ATM 'Jackpotting' Delivers Quick Cash Paydays For Hackers Warns US Secret Service

ATMs can be a blessing and a curse to financial institutions. On the one hand, they can process financial transactions quickly, allowing the machines to serve more people over a span of time than a human teller. However, ATMs are often the target of hackers, many using skimmers to obtain debit card numbers for later nefarious spending sprees. Now, the Secret Service is warning that an existing type of ATM attack, jackpotting, is finally beginning to make its way to the United States.

Jackpotting has been prevalent at banking institutions across Europe and Asia, but not so much in the U.S. It involves using malware and a direct physical connection to an ATM to force it to shoot out large sums of money quickly. With previous attacks in other countries, ATMs were forced into dispensing roughly 40 bills every 23 seconds. Even more concerning is that the ATM will dispense money at this rate until it is completely empty, or until the cancel button is pressed.


The U.S. Secret Service is sending out warnings to ATM operators (and manufacturers) stating that criminals are adopting new techniques that could make jackpotting a big problem here at home. Brian Krebs, who first reported on the jackpotting attacks, says that the strain of malware being installed on ATMs is called Ploutus-D. It was first discovered coursing through Latin America back in 2013, and at the time targeted Diebold ATMs. FireEye wrote in January 2017:

Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.

According to Krebs and the Secret Service, Diebold ATMs are again the target this time around, with Opteva 500 and 700 Series machines being the primary victims.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” writes the Secret Service in a leaked confidential memo. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.”

So how exactly are thieves gaining physical access to the ATMs? According to the Secret Service, the criminals are using endoscopes -- usually reserved for medical procedures -- to sneak a peek inside the machines for a laptop connection point. However, thieves would still have to pick the machine's lock (or have access to its key) to gain internal access.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” said NCR, another ATM manufacturer that has not been hit by these jackpotting attacks -- yet. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”