Hackers cause ATMs to spit out stacks of cash in elaborate 'jackpotting' scheme

Diebold Nixdorf Inc. and NCR Corp., two of the world’s largest ATM makers, are warning that sophisticated cyber criminals are hacking into U.S. cash machines and forcing them to spit out stacks of cash in a scheme known as “jackpotting,” Reuters news reported.

Jackpotting attacks against ATMs have been happening worldwide for years, but this is the first time thieves are targeting the U.S., according to published reports. The amount of money stolen in the attacks is not clear because police and victims often keep that information under wraps.

What is jackpotting?

In a jackpotting attack, thieves gain physical access to an ATM and then use malware or specialized electronics to control them, according to KrebsOnSecurity, a website run by New York Times bestselling author and investigative journalist Brian Krebs:

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators,” the website explains. “But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

A band of cyber criminals are believed to be working their way into the U.S. from Mexico, reports state.

The ATMs being targeted are typically found in big box retailers, drive-thru-ATMs and pharmacies, according to a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity.

What methods are theives using?

“During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM,” the Secret Service alert reportedly states.

An alert by Diebold Nixdorf indicates that criminals gain physical access to the ATM replace the hard drive and use an industrial endoscope to depress an internal button that is used to reset the device.

In a series of coordinated attacks over the past 10 days, thieves appeared to be targeting the Opteva 500 and 700 series Dielbold ATMs by using the Ploutus.D malware, KrebsOnSecurity reported. Evidence suggests that more attacks are being planned across the country.

Although it appears certain types of ATMs are being targeted, all manufacturers should be concerned, an alert by NCR indicated.

“This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the alert stated.