Jackpotting Attacks Hitting U.S. ATMs Per Secret Service



ATM manufacturers sent notices to banks late last week warning that "jackpotting" attacks have come to the U.S.

It was nearly eight years ago at the Black Hat computer security conference that Barnaby Jack identified flaws in the design of some automated teller machines (ATM) that made them vulnerable to hacks.

Jack, a New Zealand-based hacker, has since passed, but his research, namely how he got an ATM to spit out bill after bill on stage, a trick he dubbed "jackpotting," remains the stuff of information security legend.

While those types of attacks never really went away, they could become a lot more commonplace in the near future, according to advisories sent by ATM manufacturers to banks last week.

Diebold Nixdorf, the largest provider of ATMs in the U.S., warned banks on Friday that it was aware of new attacks in the U.S. Specifically, the company said it was informed by U.S. authorities of "potential Jackpotting attacks moving from Mexico to the United States" targeting Opteva brand ATMs with advanced function dispenser slots.

Last summer, researchers with IOActive, the firm where Jack was director of security research in 2010, warned about critical flaws in Opteva ATMs that could let an attacker vend money from the machines.

Cybersecurity reporter Brian Krebs broke the news and shared a .PDF of the advisory over the weekend. Diebold Nixdorf's advisory wasn't the only one to go out on Friday; NCR Corporation, which has its own line of ATMs, also warned customers that it had received reports from the Secret Service and "other sources" about jackpotting attempts, according to Krebs.

"This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences," the NCR alert read, according to Krebs.

The Secret Service published a press release (.PDF) on the topic as well, warning that drive-thru ATMs and ATMs in pharmacies and big box retailers were being targeted by attackers. The law enforcement agency said little else about the attacks other than that it learned of them through a partner in its Electronic Crimes Task Force (ECTF) network.

To carry out an attack, vendors say, a cybercriminal would have to gain physical access to the ATM's hard drive. Previously, attackers have managed this by picking locks, physically damaging ATMs with drills, or obtaining legitimate keys that open the ATM chassis.

In its advisory, Diebold Nixdorf encouraged banks to ensure that ATM compartments are properly locked and monitored and that the machines are running the latest firmware.

While neither vendor went on record about what strain of malware attackers are using to hack ATMs, Krebs, who cites a "source close to the matter," says cybercriminals have been using Ploutus.D, a type of jackpotting malware that dates back to 2013.

As of last fall, Ploutus accounted for more than $64M in losses, according to researchers who published a paper and presented research at Virus Bulletin on the behavior of Latin American ATM thieves. Ploutus was one of four families that Fabio Assolini and Thiago Marques, researchers with Kaspersky Lab, discussed, alongside Prilex, Green Dispenser and Ice5.

Researchers with FireEye published a deep dive on the malware in January 2017, calling it one of the "most advanced malware families" they had seen in the last few years. According to Daniel Regalado, a money mule would need a master key to open the top part of an ATM, a physical keyboard to connect to the machine, and an activation code to dispense money from the machine. It would only take minutes for an attacker to make off with thousands of dollars, the researcher said at the time.

ATM photo via mobili's Flickr photostream, Creative Commons

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with nearly a decade of experience writing about information security, hackers, and privacy. Prior to joining Digital Guardian he helped launch Threatpost.