Thieves Target ATMs In First US Jackpotting Attacks

Published: 22/11/2024   Category: security




Attackers have been getting ATMs to illegally dispense cash by tampering with their internal electronics, US Secret Service warns.



Diebold Nixdorf and NCR, two of the world's largest ATM vendors, are warning their US customers about recent so-called jackpotting attacks where cybercriminals force terminals to illegally dispense large amounts of cash by tampering with their internal electronics.
In its customer alert, Diebold Nixdorf said that the US Secret Service had informed the company on Jan. 26 about jackpotting attacks moving from Mexico to the US for the first time. The attack that the Secret Service memo described was the same as one that Diebold Nixdorf had warned customers about in November 2017, said the alert, which the company made available to Dark Reading.
According to the ATM maker, attackers are removing the top hat of its Opteva front-load ATM terminals and replacing original hard disks with previously prepared replacement disks that contain an unauthorized image of the ATM's software.
In order to pair the new disk with the terminal, the attackers have to first reset its communications — a multi-step process that requires them to press and hold a button inside the ATM's locked safe. CCTV footage of the attacks shows the criminals using an industrial endoscope to look inside the safe so they can locate the button and then use an extension to press it down till the pairing is complete.
All Diebold Nixdorf front-load Advanced Function Dispenser (AFD)-based Opteva ATMs are vulnerable to the attack. Rear-load Opteva models are also vulnerable, but would be extremely difficult to attack using the current approach, the company said.
The attack circumvents the ATM's physical security and authorization features to allow dispensers to be paired with rogue hard drives, the vendor said. As the ATMs that are currently being targeted are older, legacy Diebold units, it's important to remind financial institutions to keep their security up to date, the company said in a statement.
In an emailed comment, NCR said it, too, had alerted customers of its ATM machines about the jackpotting attacks and offered guidance on how to protect against them. Though the attacks have targeted non-NCR systems so far, they represent the first logical attacks against ATMs in the US and therefore should be taken seriously by everyone.
In a January 26 press statement, the US Secret Service described the attacks as mainly targeting stand-alone ATMs of the sort routinely found in pharmacies, big box retailers, and drive-through locations. Criminals range from individual suspects to large organized groups, from local criminals to international organized crime syndicates, the Secret Service statement said.
KrebsOnSecurity, which was first to report on the new attacks, said the thieves behind it appear to be using a new version of a jackpotting malware tool called Ploutus.D to steal money from cash dispensers. The blog quoted an unnamed source at the Secret Service saying that the crooks behind the jackpotting campaign have begun sending out so-called cash out crews to attack and compromise front-loading Diebold machines.
Once a terminal has been paired with a rogue hard drive, members of the crew contact co-conspirators who then take remote control of the ATM and force it to dispense cash. In previous attacks involving Ploutus-D, attackers have been able to force compromised ATMs to spit out up to 40 currency bills every 23 seconds, Krebs on Security said.
Attacks targeting ATMs are not new. As far back as 2010, a researcher with IOActive demonstrated how attackers could compromise ATMs and force them to dispense wads of cash. In 2016, a suspected Russian operation stole more than $2 million from ATMs, likely using just their smartphones.
Hands-On Hack
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says what makes the jackpotting attacks interesting is the level of access criminals need to pull it off. What is strange in this scenario is the level of physical access obtained by the attackers, she says. The only real benefit of this may be from infecting further machines without the bank becoming aware.
But even then, compromised ATMs would display an out-of-service notification, she says.
Attackers can steal money from ATMs using less complicated methods than jackpotting, she notes. There are actually remote attacks that don't rely on physical access to the inside of the ATM, and travel via infection of a bank's core network, she says.
Modems used for communications can also have vulnerabilities. If the ATM is connected to the network via a modem, it is possible to find vulnerabilities in modems, which would allow an attacker to gain access, Galloway says.
For ATM operators, the attacks highlight the need for proper risk management, says Alan Brill, senior managing director, cybersecurity and investigations for Kroll. The reports of the incidents suggest that certain older stand-alone ATMs are being targeted, he says. Successful attacks require access to the ATM to [install] the malware and in at least some cases, a button had to be pushed, for which the bad guys used an endoscope.
Endoscopes fully equipped with lights and tools that could be used to press a button in the innards of an ATM are available on many sites for under $20, Brill says.
There are a few common-sense ways of managing the risk of jackpotting attacks, he notes. Unexpected visits by ATM technicians, for instance, should be a red flag. Stand-alone ATMs should be in a location that is visible to employees and covered by a security camera. Tamper-evident tape can be used to close off openings that would allow an attacker to insert an endoscope into a terminal.
ATM owners should also always know who to contact when there's a problem, and to authenticate the person whom they are calling.
When taking precautions against threats like jackpotting, it's also best to implement security against other threats as well, such as skimming. There's an overlap in security so that protecting against one form of attack can help mitigate the risk of multiple forms of attack, Brill notes.