“Jackpotting” Hackers Target U.S. ATMs

PUBLISHED: 6:51 PM 30 Jan 2018
UPDATED: 6:51 PM 30 Jan 2018

Hackers Use ATM “Jackpotting” To Steal Money, Secret Service Warns

This is the first time that thieves have used this technique in the U.S.

The Secret Service is warning the nation's financial institutions that they must protect themselves from a specific threat known as "jackpotting," a malware attack on an ATM.

The Secret Service began warning financial institutions this week that American ATMs were at risk. “Jackpotting,” a term used to describe the act of physically hacking into an ATM, is becoming increasingly common. The high-risk crime has been terrorizing European and Asian banks for years while American operations remained unmolested.

That’s now changing. The Secret Service admitted that there had been at least six jackpotting attacks this week.

The attacks are unusual in that the criminal needs direct physical access to the ATM.

“The targeted stand-alone ATMs are routinely located in pharmacies, big-box retailers, and drive-thru ATMs,” reads a Secret Service memo obtained by KrebsOnSecurity.

“During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM's operating system along with a mobile device to the targeted ATM.”

The Secret Service hinted that organized criminal gangs are responsible for the ATM attacks. They’re using jackpotting malware dubbed “Ploutus.D.” Typically, an endoscope is inserted into the machine, allowing the criminal to look at its hardware. Once the right spot is located, they connect the ATM’s computer to their own laptop via a cord.

If the scheme is successful, the ATM starts pumping out cash, exactly as though the criminal has hit a jackpot. At this point, the thugs are completely in control. The ATM will dump its contents until it’s empty, after which it will appear out of order until it’s serviced.

“What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen,” Leigh-Anne Galloway, a cybersecurity resilience lead at Positive.com, said in a statement.

“The attack can mostly be mitigated by limiting physical access to the ATM, the service area, and requiring physical authentication by maintainers.”

The evolving world of technology produces new threats almost every day. The good guys aren’t the only ones who are becoming more advanced.

“We have seen quite an increase in logical attacks over the last couple of years and this is certainly one of the most novel. ATMs are still a critical link in communities, providing access to banking services for many people who may have never visited a branch itself,” Galloway added.

Experts say that the Ploutus.D software forces ATMs to dispense cash at a rate of 40 bills every 23 seconds. The process is fast, with criminals usually working in groups. One man works the ATM while another at a remote location controls the hack.
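As an added example (not from the article, the Secret Service, or any ATM vendor), the dispense rate quoted above can be turned into a defender-side monitor: it walks constructed dispenser log lines and flags an ATM that pushes out cash with no card-authorized transaction behind it at more than half the quoted pace. The log format, the field names and the `auth` marker are assumptions, not a real vendor format.

```python
from collections import deque

# Figures quoted in the article: Ploutus.D drives about 40 bills every 23 seconds.
JACKPOT_BILLS, JACKPOT_WINDOW_SEC = 40, 23

def parse_event(line):
    """Parse one constructed dispenser log line:
    '<unix_ts> <atm_id> DISPENSE bills=<n> auth=<yes|no>'
    (the field layout is an assumption, not a real vendor format)."""
    ts, atm, kind, bills, auth = line.split()
    return {"ts": int(ts), "atm": atm, "kind": kind,
            "bills": int(bills.split("=", 1)[1]),
            "auth": auth.split("=", 1)[1] == "yes"}

def detect_jackpot_bursts(lines, max_bills=JACKPOT_BILLS // 2, window=JACKPOT_WINDOW_SEC):
    """Return alerts (atm_id, ts, bills_in_window) whenever one ATM dispenses
    more than `max_bills` within `window` seconds without a matching
    authorized transaction. Half the article's rate is the trigger so that
    slower cash-outs still fire."""
    recent = {}   # atm_id -> deque of (ts, bills) for unauthorized dispenses
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] != "DISPENSE" or ev["auth"]:
            continue  # card-authorized withdrawals are normal traffic
        q = recent.setdefault(ev["atm"], deque())
        q.append((ev["ts"], ev["bills"]))
        while q and ev["ts"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        total = sum(b for _, b in q)
        if total > max_bills:
            alerts.append((ev["atm"], ev["ts"], total))
    return alerts

# Constructed sample: one legitimate withdrawal, then an unauthorized burst on ATM-17.
SAMPLE_LOG = [
    "1517350000 ATM-17 DISPENSE bills=20 auth=yes",
    "1517350100 ATM-17 DISPENSE bills=10 auth=no",
    "1517350106 ATM-17 DISPENSE bills=10 auth=no",
    "1517350112 ATM-17 DISPENSE bills=10 auth=no",
    "1517350118 ATM-17 DISPENSE bills=10 auth=no",
    "1517350200 ATM-42 DISPENSE bills=5 auth=no",
]

if __name__ == "__main__":
    for atm, ts, bills in detect_jackpot_bursts(SAMPLE_LOG):
        print(f"ALERT {atm}: {bills} bills dispensed without authorization by t={ts}")
```

In practice the `auth` flag would come from correlating the dispenser event with the host's transaction log; an ATM dispensing with no host-side transaction at all is the strongest single signal here.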

The “money mule”, the operator who collects the cash, is usually lower on the totem pole. The job is extremely high-risk as it requires the operator to physically manipulate the ATM.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” cybersecurity expert Daniel Regalado wrote.

“Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

It’s a daring crime, but the potential payoffs are massive. The Secret Service estimates that at least $1 million has been stolen in American jackpotting attacks. After the mule leaves with the cash, another operator typically comes along to clean up any leftover equipment.

The criminals seem to be targeting specific ATMs. The malware is most effective against Diebold ATMs running a Windows XP operating system. A simple system update may be enough for banks to protect themselves. 

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” reads an alert from ATM giant NCR Corp.

“This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The government says that most of the cases in America occurred in New England and the Pacific Northwest.

The Secret Service’s jackpotting investigation led the agency to conclude that a coordinated set of attacks was likely to occur within the next few weeks. Financial institutions were warned that the threat is imminent.