Jackpotting hits ATMs to spit out cash


Jackpotting is a crime in which hackers install malicious software or hardware on ATMs to force the machines to spit out huge amounts of cash. Jackpotting was mostly a threat in Europe, Asia, and Mexico, but the Secret Service has been warning US financial institutions that domestic ATMs are being targeted in jackpotting attacks. Jackpotting attacks have hit a number of countries in Europe in recent years, and those followed similar attacks in Taiwan and Thailand.

Methods of jackpotting attack:

Jackpotting attacks can empty an ATM’s cash reserves in minutes. There are several methods of stealing cash from an ATM, such as physically accessing the ATM and plugging in a purpose-built black box to override security controls. An attack can also be carried out by installing a skimmer in the mouth of the card reader, which reads and stores the data on cards’ magnetic stripes as consumers feed their cards into the machine. In some cases the skimmer broadcasts the data to a waiting attacker via Bluetooth.

But the most interesting method uses ports. Attacks are performed by accessing a USB port on the machine and injecting malicious code. The use of a doctor’s endoscope is the most interesting part of this attack. The endoscope is used to sync the ATM’s computer with the hacker’s system.

The hackers gain physical access to the machines and infect them with malware remotely. It’s unclear which particular strain of malware is being used, but a report suggests that it could be a strain known as “Ploutus.D”. An analysis of Ploutus.D in 2017 described it as one of the most advanced ATM malware families. Ploutus was first discovered back in 2013. It enabled criminals to empty ATMs using an external keyboard attached to the machine. Ploutus.D can also make internet-connected ATMs dispense cash using an SMS code, meaning the attacker doesn’t even need to maintain a physical connection to empty the machine.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. Earlier, fraudsters disguised as ATM technicians attached a laptop with a mirror image of the ATM’s operating system, along with a mobile device, to the targeted ATM. The attacks occurred during the past 10 days, and evidence suggests that more are being planned. The source said that the attacks are targeting Diebold Nixdorf’s Opteva 500 and 700 series machines.

Jackpotting using endoscope:

The Secret Service said that the fraudsters typically insert a doctor’s endoscope into the targeted ATM to locate the internal part of the ATM that will sync the laptop with the ATM’s computer. The original hard disk of the ATM is removed and replaced with a disk that mirrors the ATM’s own software. The ATM will then appear Out of Service to potential customers. The fraudsters then attach a cord that allows them to control the ATM from their laptop. Once the malware is installed, hackers can remotely force the machine to spit out cash to the person present at the ATM site.

Once the cycle starts, the machine will be completely emptied of all cash on hand unless the person collecting the cash presses a cancel button on the keypad. The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.

No matter what kind of data a company deals with, protecting end-point hardware is essential. In the case of standalone machines like ATMs, access points such as USB ports need to be thoroughly protected, as well as disabled, to prevent attackers from using them if they do gain access.
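The sequence described above (the ATM shows Out of Service, its disk or a cable is changed, then cash is dispensed continuously) can be turned into a monitoring rule. The following is an added example, not code from the article or the Secret Service alert; the event names, fields, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

TAMPER = {"DISK_CHANGED", "USB_ATTACHED"}  # hypothetical event names

# Constructed sample events (ts = seconds since start); not real ATM logs.
SAMPLE_EVENTS = (
    [{"ts": 0, "atm": "ATM-A", "type": "OUT_OF_SERVICE"},
     {"ts": 120, "atm": "ATM-A", "type": "DISK_CHANGED"},
     {"ts": 300, "atm": "ATM-A", "type": "USB_ATTACHED"}]
    + [{"ts": 600 + 20 * i, "atm": "ATM-A", "type": "DISPENSE"} for i in range(8)]
    # ATM-B: ordinary customer withdrawals, no tamper signals.
    + [{"ts": 50, "atm": "ATM-B", "type": "DISPENSE"},
       {"ts": 900, "atm": "ATM-B", "type": "DISPENSE"}]
    # ATM-C: maintenance visit, back in service long before cash is dispensed.
    + [{"ts": 100, "atm": "ATM-C", "type": "OUT_OF_SERVICE"},
       {"ts": 200, "atm": "ATM-C", "type": "USB_ATTACHED"},
       {"ts": 400, "atm": "ATM-C", "type": "IN_SERVICE"}]
    + [{"ts": 4000 + 60 * i, "atm": "ATM-C", "type": "DISPENSE"} for i in range(6)]
)


def flag_jackpotting(events, window=1800, min_dispenses=5):
    """Return {atm_id: suspicious_dispense_count} for ATMs worth an alert.

    A dispense is suspicious when the ATM reports itself out of service, or
    when a disk/USB change happened within `window` seconds before it.
    """
    by_atm = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_atm[event["atm"]].append(event)

    alerts = {}
    for atm, atm_events in by_atm.items():
        out_of_service, last_tamper, suspicious = False, None, 0
        for event in atm_events:
            kind, ts = event["type"], event["ts"]
            if kind == "OUT_OF_SERVICE":
                out_of_service = True
            elif kind == "IN_SERVICE":
                out_of_service = False
            elif kind in TAMPER:
                last_tamper = ts
            elif kind == "DISPENSE":
                recent = last_tamper is not None and ts - last_tamper <= window
                suspicious += out_of_service or recent
        if suspicious >= min_dispenses:
            alerts[atm] = suspicious
    return alerts


if __name__ == "__main__":
    print(flag_jackpotting(SAMPLE_EVENTS))
```

The maintenance visit on ATM-C is not flagged because the machine returned to service and its dispenses fall outside the window; widening the window trades fewer misses for more false alerts on legitimate servicing.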