Two of the most prominent ATM makers in the world have warned the public about a so-called ATM jackpotting scheme that’s quickly spreading throughout the United States.
NCR Corp and Diebold Nixdorf Inc have raised alarms about a hacking tool used by cybercriminals to force cash machines into dispensing money. The scheme, known as ATM jackpotting, has allegedly reached the United States and is now spreading quickly.
In 2016, cybercriminals were able to cash out millions of dollars from ATMs in Taiwan and Thailand through jackpotting. Back then, the Federal Bureau of Investigation warned Americans that “well-resourced and organized” cybercriminals are potentially eyeing the U.S. as their next target.
While cash machines in the U.S. are said to be newer and have better protection than in other countries, they are still susceptible to hacking. In a report from Reuters, Diebold and NCR admitted that attacks have already occurred in the country. However, the two ATM manufacturers did not provide further details about how much money was taken or if there were individuals targeted by the attacks.
For years, ATM jackpotting has been a major threat in most European and Asian countries. For a number of reasons, these sophisticated hacking attacks have not been commonplace within the United States. However, things changed this month when the U.S. Secret Service started warning financial institutions about potential attacks.
Krebs on Security, a security news and investigation site, said it first heard of the jackpotting attacks, also known as logical attacks, on January 21st. At the time, NCR said it had received unconfirmed reports, but nothing substantial.
On Friday, however, NCR sent an advisory to its customers warning them about potential ATM attacks. Krebs was able to quote a part of the notice which reads:
“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue. This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”
Diebold Nixdorf ATMs Targeted
Further reports said that ATMs manufactured by Diebold Nixdorf were attacked using a jackpotting malware known as Ploutus.D. A reliable Krebs source said that the Secret Service received information about organized criminal gangs activating “cash out crews” to attack front-loading Diebold Nixdorf ATMs.
Using this malware, the hackers are said to be targeting Opteva 500 and 700 series Diebold Nixdorf ATMs in a series of organized attacks. The attacks reportedly happened in the past few days, and further investigation into the matter revealed that more attacks are being planned in different parts of the country.
“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs.” ~ U.S. Secret Service
“During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM’s operating system along with a mobile device to the targeted ATM,” a part of the Secret Service’s alert reads.
The Ploutus.D Malware
According to FireEye, the Ploutus.D malware has to be installed manually on a targeted machine before it can be activated. The high-risk task, which may involve picking locks or destroying parts of the cash machine, is said to be carried out typically by “money mules” or low-level operators within a criminal organization.
“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” Daniel Regalado of FireEye wrote in a 2017 Ploutus.D analysis.
“Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”
The Secret Service alert further stated that ATMs running on Windows XP are particularly vulnerable to a Ploutus.D attack. The agency is therefore urging operators to update their operating systems to Windows 7 or a later OS.