For the first time on record, ATMs located in the US are falling prey to jackpotting, an attack in which malicious hardware or software forces the machines to dispense huge amounts of cash to waiting thieves, KrebsOnSecurity reported over the weekend.
Jackpotting has been documented in other countries, but until recently it had never been reported in the US. Citing an unnamed person close to the matter and a confidential alert, Brian Krebs reported on Saturday that the US Secret Service has received credible reports of front-loading ATMs made by Diebold Nixdorf being targeted by so-called cash-out crews. The thieves are carrying out the heists by first getting physical access to the machines and infecting them with malware known as "Ploutus.D."
"The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs," stated the confidential Secret Service alert sent to financial institutions and obtained by KrebsOnSecurity. "During previous attacks, fraudsters dressed as ATM technicians attached a laptop computer with a mirror image of the ATM's operating system, along with a mobile device, to the targeted ATM."
The person with knowledge of the alert told Krebs that the attacks occurred over the past 10 days and that there's evidence more are being planned. The source said the attacks are targeting Diebold Nixdorf's Opteva 500 and 700 series machines. Krebs also published an alert issued by Diebold Nixdorf that outlines steps customers can take to safeguard the machines.
According to Krebs, the Secret Service alert said the attackers typically insert a doctor's endoscope into targeted ATMs to locate an internal part that can communicate with a laptop. The attackers then attach a cord that allows them to use their computer to control the machine. After installing the malware, remote thieves can force the machines to dispense cash to one or more partners who are on-site.
"In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds," the alert stated. Once the cycle starts, the machine will be completely emptied of all cash on hand unless the person collecting the cash presses a cancel button on the keypad.
In 2009, researchers documented a family of malware that infected ATMs in Eastern Europe. A year later, researcher Barnaby Jack demonstrated a series of ATM attacks at the Black Hat Security conference in Las Vegas. Security firm Symantec chronicled Mexican ATM attacks in 2013, and FireEye wrote about Ploutus.D last year. FireEye said that, for Ploutus.D to be used, attackers must pick the ATM locks, use a stolen master key, or otherwise remove or destroy part of the machine.