Hackers using sophisticated malware and an endoscope have been cracking into U.S. ATMs, making them spit out cash like slot machines, according to security expert Brian Krebs - who reports that the U.S. Secret Service has been quietly warning financial institutions of the new wave of attacks in a confidential memo.
The practice, known as "jackpotting" or "logical attacks," first reported by ZeroHedge in 2014, has been widespread in Europe and Asia. Thieves typically target stand-alone ATMs such as those found in pharmacies, retail stores and gas stations, accessing the machine's internals with an endoscope - a tiny camera on a flexible tube, which the hackers use to locate an internal port in the ATM's circuitry in order to connect a laptop and download malware. Another method used by hackers is to completely replace the ATM's hard drive with an identical one loaded with the malware.
Machines running Windows XP are particularly vulnerable, reads the Secret Service report, which recommends updating to Windows 7.
The malware, known as "Ploutus.D," then allows the hackers to remotely instruct the ATM to spit out cash. At present the hackers appear to be targeting Diebold Nixdorf machines - the #1 global ATM provider, with around 35% of machines worldwide.
“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert, as reported by Krebsonsecurity.com.
Barnaby Jack loading up an ATM for a 2010 demonstration. Jack died in 2013, before he was to give a presentation on remotely hacking pacemakers and insulin pumps.
“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.
At a hacker conference in 2010, Wired reported, a researcher brought two infected ATMs to the stage and gave a demonstration.
In the first example, a volunteer from the audience swiped a card through the ATM, and the researcher instantly brought up his credit card number and personal information on a computer spreadsheet.
In the second, the researcher gave the machine a command. “Jackpot!!” flashed on the ATM’s screen, and it began spitting bills onto the floor as the crowd cheered. -WaPo
In response to the recent attacks, Diebold issued a security notice last Thursday which reads:
On the 26th of January we were informed by US authorities about potential Jackpotting attacks moving from Mexico to the United States within the next few days (GIOC Reference #18-007-A).
In a Jackpotting attack, the criminal gains access to the internal infrastructure of the terminal in order to infect the ATM PC, or by completely exchanging the hard disk (HDD). In recent evolutions of Jackpotting attacks, portions of a third-party multi-vendor application software stack used to drive ATM components are included. In cases where the complete hard disk is being exchanged, encrypted communication between the ATM PC and the dispenser protects against the attack.
In this attack vector the top-hat of the terminal is opened in order to execute different activities based on the currently known information. The original hard disk of the terminal is removed and replaced by another hard disk, which has been prepared by the criminals before the attack and also contains an unauthorized and/or stolen image of ATM platform software.
In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. As preparation, a cable is unplugged to manipulate the sensor state so that the pairing functionality becomes available. To initiate the dispenser communication, a dedicated button inside the safe additionally needs to be pressed and held. With the help of an extension, which is inserted into existing gaps next to the presenter, the button is depressed. According to customer CCTV footage, the criminals use an industrial endoscope to achieve this.
A 2017 analysis of the Ploutus.D malware strain by security firm FireEye concluded that it was "one of the most advanced ATM malware families we've seen in the last few years."
“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.
According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.
Regalado says the crime gangs typically responsible for these attacks deploy “money mules” to conduct the attacks and siphon cash from ATMs. The term refers to low-level operators within a criminal organization who are assigned high-risk jobs, such as installing ATM skimmers and otherwise physically tampering with cash machines. -KrebsonSecurity
Once the money mules have cashed out the ATM, according to the Secret Service memo, thieves impersonating technicians then return to the site and remove their equipment from the cracked ATM.
“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the alert notes.
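The memo and the Diebold notice together describe a sequence a terminal-monitoring system could correlate: host connectivity lost (the Ethernet cable is unplugged and only reconnected at the end), a dispenser pairing reset while offline, the terminal going Out of Service, and then continuous dispensing with no authorized card transaction, at a cadence of roughly 40 bills every 23 seconds. The following is an added example written for this article, not code from Krebs, Diebold, FireEye or the Secret Service; the log format, event names and thresholds are constructed here to illustrate the detection logic, and real ATM platforms log these states differently.

```python
"""
Added example (not from the article or any vendor): correlate constructed ATM
terminal events into jackpotting indicators drawn from the alert text.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, terminal id, event, optional value.
# ATM-0417 follows the attack sequence described in the article;
# ATM-0221 is a normal withdrawal for comparison.
SAMPLE_LOG = """\
2018-01-29T02:11:04 ATM-0417 LINK_DOWN
2018-01-29T02:11:09 ATM-0417 SAFE_SENSOR_OPEN
2018-01-29T02:11:31 ATM-0417 DISPENSER_PAIRING_RESET
2018-01-29T02:12:02 ATM-0417 STATUS OUT_OF_SERVICE
2018-01-29T02:12:10 ATM-0417 DISPENSE 40
2018-01-29T02:12:33 ATM-0417 DISPENSE 40
2018-01-29T02:12:56 ATM-0417 DISPENSE 40
2018-01-29T02:40:12 ATM-0417 LINK_UP
2018-01-29T09:15:00 ATM-0221 CARD_TXN_AUTH
2018-01-29T09:15:06 ATM-0221 DISPENSE 5
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, terminal, event, value)."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        value = parts[3] if len(parts) > 3 else None
        events.append((ts, parts[1], parts[2], value))
    return sorted(events, key=lambda e: e[0])


def detect_jackpotting(events, txn_grace=timedelta(seconds=120),
                       rate_window=timedelta(seconds=60), rate_limit=60):
    """Return (terminal, rule, timestamp) alerts for the indicators in the memo.

    Rules (thresholds are assumptions for this example):
      pairing_reset_while_offline   dispenser re-paired with host link down
      dispense_while_out_of_service cash leaves a terminal showing Out of Service
      dispense_without_transaction  no authorized card transaction shortly before
      dispense_rate_exceeded        more than rate_limit bills in rate_window
    """
    alerts = []
    state = {}  # per-terminal link state, status, last transaction, bill window
    for ts, term, kind, value in events:
        s = state.setdefault(term, {"link": "up", "status": "IN_SERVICE",
                                    "last_txn": None, "window": deque()})
        if kind == "LINK_DOWN":
            s["link"] = "down"
        elif kind == "LINK_UP":
            s["link"] = "up"
        elif kind == "STATUS":
            s["status"] = value
        elif kind == "CARD_TXN_AUTH":
            s["last_txn"] = ts
        elif kind == "DISPENSER_PAIRING_RESET":
            if s["link"] == "down":
                alerts.append((term, "pairing_reset_while_offline", ts.isoformat()))
        elif kind == "DISPENSE":
            bills = int(value)
            if s["status"] == "OUT_OF_SERVICE":
                alerts.append((term, "dispense_while_out_of_service", ts.isoformat()))
            if s["last_txn"] is None or ts - s["last_txn"] > txn_grace:
                alerts.append((term, "dispense_without_transaction", ts.isoformat()))
            window = s["window"]
            window.append((ts, bills))
            # Drop dispense events older than the sliding rate window.
            while window and ts - window[0][0] > rate_window:
                window.popleft()
            if sum(b for _, b in window) > rate_limit:
                alerts.append((term, "dispense_rate_exceeded", ts.isoformat()))
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect_jackpotting(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for terminal, rule, when in run_sample():
        print(when, terminal, rule)
```

The rate rule deliberately fires only once the window exceeds a single large withdrawal, so the first 40-bill burst is caught by the out-of-service and no-transaction rules instead; the three rules overlap on purpose, since a fleet operator will not have every event type available from every terminal model.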
While Ploutus.D currently targets Diebold 500 and 700 series ATMs, FireEye said that the malware could be modified for use against 40 different ATM vendors in 80 countries.