Organized criminals are physically accessing ATMs and infecting them with malware that makes them spit out cash, in what reports are calling the first-ever confirmed case of "jackpotting" attacks in the U.S.
Security analyst and blogger Brian Krebs reported on Jan. 27 that the U.S. Secret Service has been discreetly warning financial institutions about the operation, which began almost two weeks ago and leverages a sophisticated malware program called Ploutus.D, which allows actors to empty ATMs by using either an attached keyboard or SMS messaging.
So far, the attackers have reportedly focused on standalone terminals installed in various retail and drive-through ATM locations. Meanwhile, the malware itself targets machines from Cincinnati, Ohio-based manufacturer Diebold-Nixdorf -- specifically its front-loading Opteva series 500 and 700 terminals. However, a Jan. 25 Diebold-Nixdorf security alert published by Krebs states that terminals from additional ATM vendors that do not require physical authentication could also potentially be affected.
A confidential Secret Service alert sent to financial institutions and later obtained by KrebsOnSecurity warns that the attackers have been assigning "cash-out crews" to ATM locations in the guise of machine technicians so that they can physically access the terminals. The crew replaces the machine's hard disk with a malicious one, and uses an endoscope to look through and navigate the internal mechanisms of the ATM, in order to attach a cord that connects to a malicious laptop and accompanying mobile device. At that point, the phony technicians contact their co-conspirators, who are now able to control the ATMs and force them to dispense cash, which is subsequently collected by money mules.
In its alert, Diebold-Nixdorf describes the operation in further detail, noting that it echoes previous attacks launched in October 2017 against Mexican ATM locations:
"As in Mexico last year, the attack involves a series of different steps to overcome security mechanisms and the authorization process for setting the communication with the dispenser," the alert states. "The original hard disk of the terminal is removed and replaced by another hard disk, which has been prepared by the criminals before the attack and also contains an unauthorized and/or stolen image of ATM platform software."
"In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. As a preparation, a cable is unplugged to manipulate the sensor state to allow the pairing functionality to become available. In order to initiate the dispenser communication additionally a dedicated button inside the safe needs to be pressed and held. With the help of an extension, which is inserted into existing gaps next to the presenter, the button is depressed. According to customer CCTV footage the criminals use an industrial endoscope to achieve this."
Jackpotting is reportedly already a well-established threat to financial services and ATM operators in Europe, Asia and Mexico, but such attacks are a notable first in the U.S. Citing an unnamed source close to the Secret Service, Krebs also warned that more U.S.-based attacks are planned by the responsible criminal organization.
Jane Khodos, senior communications director at the Financial Services - Information Sharing and Analysis Center (FS-ISAC), sent SC Media an official statement, assuring businesses that the jackpotting operation "does not appear widespread in the U.S. at this time," adding that exposed ATMs in outdoor locations are most at risk. "ATMs and systems have multiple defenses, including physical and cyber. Financial institutions are constantly reviewing and improving layered security in response to changes in the evolving threat landscape," the statement continues.
Also known as logical attacks, jackpotting operations aren't the easiest to pull off, either. "What's interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen. In other words, it's very surprising the method that these criminals have come up with," said Leigh-Anne Galloway, cybersecurity resilience lead and ATM expert at Positive Technologies, in emailed comments.
"The attack can mostly be mitigated by limiting physical access to the ATM, the service area, and requiring physical authentication by maintainers," Galloway continued. "We have seen quite an increase in logical attacks over the last couple of years and this is certainly one of the most novel."
David Tente, executive director, USA & Americas at the ATM Industry Association (ATMIA), told SC Media in an email interview that the trade association is aware of the reports, but has "not received any information from ATMIA members at jackpotting in the U.S."
According to ATMIA's 2017 global Annual Fraud Survey, only seven percent of reported incidents last year consisted of jackpotting or attempted jackpotting.