Cash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed "jackpotting" because the ATMs look like slot machines paying out winnings.
A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to Reuters on Monday.
Typically, crooks inject malware into an ATM to make it rapidly dole out large sums of money that doesn't belong to the thieves. Anyone aware of the work by security researcher Barnaby Jack – who almost 10 years ago revealed various ways to force cash machines to cough up cash on demand – will know of jackpotting.
According to an alert [PDF] issued by ATM maker manufacturers Diebold Nixdorf this month, obtained by cybersecurity sleuth Brian Krebs, organized crooks are using the Windows malware Ploutus-D to compromise machines, with the Opteva 500 and 700 series machines being particularly vulnerable. This software nasty was associated with a jackpotting spree that hit Latin America last year, as infosec biz FireEye reported at the time.
Since 2013, if not earlier, Ploutus has been a favorite of Mexican banditos raiding cash machines, as previous Reg stories document. Viewed from this perspective, the main surprise today is that it’s taken so long for the scam to surface north of the border, moving from Mexico to the United States.
To get Ploutus into an ATM, the crooks have to gain physical access to the box's internals to swap its computer hard drive for an infected one. Once the disk is in place and the ATM rebooted, the villains have full control over the device, allowing them to order it to dispense the contents of its cartridges of dollar bills.
Thus, Diebold Nixdorf recommends physical security is stepped up for each cash machine – particularly ones placed in big stores, pharmacies and drive-thrus, all of which crooks seem to prefer to tamper with. Also, tightening the security configuration of the firmware is recommended.
Meanwhile, ATM maker NCR also warned of similar jackpotting attacks against its models.
Leigh-Anne Galloway, cyber security resilience lead at Positive.com and a banking tech expert with experience in analyzing the security of ATMs, said would-be thieves seem to have picked a difficult approach towards reaching their objective.
"What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen,” Galloway said. “In other words, it's very surprising the method that these criminals have come up with.
"This attack vector involves replacing the boot media – the hard drive – of the ATM and bypassing security controls between the media and the dispenser itself, using an endoscope to press a button to reset the dispenser communication."
Galloway offered suggestion on how US financial institutions might defend against potential attack. "The attack can mostly be mitigated by limiting physical access to the ATM, the service area, and requiring physical authentication by maintainers,” she advised. ®