
ATM Jackpotting Cyber Heists Hit U.S. Cash Machines

Cyber gangsters are prepping to steal huge amounts of cash from U.S. ATMs using malware that directs the machines to instantaneously jet out money in so-called “jackpotting” attacks, a new cybersecurity report said.

Updated Monday, 7:40 p.m. ET: The attacks are already under way. So far, more than $1 million has been hijacked from ATM machines across the United States, a senior U.S. Secret Service official told Reuters on Monday.

The jackpotting heists, reminiscent of a winning slot machine (except for the bold thievery, flashing lights and ding-dings), have previously been confined to Asia, Europe and Mexico but now pose a serious threat to U.S. banks, according to Brian Krebs, who writes the security blog Krebs on Security. The gangs are said to be using sophisticated jackpotting malware called Ploutus.D first deployed in attacks four years ago, the report said.

ATM Jackpotting Warning

Apparently, the U.S. Secret Service has jumped on this quickly, already cautioning some U.S. financial institutions about stepped-up, organized jackpotting attacks occurring in the last 10 days on certain models of Diebold Nixdorf standalone ATMs. And, this may be just an early foray: According to a Krebs source, the culprits may be preparing to hit more front-loading Diebold cash machines, many of which are located inside big retail outlets and drive-thru banks.

At this point, it’s unclear how much money has been stolen or which cash machines are in the gang’s sights. But anxiety is building: As a precautionary move, both Diebold and NCR last week alerted customers to the robbery threat, Krebs said.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert read (via Krebs). “This (the Diebold attack) represents the first confirmed cases of losses due to attacks in the U.S. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

How do the burglars pull it off? The linchpin to the whole thing is that the cyber robbers must first gain physical access to the ATM to infect the machine with malware and/or special electronic devices that allow them to control its inner workings. In some prior attacks, crooks posing as ATM technicians attached a laptop mirroring the targeted machine’s operating system, along with a mobile device to set up remote access.

A Secret Service alert read by Krebs detailed the potential haul: “In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash.”

ATM Jackpotting History

Jackpotting, first seen in Mexico in 2013, appears to be the next level up from skimming devices used on ATM machines to steal personal bank card information. Methodology and technology aside for the moment, jackpotting presents a threat far more ominous to the banking industry than skimming, owing to the large amounts of on-demand cash involved.

As cases in point, in 2016 a jackpotting gang stole $13 million from Japanese ATMs in three hours, the Washington Post said, citing a Fortune story. Later that year loose cash was spotted fluttering around dozens of First Commercial Bank ATMs in Taipei, Taiwan. Thieves had reportedly carried away some $2 million in cash.

Krebs said that the Secret Service has advised banks running ATMs on Windows XP to upgrade to Windows 7.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.