cash withdrawal occurs regardless of which card is inserted into the ATM - even if its validity period has expired, or it has zero balance. The main thing is for the fake processing center to "recognize" her. As a fake processing center, there can be either a handicraft or a processing center simulator, originally designed for debugging network settings (another gift from the "manufacturer" - to carders).
The following figure shows a dump of commands for issuing 40 banknotes from the fourth cassette - sent from a fake processing center and stored in ATM software logs. They almost look real.
Dump of the commands of the fake processing center.
Good luck, and just good luck, friend!
This article is written for educational purposes only. The author did not publish this article for malicious purposes. If readers would like to use the information for personal gain, then the author is not responsible for any harm or damage caused.
