Crooks make US ATMs spew million-plus bucks in 'jackpotting' hacks

If you could keep an eye on miscreants cracking open your boxes, that would be great

By John Leyden

Posted in Security, 30th January 2018 03:56 GMT

Cash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed "jackpotting" because the ATMs look like slot machines paying out winnings.

A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to Reuters on Monday.

Typically, crooks inject malware into an ATM to make it rapidly dole out large sums of money that doesn't belong to the thieves. Anyone aware of the work by security researcher Barnaby Jack – who almost 10 years ago revealed various ways to force cash machines to cough up cash on demand – will know of jackpotting.

According to an alert [PDF] issued by ATM manufacturer Diebold Nixdorf this month, obtained by cybersecurity sleuth Brian Krebs, organized crooks are using the Windows malware Ploutus-D to compromise machines, with the Opteva 500 and 700 series machines being particularly vulnerable. This software nasty was associated with a jackpotting spree that hit Latin America last year, as infosec biz FireEye reported at the time.

Since 2013, if not earlier, Ploutus has been a favorite of Mexican banditos raiding cash machines, as previous Reg stories document. Viewed from this perspective, the main surprise today is that it’s taken so long for the scam to surface north of the border, moving from Mexico to the United States.

To get Ploutus into an ATM, the crooks have to gain physical access to the box's internals to swap its computer hard drive for an infected one. Once the disk is in place and the ATM rebooted, the villains have full control over the device, allowing them to order it to dispense the contents of its cartridges of dollar bills.

Thus, Diebold Nixdorf recommends physical security is stepped up for each cash machine – particularly ones placed in big stores, pharmacies and drive-thrus, all of which crooks seem to prefer to tamper with. Also, tightening the security configuration of the firmware is recommended.

Meanwhile, ATM maker NCR also warned of similar jackpotting attacks against its models.

Leigh-Anne Galloway, cyber security resilience lead at Positive.com and a banking tech expert with experience in analyzing the security of ATMs, said would-be thieves seem to have picked a difficult approach towards reaching their objective.

"What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen," Galloway said. "In other words, it's very surprising the method that these criminals have come up with.

"This attack vector involves replacing the boot media – the hard drive – of the ATM and bypassing security controls between the media and the dispenser itself, using an endoscope to press a button to reset the dispenser communication."

Galloway offered suggestions on how US financial institutions might defend against potential attack. "The attack can mostly be mitigated by limiting physical access to the ATM, the service area, and requiring physical authentication by maintainers," she advised. ®
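The two observable steps the article describes (the boot drive being swapped, and the dispenser communication being reset) map onto checks a bank's monitoring could run against ATM telemetry, paired with the "physical authentication by maintainers" control Galloway mentions. The following is an added illustration, not code from The Register, Diebold Nixdorf, NCR or Positive; the event format, field names, ATM identifiers, serial numbers and log lines are all constructed for the example, and real ATM platforms emit different telemetry.

```python
"""Added example: correlate ATM events against a baseline and maintenance sessions.

Two signals are flagged:
  1. boot_media_swap            - the machine booted from a drive whose serial
                                  differs from the recorded baseline;
  2. unauthorised_dispenser_reset - the dispenser link was reset with no
                                  authenticated maintainer session shortly before.
Everything below (event schema, sample log, baselines) is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# How long after a maintainer badge-in a dispenser reset is considered expected.
MAINT_WINDOW = timedelta(minutes=30)


@dataclass
class Baseline:
    boot_media_serial: str  # serial of the hard drive that should be installed


@dataclass
class Alert:
    atm_id: str
    kind: str
    detail: str


def parse_event(line):
    """Parse one constructed log line: '<iso-ts> <atm-id> <EVENT> k=v k=v ...'."""
    ts, atm_id, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "atm": atm_id, "kind": kind, **fields}


def detect(lines, baselines):
    """Return alerts for media swaps and dispenser resets without a maintainer session."""
    alerts = []
    last_maint_auth = {}  # atm_id -> timestamp of the most recent authenticated maintainer
    for line in lines:
        ev = parse_event(line)
        atm = ev["atm"]
        if ev["kind"] == "MAINT_AUTH":
            last_maint_auth[atm] = ev["ts"]
        elif ev["kind"] == "BOOT":
            expected = baselines[atm].boot_media_serial
            if ev["serial"] != expected:
                alerts.append(Alert(atm, "boot_media_swap",
                                    f"expected drive {expected}, booted from {ev['serial']}"))
        elif ev["kind"] == "DISPENSER_RESET":
            auth_ts = last_maint_auth.get(atm)
            if auth_ts is None or ev["ts"] - auth_ts > MAINT_WINDOW:
                alerts.append(Alert(atm, "unauthorised_dispenser_reset",
                                    "dispenser link reset with no recent maintainer authentication"))
    return alerts


# Constructed sample telemetry: ATM-0101 is a legitimate service visit,
# ATM-0417 shows a foreign drive followed by an unexplained dispenser reset.
SAMPLE_LOG = [
    "2018-01-28T01:55:10 ATM-0101 MAINT_AUTH tech=badge-7731",
    "2018-01-28T02:05:42 ATM-0101 DISPENSER_RESET reason=service",
    "2018-01-28T02:06:30 ATM-0101 BOOT serial=SN-AAAA1111",
    "2018-01-28T03:12:07 ATM-0417 BOOT serial=SN-ZZZZ9999",
    "2018-01-28T03:13:55 ATM-0417 DISPENSER_RESET reason=unknown",
]
BASELINES = {
    "ATM-0101": Baseline("SN-AAAA1111"),
    "ATM-0417": Baseline("SN-BBBB2222"),
}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINES):
        print(f"{alert.atm_id} {alert.kind}: {alert.detail}")
```

Running the block reports two alerts, both for ATM-0417: the boot from an unexpected drive and the dispenser reset that no maintainer badge-in preceded. The design point is that neither signal is conclusive on its own (drives are replaced during legitimate service), so the check ties each event to a recorded baseline and to an authenticated maintenance session rather than alerting on the event alone.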
