ATM thieves target stand-alone machines in 'jackpotting' scheme

Register now

A type of ATM attack popular in Mexico recently is making its way to the United States.

While bank-run ATMs don’t appear to be affected so far, older, front-loaded cash machines are vulnerable to the attack, according to an alert the Secret Service has sent to financial firms and ATM manufacturers.

The crime is known as “jackpotting,” a method in which thieves, pretending to be repairmen, break directly into ATMs, install malicious software or hardware that makes the machines spit out cash. Security blogger Brian Krebs first reported on the attacks on U.S. ATMs on Friday.

According to a Secret Service alert Krebs acquired, the victim ATMs tend to be located in pharmacies, big box retailers, and drive-thru ATMs. Krebs noted that these machines lack the security and round-the-clock monitoring of ATMs installed at financial institutions.

The thieves apparently are going after Diebold Opteva 500 and 700 series cash machines in remote, stand-alone locations. They gain physical access to the cash machine, then use jackpotting malware referred to as Ploutus and specialized electronics to control the operations of the ATM.

The attackers “typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer,” Krebs wrote. “Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear ‘out of service to potential customers.’ ” Co-conspirators will then remotely control the ATMs and force them to dispense cash.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” he wrote. “Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

After the cash is taken from the ATM and the mule leaves, the phony technicians return to the site and remove their equipment from the compromised ATM, according to the Secret Service alert.

“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the Secret Service alert notes.

A source told Krebs thieves have been hitting the Diebold stand-alone ATMs in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

The two major U.S. ATM providers, NCR and Diebold, did not agree to interviews. NCR offered a statement:

“NCR confirms the matters reported by Brian Krebs, and had previously issued its own alert and guidance on this situation,” said Owen Wild, security marketing director at NCR, in an email. “NCR regularly and actively works with our financial solutions customers to address the security and fraud issues that impact this industry, and we offer solutions and services that are designed to defend against and mitigate the risks of these kinds of attacks.”

In a security alert, NCR said it had received reports from the U.S Secret Service and other sources of jackpot attacks on ATMs in the U.S.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the alert stated. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The alert goes on to recommend installing all current patches and following security best practices on ATMs.

A Diebold spokesperson said the company has communicated the steps necessary for its customers to protect their ATMs.

“As the ATMs that are being targeted are older, legacy Diebold units, it’s important to remind financial institutions to keep their security up to date,” said Mike Jacobsen, Diebold’s senior director of corporate communications. “Just like changing the batteries in the fire alarm detectors in your house, it’s important for financial institutions to keep the security protocols current on their ATMs.”

In a security alert to customers, Diebold acknowledged that front-load Opteva models are affected by this type of attack. Rear-load Opteva terminals are also vulnerable, but the crime would be difficult to carry out, it said.

Diebold recommended limiting physical access to ATMs, using strong locking mechanisms, controlling access to areas used by personnel to service the ATM, and using firmware with the most recent security updates.

For reprint and licensing requests for this article, click here.