Thieves Target ATMs In First US 'Jackpotting' Attacks

Attackers have been getting ATMs to illegally dispense cash by tampering with their internal electronics, US Secret Service warns.

Diebold Nixdorf and NCR, two of the world's largest ATM vendors, are warning their US customers about recent so-called jackpotting attacks where cybercriminals force terminals to illegally dispense large amounts of cash by tampering with their internal electronics.

In its customer alert, Diebold Nixdorf said the US Secret Service had informed the company on Jan. 26 about jackpotting attacks moving from Mexico to the US for the first time. The attack described in the Secret Service memo was the same one Diebold Nixdorf had warned customers about in November 2017, according to the alert, which the company made available to Dark Reading.

According to the ATM maker, attackers are removing the top hat of its Opteva front-load ATM terminals and replacing original hard disks with previously prepared replacement disks that contain an unauthorized image of the ATM's software.

In order to pair the new disk with the terminal, the attackers first have to reset its communications, a multi-step process that requires them to press and hold a button inside the ATM's locked safe. CCTV footage of the attacks shows the criminals using an industrial endoscope to look inside the safe so they can locate the button, then using an extension to hold it down until the pairing is complete.

All Diebold Nixdorf front-load Advanced Function Dispenser (AFD)-based Opteva ATMs are vulnerable to the attack. Rear-load Opteva models are also vulnerable, but would be extremely difficult to attack using the current approach, the company said.

The attack circumvents the ATMs' physical security and authorization features to allow dispensers to be paired with rogue hard drives, the vendor said. "As the ATMs that are currently being targeted are older, legacy Diebold units, it's important to remind financial institutions to keep their security up to date," the company said in a statement.

In an emailed comment, NCR said it, too, had alerted customers of its ATMs about the jackpotting attacks and offered guidance on how to protect against them. Though the attacks have so far targeted non-NCR systems, NCR said, they represent the first logical attacks against ATMs in the US and should be taken seriously by everyone.

In a January 26 press statement, the US Secret Service described the attacks as mainly targeting stand-alone ATMs of the sort routinely found in pharmacies, big box retailers, and drive-through locations. "Criminals range from individual suspects to large organized groups, from local criminals to international organized crime syndicates," the Secret Service statement said.

KrebsOnSecurity, which was first to report on the new attacks, said the thieves behind them appear to be using a new version of a jackpotting malware tool called Ploutus.D to steal money from cash dispensers. The blog quoted an unnamed source at the Secret Service saying that the crooks behind the jackpotting campaign have begun sending out so-called "cash out crews" to attack and compromise front-loading Diebold machines.

Once a terminal has been paired with a rogue hard drive, members of the crew contact co-conspirators who then take remote control of the ATM and force it to dispense cash. In previous attacks involving Ploutus.D, attackers have been able to force compromised ATMs to spit out up to 40 currency bills every 23 seconds, KrebsOnSecurity said.
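The cash-out pattern just described, as an added example that is not from the article, Diebold Nixdorf, NCR, the Secret Service or KrebsOnSecurity: a small Python detector run over a constructed ATM event log. The log format, field names, terminal IDs, time windows and the 100-notes-per-minute threshold are all assumptions made for illustration. The idea is that a dispense driven by a remote operator rather than by a cardholder transaction has no matching host authorization, arrives in bursts on the order of the 40-bills-every-23-seconds cadence reported for Ploutus.D, and (as noted later in the article) may come from a terminal that is currently showing an out-of-service notice.

```python
"""Flag jackpotting-style cash-outs in ATM event logs.

Constructed example. The log format, field names, thresholds and
terminal IDs are assumptions for illustration, not any vendor's
real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one normal, host-authorized withdrawal on
# ATM-0117, then a burst of unauthorized dispenses on ATM-0203 while
# that terminal reports itself out of service.
SAMPLE_LOG = """\
2018-01-26T10:00:01 ATM-0117 HOST_AUTH txn=9001 amount=200
2018-01-26T10:00:04 ATM-0117 DISPENSE txn=9001 notes=10
2018-01-26T10:30:00 ATM-0203 STATUS state=OUT_OF_SERVICE
2018-01-26T10:30:11 ATM-0203 DISPENSE txn=- notes=40
2018-01-26T10:30:34 ATM-0203 DISPENSE txn=- notes=40
2018-01-26T10:30:57 ATM-0203 DISPENSE txn=- notes=40
2018-01-26T10:31:20 ATM-0203 DISPENSE txn=- notes=40
"""

AUTH_WINDOW = timedelta(seconds=60)   # assumed: host auth must precede dispense within 60 s
BURST_WINDOW = timedelta(seconds=60)  # assumed: sliding window for the burst check
BURST_NOTES = 100                     # assumed: >= 100 notes per window is a burst


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    fields: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp atm KIND k=v k=v ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(datetime.fromisoformat(ts), atm, kind, fields))
    return events


def find_suspicious(events: List[Event]) -> List[Tuple[str, datetime, str]]:
    """Return (atm, timestamp, reason) for every dispense that looks like a cash-out.

    Three independent signals are checked on each DISPENSE event:
      1. no HOST_AUTH for the same (atm, txn) within AUTH_WINDOW before it;
      2. the terminal's last reported STATUS is OUT_OF_SERVICE;
      3. the notes dispensed in the trailing BURST_WINDOW reach BURST_NOTES.
    """
    alerts = []
    auths: Dict[Tuple[str, str], datetime] = {}
    status: Dict[str, str] = {}
    recent: Dict[str, List[Tuple[datetime, int]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "HOST_AUTH":
            auths[(ev.atm, ev.fields["txn"])] = ev.ts
        elif ev.kind == "STATUS":
            status[ev.atm] = ev.fields["state"]
        elif ev.kind == "DISPENSE":
            notes = int(ev.fields["notes"])
            auth_ts = auths.get((ev.atm, ev.fields["txn"]))
            if auth_ts is None or ev.ts - auth_ts > AUTH_WINDOW:
                alerts.append((ev.atm, ev.ts, "dispense without host authorization"))
            if status.get(ev.atm) == "OUT_OF_SERVICE":
                alerts.append((ev.atm, ev.ts, "dispense while out of service"))
            window = [(t, n) for t, n in recent.get(ev.atm, []) if ev.ts - t <= BURST_WINDOW]
            window.append((ev.ts, notes))
            recent[ev.atm] = window
            if sum(n for _, n in window) >= BURST_NOTES:
                alerts.append((ev.atm, ev.ts, "dispense burst"))
    return alerts


if __name__ == "__main__":
    for atm, ts, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {atm}: {reason}")
```

The authorized withdrawal on ATM-0117 produces no alert; every dispense on ATM-0203 is flagged for missing host authorization and for happening while the terminal is out of service, and the burst check fires once the trailing minute reaches 120 notes. In practice the host-authorization join is the strongest of the three signals, since a jackpotted dispenser is being driven by the rogue image rather than by the bank's transaction switch.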

Attacks targeting ATMs are not new. As far back as 2010, a researcher with IOActive demonstrated how attackers could compromise ATMs and force them to dispense wads of cash. In 2016, a suspected Russian operation stole more than $2 million from ATMs, likely using just their smartphones.

Hands-On Hack

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says what makes the jackpotting attacks interesting is the level of access criminals need to pull it off. "What is strange in this scenario is the level of physical access obtained by the attackers," she says. "The only real benefit of this may be from infecting further machines without the bank becoming aware."

But even then, compromised ATMs would display an out-of-service notification, she says.

Attackers can steal money from ATMs using less complicated methods than jackpotting, she notes. "There are actually remote attacks that don't rely on physical access to the inside of the ATM, and travel via infection of a bank's core network," she says.

Modems used for communications can also have vulnerabilities. "If the ATM is connected to the network via a modem, it is possible to find vulnerabilities in modems, which would allow an attacker to gain access," Galloway says.

For ATM operators, the attacks highlight the need for proper risk management, says Alan Brill, senior managing director, cybersecurity and investigations for Kroll. "The reports of the incidents suggest that certain older stand-alone ATMs are being targeted," he says. "Successful attacks require access to the ATM to [install] the malware and in at least some cases, a button had to be pushed, for which the bad guys used an endoscope."

Endoscopes fully equipped with lights and tools that could be used to press a button in the innards of an ATM are available on many sites for under $20, Brill says.

There are a few common-sense ways of managing the risk of jackpotting attacks, he notes. Unexpected visits by ATM technicians, for instance, should be a red flag. Stand-alone ATMs should be in a location that is visible to employees and covered by a security camera. Tamper-evident tape can be used to close off openings that would allow an attacker to insert an endoscope into a terminal.

ATM owners should also always know whom to contact when there is a problem, and should authenticate the person they are dealing with.

When taking precautions against threats like jackpotting, it is also best to implement security against other threats as well, such as skimming. "There's an overlap in security so that protecting against one form of attack can help mitigate the risk of multiple forms of attack," Brill notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments

Joe Stanganelli, 1/30/2018 | 1:46:10 PM
Update: Suspects apprehended
Update... According to Brian Krebs today, the suspects were allegedly caught after (1) getting themselves pulled over, which led to (2) police smelling marijuana in their car, leading to a search that, in addition to marijuana, yielded discovery of (3) "several backpacks full of cash".

How can people be so smart and so stupid?