30 Jan 18

Drugs Tripped Up Suspects In First Known ATM “Jackpotting” Attacks in the US

On Jan. 27, 2018, KrebsOnSecurity published what this author thought was a scoop about the first known instance of U.S. ATMs being hit with “jackpotting” attacks, a crime in which thieves deploy malware that forces cash machines to spit out money like a loose Las Vegas slot machine. As it happens, the first known jackpotting attacks in the United States were reported in November 2017 by local media on the west coast, although the reporters in those cases seem to have completely buried the lede.

Isaac Rafael Jorge Romero, Jose Alejandro Osorio Echegaray, and Elio Moren Gozalez have been charged with carrying out ATM “jackpotting” attacks that force ATMs to spit out cash like a Las Vegas casino.

On Nov. 20, 2017, Oil City News — a community publication in Wyoming — reported on the arrest of three Venezuelan nationals who were busted on charges of marijuana possession after being stopped by police.

After pulling over the van the men were driving, police on the scene reportedly detected the unmistakable aroma of pot smoke wafting from the vehicle. When the cops searched the van, they discovered small amounts of pot, THC edible gummy candies, and several backpacks full of cash.

FBI agents had already been looking for the men, who were allegedly caught on surveillance footage tinkering with cash machines in Wyoming, Colorado and Utah, shortly before those ATMs were relieved of tens of thousands of dollars.

According to a complaint filed in the U.S. District Court for the District of Colorado, the men first hit an ATM at a credit union in Parker, Colo. on October 10, 2017. The robbery occurred after business hours, but the cash machine in question was located in a vestibule available to customers 24/7.

The complaint says surveillance videos showed the men opening the top of the ATM, which housed the computer and hard drive for the ATM — but not the secured vault where the cash was stored. The video showed the subjects reaching into the ATM, and then closing it and exiting the vestibule. On the video, one of the subjects appears to be carrying an object consistent with the size and appearance of the hard drive from the ATM.

Approximately ten minutes later, the subjects returned and opened up the cash machine again. Then they closed the top of the ATM and appeared to wait while the ATM computer restarted. After that, both subjects could be seen on the video using their mobile phones. One of the subjects reportedly appeared to be holding a small wireless mini-computer keyboard.

Soon after, the ATM began spitting out cash, netting the thieves more than $24,000. When they were done, the suspects allegedly retrieved their equipment from the ATM and left.

Forensic analysis of the ATM hard drive determined that the thieves installed the Ploutus.D malware on the cash machine’s hard drive. Ploutus.D is an advanced malware strain that lets crooks interact directly with the ATM’s computer and force it to dispense money.

“Often the malware requires entering of codes to dispense cash,” reads an FBI affidavit (PDF). “These codes can be obtained by a third party, not at the location, who then provides the codes to the subjects at the ATM. This allows the third party to know how much cash is dispensed from the ATM, preventing those who are physically at the ATM from keeping cash for themselves instead of providing it to the criminal organization. The use of mobile phones is often used to obtain these dispensing codes.”

In November 2017, similar ATM jackpotting attacks were discovered in the Saint George, Utah area. Surveillance footage from those ATMs showed the same subjects were at work.

The FBI’s investigation determined that the vehicles used by the suspects in the Utah thefts were rented by Venezuelan nationals.

On Nov. 16, Isaac Rafael Jorge Romero, 29, Jose Alejandro Osorio Echegaray, 36, and two other Venezuelan nationals were detained in Teton County, Wyo. for drug possession. Two other suspects in the Utah theft were arrested in San Diego when they tried to return a rental car that was caught on surveillance camera at one of the hacked ATMs.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

All of the known ATM jackpotting attacks in the U.S. so far appear to be targeting a handful of older model cash machines manufactured by ATM giant Diebold Nixdorf. However, security firm FireEye notes that — with minor modifications to the malware code — Ploutus.D could be used to target ATM software from 40 different vendors in 80 countries.

Diebold’s advisory on hardening ATMs against jackpotting attacks is available here (PDF).
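The complaint above spells out the sequence an operator could watch for: the top cabinet (the part holding the PC, not the cash vault) is opened after hours, the hard drive is swapped and the ATM computer restarts, and then the dispenser pays out with no card-holder transaction behind it. The following is an added example, not code from KrebsOnSecurity, Diebold, FireEye or the FBI, of turning those three indicators into detection rules run over a constructed event log. The event names (TOP_CABINET_OPEN, HOST_BOOT, DISPENSE, TXN_AUTHORIZED and so on), the log format and the sample timestamps are assumptions made up for the example; a real deployment would map them onto whatever the ATM’s sensor, host and dispenser logs actually emit.

```python
"""Detection rules for the ATM jackpotting sequence described in the article.

Added example: the event schema and the sample log below are constructed
for illustration, not taken from any real ATM or vendor log format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Constructed sample log. 21:58 is a normal withdrawal; 22:41 onward mirrors
# the sequence in the complaint: cabinet opened, host goes dark (disk pulled),
# cabinet reopened ~10 min later, host reboots, dispenser pays out with no
# authorized transaction behind it.
SAMPLE_LOG = """\
2017-10-10T21:58:10 atm-01 CARD_INSERTED txn=T1001
2017-10-10T21:58:40 atm-01 TXN_AUTHORIZED txn=T1001
2017-10-10T21:58:45 atm-01 DISPENSE amount=200 txn=T1001
2017-10-10T22:41:03 atm-01 TOP_CABINET_OPEN
2017-10-10T22:41:50 atm-01 HOST_OFFLINE
2017-10-10T22:42:20 atm-01 TOP_CABINET_CLOSED
2017-10-10T22:52:30 atm-01 TOP_CABINET_OPEN
2017-10-10T22:53:10 atm-01 TOP_CABINET_CLOSED
2017-10-10T22:53:15 atm-01 HOST_BOOT
2017-10-10T22:56:02 atm-01 DISPENSE amount=2000
2017-10-10T22:56:40 atm-01 DISPENSE amount=2000
"""


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str                                   # event name (assumed schema)
    fields: dict[str, str] = field(default_factory=dict)  # key=value extras


def parse_log(text: str) -> list[Event]:
    """Parse '<iso-timestamp> <atm-id> <EVENT> [k=v ...]' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(datetime.fromisoformat(ts), atm, kind, fields))
    return events


def detect_jackpotting(events: list[Event],
                       open_hours: tuple[time, time] = (time(8), time(18)),
                       reboot_window: timedelta = timedelta(minutes=30),
                       auth_window: timedelta = timedelta(minutes=5)):
    """Return (timestamp, atm, rule, detail) findings for the three indicators.

    Rules:
      cabinet_open_after_hours     - top cabinet opened outside open_hours
      reboot_after_cabinet_open    - host restarted within reboot_window of a
                                     cabinet open (disk swap, then power-up)
      dispense_without_authorization - payout not tied to a transaction the
                                     host authorized within auth_window
    """
    findings = []
    authorized: dict[str, datetime] = {}       # txn id -> time authorized
    last_cabinet_open: dict[str, datetime] = {}  # atm -> last open time
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "TXN_AUTHORIZED":
            authorized[ev.fields["txn"]] = ev.ts
        elif ev.kind == "TOP_CABINET_OPEN":
            last_cabinet_open[ev.atm] = ev.ts
            if not (open_hours[0] <= ev.ts.time() < open_hours[1]):
                findings.append((ev.ts, ev.atm, "cabinet_open_after_hours",
                                 "top cabinet opened outside business hours"))
        elif ev.kind == "HOST_BOOT":
            opened = last_cabinet_open.get(ev.atm)
            if opened is not None and ev.ts - opened <= reboot_window:
                findings.append((ev.ts, ev.atm, "reboot_after_cabinet_open",
                                 f"host restarted {ev.ts - opened} after cabinet open"))
        elif ev.kind == "DISPENSE":
            txn = ev.fields.get("txn")
            auth_ts = authorized.get(txn) if txn else None
            if auth_ts is None or ev.ts - auth_ts > auth_window:
                findings.append((ev.ts, ev.atm, "dispense_without_authorization",
                                 f"{ev.fields.get('amount', '?')} dispensed, txn={txn}"))
    return findings


def unauthorized_total(events: list[Event]) -> int:
    """Sum of amounts dispensed without a matching authorization."""
    flagged = {(f[0], f[1]) for f in detect_jackpotting(events)
               if f[2] == "dispense_without_authorization"}
    return sum(int(e.fields.get("amount", 0)) for e in events
               if e.kind == "DISPENSE" and (e.ts, e.atm) in flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, atm, rule, detail in detect_jackpotting(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {atm} {rule}: {detail}")
    print("unauthorized dispense total:", unauthorized_total(evs))
```

Two caveats a practitioner would add. First, once the attackers have replaced the drive, anything the ATM’s own PC logs is under their control, so the cabinet-open and dispense counts used by these rules need to come from a path the malware cannot edit (a door sensor or dispenser counter wired to an out-of-band alarm, or host-side records of what the bank actually authorized), not from the compromised machine. Second, the rules fire on the sequence after the fact; their value is in paging someone while the crew is still standing in the vestibule during the ten-minute reboot gap the complaint describes, which is only useful if the alert is routed to a human who can act on it at night.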

Jackpotting is not a new crime: Indeed, it has been a problem for ATM operators in most of the world for many years now. But for some reason, jackpotting attacks have until recently eluded U.S. ATM operators.

Jackpotting has been a real threat to ATM owners and manufacturers since at least 2010, when the late security researcher Barnaby Michael Douglas Jack (known to most as simply “Barnaby Jack”) demonstrated the attack to a cheering audience at the Black Hat security conference. A recording of that presentation is below.


42 comments

  1. In spanish the applicable phrase is “comemierdas”… [rolleyes]

  2. Perhaps this is the new way of propping up the corrupt government in Venezuela??

  3. There are multiple problems with ATMs today.

    1. The computer is not in the safe with the rest of the components/cash.
    2. There is usually no alarm to access the computer portion.
    3. The XFS protocol that the ATM computers use to speak with the cash dispenser does not authenticate. Meaning that you can hook a mini-pc up to the cash dispenser and send the XFS command to dispense and that’s it.
    4. Unless you changed the lock yourself, ATM keys are all the same for that model (at least from Diebold).

    The smartest way to fix this issue IMO would be to put the computer in the safe where it belongs. Physical access to a computer means compromise. Other than that I guess you could change XFS to require components to authenticate but that would probably be more costly.

    This is definitely complacency on the part of ATM manufacturers and the banking industry as a whole. There are only a few major players in the ATM market and they don’t have any incentive to change. American banking has been stuck in the 70’s but there’s no will to legislate and force them to catch up with the rest of the world.

    • The biggest problem with putting the computer in the safe is that the people who service the computer and the people who service the safe are 2 different people. Often 2 different companies. Most of the time, outsourced. Many of these ATMs have wireless antennas that allow them to connect back to the datacenter via a VPN over 4G. You would have to drill a hole in the safe in order to get the cable to a place to get signal.

      I agree that there should be some type of alarm that goes off when you open the lid. Sending some type of alert if possible would be good. Putting the computer in a locked container other than the safe, but as secure as the safe might make the most sense.

    • JellyKid,

      Even if the HD (and core) were in the safe there is nothing stopping someone from installing their own. A cardinal rule of InfoSec is that any machine open for physical access is by default not secure. Believe it or not all major atm vendors offer solutions to prevent these jackpotting attacks and have for a while.

    • JellyKid,
      So, how does “the rest of the world” do it?

    • I thought Diebold were all different. At least I know ours are. The older NCRs we got rid of were all the same.

    • Well, according to the first report on jackpotting from Krebs updating past Windows XP should fix the problem, for now. Yes, Windows XP still runs on most secure devices from ATMs to hospitals to all kinds of government stuff.

  4. brian, please change the title from “drugs” if it was just weed……..you’re better than this

      • It never was, it was just a way of banning the poor mans buzz, protecting the cotton/pulp industries, and keeping a thumb on specific ethnic people.
        Today it depends what state you live in. And if it’s refined.

        • Marijuana is a drug. So is caffeine. So is heroin. So is aspirin. The quality of “being a drug” has nothing to do with laws or the economic situation of users.

          • Actually tobacco is a plant, nicotine is a drug. Marijuana is a plant, THC is a drug. That being said, technically they were caught with a controlled substance, which isn’t just drugs. However controlled substance isn’t easy to write into a headline, unlike drugs. I would have tried going colloquial, like Mary Jane, but meh, its just a headline.

  5. I liked the fact that you acknowledged Barnaby in your article. God rest his soul.

  6. those guys look like they don’t give a damn, they’re just hungry as hell and will do whatever it takes to get rich.
    brave guys.
    only thing is, if they saved the ill-gotten cash then they’re clever; if not, they’re dumb. after prison they can open up at least some business with the money they got.

    • You fuvking illiterate moron. Use spell check next time. And eat some radiator hose in the meantime. 😉

    • Round faces like that are from very full bellies, not hunger. Just greedy crooks, nothing more.

    • I don’t have your skill at analyzing personalities from mug shots. But I’m pretty sure they weren’t keeping the money. Video caught them on their phones while the jackpotting was happening. I’ll bet dollars to donuts they were talking to their boss, or more likely the expert hacker who works for their boss who told them how to do the jackpotting. They were hired hands. Once they got the $, they turned the lion’s share of it over to their employers.

      • It’s usually not hard to tell when people are commenting without even reading the whole story:

        ““Often the malware requires entering of codes to dispense cash,” reads an FBI affidavit (PDF). “These codes can be obtained by a third party, not at the location, who then provides the codes to the subjects at the ATM. This allows the third party to know how much cash is dispensed from the ATM, preventing those who are physically at the ATM from keeping cash for themselves instead of providing it to the criminal organization. The use of mobile phones is often used to obtain these dispensing codes.”

  7. Reminds me of the $6 million 1978 Lufthansa heist. Parnell Edwards was supposed to take the van used in the robbery to be destroyed; instead, jubilant from the gang’s heist, he smoked some marijuana while en route to the junkyard and got distracted. He was found dead with a gunshot wound 7 days later. Gang leaders resolved to kill anyone who could implicate them in the heist.

    These Venezuelan guys should be worried about what their gang leaders will do to them for this foul up.

  8. Brian, where is Ploutus.D even being shared at? I have not heard any talk on any boards. I have known about these attacks for over 6 months. Groups are still pitching Wincor malware openly, but nothing about Ploutus.

    Setting up Ploutus.D on a laptop, disconnect ATM dispenser USB from ATM and plug into laptop port. Cycle the dispenser with the malware on the laptop as if it is the ATM, remove cash from spray dispenser.

    Whoever employed these low level idiots, needs to get some real talent.

    • Except that real talent should have no problems making money legitimately. Criminals are mostly fools who haven’t learned better yet. I used to be foolish…then I grew up.

  9. In Russia there was a case that someone changed the ATM’s registry values in a way that it believed the slots for the big and the small banknotes to be swapped with each other…

  10. at the end of the day it’s only cash, it’s only money, it’s only paper.
    if the cash is finished then the Federal Reserve will print more and more.
    once upon a time when the USA was financing some fellas in Moscow, Russia, they sent a dollar paper press to Russia, so in Moscow they just printed real US dollars.
    because they needed so much money they could not send it any other way than sending them the printing press, lol
    the US dollar is like toilet paper anyway.

  11. This collection of comments is easily the strangest I’ve ever seen on Krebs. Either I missed a movie or two and don’t get the jokes or you have touched some weird nerves.

  12. Brian,
    Talk about burying the lede, you didn’t focus on whether these crimes could have been prevented if these pot-loving Venezuelans had been blocked by stronger US border security.
    🙂

  13. Cranky Observer

    = = = The complaint says surveillance videos showed the men opening the top of the ATM, which housed the computer and hard drive for the ATM — but not the secured vault where the cash was stored. The video showed the subjects reaching into the ATM, and then closing it and exiting the vestibule. On the video, one of the subjects appears to be carrying an object consistent with the size and appearance of the hard drive from the ATM. = = =

    That would seem to be the problem right there.

  14. Why were these Venezuelan thugs allowed in to the U.S. in the first place? H-1B visas maybe?

    • Probably entered our shores via a homemade narcotrafficante submarine. Hm,guess a wall on the Mexican border wouldn’t really stop that, would it?

  15. Another pair arrested for ATM jackpotting, this time in Hartford, Connecticut. One from Spain and the other from Hartford, MA.

    http://wtnh.com/2018/02/05/pd-2-men-face-jackpotting-charges-after-being-found-with-9000-in-20-bills/amp/

  16. Let this be a lesson, kids: Even if you’re jackpotting in Colorado or another legal recreational sales state, do NOT stop by a dispensary on your rounds of the ATMs.

    The late Elmore Leonard said that he had a livelihood as a crime novelist because criminals are so dumb.

  17. Was 10 minutes into watching the Barnaby video when I got a call on my landline (linked to my DSL static IP) from 669-215-0195 telling me that a user in my house using a Windows Computer was at risk of infection from a serious computer problem and that I should press 1 to speak to their technical staff or call the phone number ASAP.
    Coincidence or not?
    Obviously I’m not calling them back.
