ATM Jackpotting: How Spear Phishing Started $1 Billion in Bank Heists

The Heists

In 1963, in Buckinghamshire, UK, a Royal Mail train traveled on the tracks to Glasgow carrying high-value packages. Like an Ocean’s movie, a gang of 15 hacked into the rail track controls to stop the train in a remote area. Once it was at rest, the gang took over the train and removed the goods – to the tune of £2.6 million.

In 2005, in Fortaleza, Brazil, a bank stood securely in the city center. Like an Ocean’s sequel, a gang rented a commercial property less than a football field away, posing as a legitimate business. Over three months they dug a tunnel underneath the vault, and over the weekend they tunneled through a reinforced vault of the Banco Central branch. The gang took home 3.5 tons of Brazilian Real ($70 million USD).


In 2017, in southern California, an ATM secured to the side of a building sat full of cash. 

A Venezuelan gang sat nearby, waiting for the cash to flow without breaking a sweat, unlike the hard work of bank robbers in the past. The gang hacked into the ATM and installed malware that told the machine to release all of its cash. By January of 2018 the group had stolen nearly $4 million over 125 attacks.

Because That’s Where the Money Is

Bank robberies inspire some of the best stories, books, and films, from old westerns to modern video games like ‘Payday: The Heist.’ We all know the Willie Sutton quote from 1952, “I rob banks because that’s where the money is,” and while the methods have changed drastically over time, the targets have remained the same.

What is Jackpotting?

These ATM attacks are relatively new for the USA. The attack is called jackpotting. Jackpotting refers to the installation of malicious software and hardware onto ATMs. The malware is installed by physically connecting to the ATM, or through standard social engineering techniques like spear phishing. By spear phishing a bank employee, attackers are able to infect the victim’s machine and gain access to the network. By moving through the network, hackers were able to compromise and control the servers controlling ATM networks. They would next trigger the ATM to spit cash out at a predetermined time, where foot mules would collect the cash, or transfer funds to other accounts or cryptocurrencies.

Although new to the USA, these attacks have impacted institutions around the globe for years. In March of 2018, the European Union Agency for Law Enforcement Cooperation (Europol) arrested the leader of a gang that stole more than $1.2 billion from banks around the world.

Access By Spear Phishing

Spear phishing is a growing concern for businesses both small and large. Spear phishing is an attack in which attackers spoof an email address while targeting a specific organization or individual. Unlike traditional phishing attacks, these targeted attacks are sophisticated in that they use timely and personal information so that the victim does not recognize the threat. For example, a hacker may know that a CEO is traveling for the week. He may spoof an email from the CEO to the CFO requesting a wire transfer to help with travel. Since the CFO knows the CEO is traveling, and commonly requires cash, they are likely to make the transfer without raising questions. These attacks happen daily – this article shares similar attacks on small businesses, churches, and even grandmas.

Social engineering attacks like spear phishing have one thing in common – people.  With people and employees being the common denominator of social engineering attacks, it makes sense that teaching these employees how to recognize potential threats is the best way to prevent successful attacks.  

Cybersecurity Awareness

A growing best practice for businesses of all sizes is establishing a cybersecurity awareness training program for employees that includes both annual cyber awareness training and simulated phishing attacks. Simulating attacks provides a safe way to test and to teach employees how to recognize phishing attacks. Beyond best practices, employee awareness training is often required for compliance with industry standards like PCI DSS, HIPAA and Sarbanes-Oxley, by customers during third-party risk assessments, and by state regulations like GDPR, New York Cybersecurity Requirements for Financial Services Companies, Texas Health Privacy Law, Massachusetts Data Security Law, and a growing list of government regulations.

People and employees can sometimes be overlooked as an important player in the cybersecurity game, even though they play a significant role. Most threats target employees as an entry point into a business, or an entry point into their customers’ organizations. That means they can be the first/last line of defense. It’s also important to understand that even the best IT infrastructure won’t prevent a well-meaning employee from clicking a malicious link, or providing their password over the phone to someone claiming to be from IT. Employees must be trained to raise awareness, and leaders must be trained to support their direct reports to ensure cybersecurity best practices are followed at the top, middle, and lowest levels of an organization.

There are 5 quick steps to identifying a phishing email.  

  1. Check the sender to see if the email is coming from the business email address that you expect, and not an easily impersonated free email service like John.Doe@gmail.com
  2. Hover over the links in the email to see if they are directing you to the website you expect
  3. Look for spelling or grammar errors that often indicate an email was written by a non-native speaker
  4. Complete a sanity check by asking yourself if the request makes sense
  5. Call the sender when you’re in doubt – a manual 2 Factor Authentication process if you will

Cybersecurity risks are increasing, and social engineering attacks are not going away. Preparing your organization, employees, and family for the risks, and for how to recognize them, will go a long way. What may seem obvious to one person may save the identity of another.

About Me

Jon Santavy is the CEO of Wuvavi (www.wuvavi.com) – the world’s leading cybersecurity awareness platform for small and medium-sized businesses. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers create a culture of awareness in their organization.