Crooks make US ATMs spew million-plus bucks in 'jackpotting' hacks

If you could keep an eye on miscreants cracking open your boxes, that would be great

By John Leyden


Cash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed "jackpotting" because the ATMs look like slot machines paying out winnings.

A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to Reuters on Monday.

Typically, crooks inject malware into an ATM to make it rapidly dole out large sums of money that doesn't belong to the thieves. Anyone aware of the work by security researcher Barnaby Jack – who almost 10 years ago revealed various ways to force cash machines to cough up cash on demand – will know of jackpotting.

According to an alert [PDF] issued by ATM maker Diebold Nixdorf this month, obtained by cybersecurity sleuth Brian Krebs, organized crooks are using the Windows malware Ploutus-D to compromise machines, with the Opteva 500 and 700 series machines being particularly vulnerable. This software nasty was associated with a jackpotting spree that hit Latin America last year, as infosec biz FireEye reported at the time.

Since 2013, if not earlier, Ploutus has been a favorite of Mexican banditos raiding cash machines, as previous Reg stories document. Viewed from this perspective, the main surprise today is that it’s taken so long for the scam to surface north of the border, moving from Mexico to the United States.

To get Ploutus into an ATM, the crooks have to gain physical access to the box's internals to swap its computer hard drive for an infected one. Once the disk is in place and the ATM rebooted, the villains have full control over the device, allowing them to order it to dispense the contents of its cartridges of dollar bills.

Thus, Diebold Nixdorf recommends that physical security be stepped up for each cash machine – particularly ones placed in big stores, pharmacies and drive-thrus, all of which crooks seem to prefer to tamper with. Tightening the security configuration of the firmware is also recommended.

Meanwhile, ATM maker NCR also warned of similar jackpotting attacks against its models.

Leigh-Anne Galloway, a cyber security resilience lead and banking tech expert with experience in analyzing the security of ATMs, said would-be thieves seem to have picked a difficult approach to reaching their objective.

"What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen," Galloway said. "In other words, it's very surprising the method that these criminals have come up with.

"This attack vector involves replacing the boot media – the hard drive – of the ATM and bypassing security controls between the media and the dispenser itself, using an endoscope to press a button to reset the dispenser communication."

Galloway offered a suggestion on how US financial institutions might defend against potential attacks. "The attack can mostly be mitigated by limiting physical access to the ATM, the service area, and requiring physical authentication by maintainers," she advised. ®
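The controls Galloway describes sit between the boot media and the dispenser: if the dispenser only honours commands from a host that can prove its boot media is the vendor's and that holds a pairing secret, a swapped hard drive on its own buys an attacker nothing. The model below is an added teaching example, not code from Diebold Nixdorf, NCR or the article's author; the `Dispenser`/`Host` classes, the pairing key, the boot images and the idea of using a plain SHA-256 over the image as the "measurement" are all assumptions (a real ATM would take the measurement from secure boot or a TPM). It shows the dispenser rejecting a host booted from unknown media, a host without the pairing key, and a replayed command, while logging each decision for the bank's monitoring.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not real images or keys).
GENUINE_BOOT_IMAGE = b"vendor-os-image-v1 (constructed sample)"
SWAPPED_BOOT_IMAGE = b"unknown-replacement-disk (constructed sample)"
PAIRING_KEY = b"constructed-pairing-key-do-not-reuse"


def measure_boot_media(image):
    """Measurement of the boot media. Here a SHA-256 over the image bytes stands
    in for the value a TPM or secure-boot chain would produce (assumption)."""
    return hashlib.sha256(image).hexdigest()


def sign_command(key, measurement, amount, nonce):
    """Host side: bind a dispense request to the boot measurement, the amount and
    the dispenser's fresh nonce so it cannot be forged or replayed."""
    msg = measurement.encode() + amount.to_bytes(4, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Dispenser:
    """Models the dispenser firmware's side of the host-to-dispenser link."""

    def __init__(self, pairing_key, allowed_measurements):
        self._key = pairing_key
        self._allowed = set(allowed_measurements)  # known-good boot media
        self._nonce = None
        self.audit_log = []  # what a bank's monitoring would want to see

    def challenge(self):
        """Issue a single-use nonce that the next command must be bound to."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def dispense(self, measurement, amount, nonce, tag):
        # 1. Freshness: the nonce must be the one we just issued, and used once.
        if self._nonce is None or not hmac.compare_digest(nonce, self._nonce):
            self.audit_log.append("REJECT: stale or replayed nonce")
            return False
        self._nonce = None
        # 2. Boot media: a swapped disk produces a measurement we do not know.
        if measurement not in self._allowed:
            self.audit_log.append("REJECT: boot media measurement not on allow-list")
            return False
        # 3. Pairing: only a host holding the pairing key can produce a valid MAC.
        expected = sign_command(self._key, measurement, amount, nonce)
        if not hmac.compare_digest(tag, expected):
            self.audit_log.append("REJECT: bad command MAC")
            return False
        self.audit_log.append("OK: dispensed %d notes" % amount)
        return True


class Host:
    """Models the ATM's PC core, booted from whatever disk is installed."""

    def __init__(self, boot_image, key):
        self.measurement = measure_boot_media(boot_image)
        self._key = key

    def request_dispense(self, dispenser, amount):
        nonce = dispenser.challenge()
        tag = sign_command(self._key, self.measurement, amount, nonce)
        return dispenser.dispense(self.measurement, amount, nonce, tag)


def run_scenarios():
    """Exercise the genuine host and the failure modes; returns (results, audit_log)."""
    disp = Dispenser(PAIRING_KEY, [measure_boot_media(GENUINE_BOOT_IMAGE)])
    genuine = Host(GENUINE_BOOT_IMAGE, PAIRING_KEY)
    swapped = Host(SWAPPED_BOOT_IMAGE, PAIRING_KEY)   # swapped disk, even with the key
    unpaired = Host(GENUINE_BOOT_IMAGE, b"wrong-key")  # right disk, no pairing secret
    results = {
        "genuine": genuine.request_dispense(disp, 40),
        "swapped_media": swapped.request_dispense(disp, 40),
        "unpaired_host": unpaired.request_dispense(disp, 40),
    }
    # Replay: re-send a previously accepted command verbatim.
    nonce = disp.challenge()
    tag = sign_command(PAIRING_KEY, genuine.measurement, 40, nonce)
    disp.dispense(genuine.measurement, 40, nonce, tag)
    results["replay"] = disp.dispense(genuine.measurement, 40, nonce, tag)
    return results, disp.audit_log


if __name__ == "__main__":
    outcome, log = run_scenarios()
    print(outcome)
    print("\n".join(log))
```

The order of the three checks matters for what ends up in the audit trail: a rejected nonce or unknown measurement is logged before any MAC work is done, so a monitoring team sees "boot media not on allow-list" as a distinct event rather than a generic authentication failure.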


