Attacks on automated teller machines (ATMs) started hitting the United States in late January 2018. Known as ATM jackpotting, the attack relies on malware that lets thieves turn ATMs into slot machine-type “jackpots.” Once hacked, machines start spitting out money and don’t stop until they’re empty. This high-level overview describes how ATM jackpotting works and suggests countermeasures to protect ATMs.
The "ATM jackpotting" attack is not new to the cybersecurity world. Researchers at Symantec first spotted the malware in Mexico in 2013. In that event, attackers used either an external keyboard or SMS text messaging to send commands to a compromised ATM.
The current threat targets older, front-loaded Diebold ATM models Opteva 500 and 700. Diebold’s back-loaded ATM models are much harder to exploit physically because of the location of the internal components. However, FireEye researcher Daniel Regalado also warns the malware could easily be customized to exploit other models and manufacturers that use the Kalignite multivendor platform.
Compromising an ATM is not an easy feat. In order to compromise ATMs and later exploit them, attackers must first gain physical access without looking suspicious or being caught. Because U.S. ATMs generally have stronger physical security controls, such as security cameras, the attack has taken its time in reaching the United States. An attacker is most likely to attempt ATM jackpotting on a machine with the least amount of foot traffic and security controls.
Jackpotting thieves use a variety of methods to identify vulnerable targets and weasel their way in. They have been known to use social engineering tactics to their advantage, such as posing as maintenance or technical contractors performing routine checkups on ATMs. From there, the attackers have to gain access to the inner workings of the ATM by using a stolen key, a picklock, or an industrial USB endoscope, or by cutting into the machine. Once they have physical access to the machine, attackers connect a device, such as a small laptop, phone, or other electronic device, and inject malware known as “Ploutus.D.”
After the malware is loaded, attackers can send one or more of their members known as “money mules” to exploit compromised ATMs and collect the cash. Money mules can initiate the exploit using a specific code provided by their boss or attack leader. After ATMs are emptied of all their cash, the money mule or the fake technician removes their devices so as not to leave physical data behind.
On Jan. 25, 2018, Diebold Nixdorf released a statement, obtained by KrebsOnSecurity, to its customers acknowledging that the attack was expected to spread from Mexico into the United States. In the statement, Diebold provides specific recommendations on how to protect ATMs from jackpotting attacks.
First and foremost, the security best practices provided by ATM vendors should be followed. Working alongside the ATM vendor, some additional security best practices to lock down ATMs include:
Implement two-factor authentication for technicians to obtain physical access.
Use full-disk encryption on all ATM hard drives.
Update security awareness training to help identify suspicious activity.
Update firmware, software, and operating systems to the latest releases.
Use encrypted communication protocols where possible.
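Two of the items above, full-disk encryption and current software, can be verified directly on the machine. The following PowerShell audit is an added example, not code from the original article, from Diebold, or from Crowe; it assumes the ATM's PC core runs Windows with the BitLocker PowerShell module installed and is run locally as an administrator. It reports the operating system in use, the most recently installed update, and any fixed volume that is not fully encrypted with protection turned on. Two-factor access for technicians and awareness training are process controls and are not something a script can check.

```powershell
# Added example (not from the original article or from Diebold/Crowe).
# Assumption: the ATM PC core runs Windows and has the BitLocker module;
# run locally as an administrator.

$report = [ordered]@{}

# Operating system and last boot: answers "what OS is running on the ATM?"
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OS']       = "$($os.Caption) $($os.Version)"
$report['LastBoot'] = $os.LastBootUpTime

# Most recently installed update; an old date suggests patching has lapsed.
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LatestHotfix'] = if ($lastFix) {
    "$($lastFix.HotFixID) on $($lastFix.InstalledOn)"
} else {
    'none found'
}

# Full-disk encryption: every volume should be FullyEncrypted with protection On.
$unprotected = @()
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $unprotected += "$($vol.MountPoint) ($($vol.VolumeStatus), protection $($vol.ProtectionStatus))"
    }
}
$report['UnencryptedVolumes'] = if ($unprotected.Count -gt 0) { $unprotected -join '; ' } else { 'none' }

# Print the findings as a simple two-column table.
$report.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

Any volume listed under UnencryptedVolumes, or a LatestHotfix date well in the past, is a finding to raise with the ATM vendor before the machine is returned to service.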
How can you protect your ATMs and networks? Consider the following questions: What operating system is running on your ATM and is it secure? Are other devices that might not be a typical workstation still playing a role on your network? One thing remains certain: Thieves are always looking for a way to make a quick buck.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.