January 27, 2018

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Dielbold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF).

The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

An endoscope made to work in tandem with a mobile device. Source: gadgetsforgeeks.com.au

“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

An 2017 analysis of Ploutus.D by security firm FireEye called it “one of the most advanced ATM malware families we’ve seen in the last few years.”

“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.

According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.

Regalado says the crime gangs typically responsible for these attacks deploy “money mules” to conduct the attacks and siphon cash from ATMs. The term refers to low-level operators within a criminal organization who are assigned high-risk jobs, such as installing ATM skimmers and otherwise physically tampering with cash machines.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” he wrote. “Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Indeed, the Secret Service memo shared by my source says the cash out crew/money mules typically take the dispensed cash and place it in a large bag. After the cash is taken from the ATM and the mule leaves, the phony technician(s) return to the site and remove their equipment from the compromised ATM.

“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the alert notes.

FireEye said all of the samples of Ploutus.D it examined targeted Diebold ATMs, but it warned that small changes to the malware’s code could enable it to be used against 40 different ATM vendors in 80 countries.

The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.

This is a quickly developing story and may be updated multiple times over the next few days as more information becomes available.


114 thoughts on “First ‘Jackpotting’ Attacks Hit U.S. ATMs

  1. JV

    So apparently the ATM companies don’t have a way of detecting this kind of tampering in real time and alerting the police or someone else to go on site and see what is going on? I realize the machine can go off-line for a number of reasons but don’t the machines have cameras they could immediately check? Even if video from the camera is lost due to tampering, they could have the last few minutes saved to check what is going on.

    1. SkunkWerks

      So, imagine you’re one of these proprietors, you have hundreds or maybe thousands of locations to monitor. You’re technically subcontracting to a bank, pharmacy or other institution, so whatever surveillance you’re rocking would have to piggyback off that- and whatever “that” is may not be so great.

      For the vast majority of different possible scenarios, the thing to do is probably lodge the DVR inside the ATM unit. So while video is constantly recorded, it isn’t generally actively checked.

      It’s checked when there’s a problem- as is the case with most video surveillance systems.

      1. JV

        I didn’t mean watch it constantly. I meant coudn’t they react to a machine going off-line by checking the past few minutes of video to see no-one was tampering with it. And more generally, I meant I’m surprised that these people can tamper with a machine without being somehow detected. Like there is no notice when someone connects to the devices port. I understand, though, that checking such alerts and keeping track of whether maintenance is scheduled for the machine may be a lot of work. I guess hardening those machines somehow to make the port more difficult to access may a cheaper way of protection…

        1. Leafweir

          It’s all a matter of scale.

          How much is the loss? How often does the loss occur? How much will it cost to deploy a defense? Is the defense more or less expensive then accepting the loss? Will accepting the loss increase the number of losses over time?

          You can turn every ATM into a fortress, but that’s not an effective use of funds. Why do you think that so many machines are still running XP? Because it’s cheap.

        2. Jim

          Oh, there has to be a built in security system. But it’s not for security. It needs to be filled. So, it has to call home, to get more money. There are things that it has to do to maintain, and make money for it’s owner. Like, it has to call Banks to check if the card is issued to this requestor, if there is money to back this request, if the service door is open, etc, etc. But, what they cannot do is more telling. It cannot verify its location, os, or it’s programs like an imbed system could. Does not being imbed make it safer? Logical fallicies on both sides. Especially the arguements on os. The owner will always err on the side of least cost.

    2. Jacob Rogers

      Wouldn’t a slight electrical charge on all of the access ports be enough that way then if something was plugged into any of the ports it would trip the electrical charge and let the system know something was plugged in

    3. Dave Bacher

      OK, so I worked for a subsidiary of NCR corporation from 1995 to 2003, on software to monitor ATMs. I am well outside my NDA, etc. Also, this is dated, and both times I left NCR it was not on the best of possible terms.

      So sure, a big ATM is always connected to the network, has a lot of tamper sensors and vandalism sensors, and if you trip any of them at most US banks, the software that I used to particiapte in is going to have a cop at that ATM within moments.

      These little kiosk ATMs, though, used to be primarily dial up. Social engineering access to them is trivial, and they have no real way to report any tamper. Once you have the social engineering for access, it’d be relatively easy I would imagine – have your cell out, once you get everything in place, send a text – have someone come in and distract the clerk, activate the jackpot. As long as nobody else is near you in the store, they have to figure out when the money disappeared.

      They will start, there, looking at tapes around when it was filled, by whom it was last filled – and so in this scheme, you’re reliant on asking the right employee to find out “oh, there was someone servicing the ATM,” and then reliant also on there being enough information in the video tape to catch them.

      The immediate trend would be to blame whoever last filled the ATM, and then only after to look at the tape.

      1. JV

        Interesting information. I guess a low cost solution would be a well placed steel plate right on top of any connectors that thieves must not get access to. Like so close there is no way to get in between the plate and the connectors. I don’t think they can drill through it unnoticed even if they are wearing maintenance personnel clothes.

    4. Justsum Guy

      There are alarms and alerts on most ATMs for this type of activity. The problem, at least in my personal experience, is that these alerting systems will blast out e-mails every time a mosquito farts within a mile of the machine. They start to get ignored real quick.

  2. alexey.boh

    allriight,i still think windows 7 is best, also we russians and best parts of eastern europeans like number 7 ,better is triple 777 thats why we put 777 on our nice cars license plates.
    and yes,windows 7 is best whoever says its not then they wrong,i refuse to use other then windows 7 i dont like windows 8 absaloutely,i dont like it.
    7 is best !!

  3. yomm

    ye,u know..i heared dumps are best jobs,means instore carding.,..me i dont like that, i think i dont like this msr thing to copy cards,not my field,however i heared many many guys living of this kind of business. but i like more just cryptocurrency..bitcoins are my field of work

  4. KathyB

    This has been a problem in the Pacific Northwest. A security company I work with mentioned that some perps who were behind those heists were arrested. That company has been busy implementing additional security devices on various Diebold ATMs.

    Although some banks have taken additional security measures, the perps are able to defeat them. Some banks are resorting to a hardware solution with additional security monitoring. Certain algorithms based on behavior will shutdown the ATM as I understand.

  5. Vy

    Wiki says “a small number of deployments may still be running older versions of the Windows OS, such as Windows NT, Windows CE, or Windows 2000.”

    I expect those ATMs will soon be making their way to a banking museum near you.

    1. meh

      You might be surprised, vendors are astonishingly slow to update.

      1. Bryan J Smith

        That was the original promise of thin clients, to get away from the sheer cost of thick PC lifecycle. It’s typically $500/year/unit in support costs. But you then had a reliance on a backend.

        Then BSD and Linux embedded took off in the late ’90s. This was the best-of-both worlds, a client/server architecture with still enough to work standalone, all while updating quick with 1/10th the support costs (sub-$50/year/unit). If it was good enough for launch systems and space probes at NASA, it was good enough for financial.

        Unfortunately, Microsoft sales made it’s efforts, and pried on mainatream IT assumptions. Already embedded heavy and UNIX-csntric industries didn’t listen, and Microsoft lost set-tops and swathes of retail, let alone 100% of the backend trading industry (sans the infamous LSE that blew up on Microsoft-Accenture in 2008).

        But Microsoft got ATMs and voting machines, because enough stakeholders and decision makers were used to fat PCs.

    2. Patrick

      it’s costly to do update ATM’s (which means buying new ones and paying techs to install them). this sort of thing is a wakeup call though, that’s for sure.

  6. Joe Blow

    These ATMs typically can be opened using a generic key. So changing the lock to use a key specific to the owner of the ATM would deter. Also there are switches in the ATM that alarm (when they are used) the network that someone has accessed the top hat of the ATM. When the device communication or software is interrupted in any way, a status is sent to the host. If they cut the comm connection a status is sent to the host. If the ATM owner has set a secure password on the PC core which will not allow booting from the CD or anything except the hard drive that will be a deterrent also.
    In the end there are security measures already present in the ATMs but unfortunately (for the owners) they are not being used.
    That is why the message from the OEM is if you are not using the security measures as they stand, they will not be responsible for losses.

  7. Jasey

    ATMs can have tamper sensors for things like “chassis was opened”, but not so much for “tiny hole was drilled in the side and an endoscope was slid inside”. There are sensors for hardware being moved around inside the chassis, but I am not sure how widely used they are since they cost more.
    Someone does typically gets notified when an ATM goes offline. If the ATM is at a bank branch, you can get someone (who has hopefully had training) to check it out within minutes so probably not the best target.
    If it is a standalone ATM in a gas station or grocery store, then you likely have to send a technician from the manufacturer which takes time. You have nobody onsite that is trained or that you can trust to go inspect the ATM, nobody to call and ask to “just go see if there is anybody standing around it pretending to be a technician”.
    “Checking the cameras” is great in theory, but they can be defeated by a hoodie, a ball cap, or some sunglasses.

    I do wonder why it makes a difference if the ATM is running Windows XP or 7 when the attacker is plugging in their own software. The protections available at the OS level, all of them, would be bypassed because that OS would no longer be active.

    1. Scott T

      I’d imagine the Windows XP / Windows 7 ordeal would be more about how windows treats (or has configured) plug-and-play devices such as USB keys. It’s likely you can get XP to automatically execute code on a USB key that is pretending to be a CD-ROM drive, where the latter ATMs will have been configured to disable Autoplay.

  8. jon deaux

    Microsoft used to offer a stripped down version of Windows 7 called Windows Thin PC that allowed Windows 7 to be run on older hardware.

    I suggested investigating Windows Thin PC to a former employer in order to both let us continue using our …antiquated hardware and make the network more secure, but was told that I didn’t know what I was talking about because I don’t have an IT degree.

    At last count, the company was converting the Windows XP Pro desktops to thin client machines because the up-front costs were cheaper than replacing them with newer computers running Windows 7 Pro or Windows 10 pro.

  9. Goatherderson

    So this is how the DNC funds wars on behalf of local charity fraud!

  10. Nathaniel

    I’ve seen ATM’s left open before by the people servicing them; let alone, people actively trying to rob them.

    I came across one that was open with both cans full of 20’s, so at least a couple grand, and stayed that way for about 2 hours until I called the service provider.

    If they care that little about the cash being unprotected, then updating O/S or put in greater security measures can’t be high on their priority list.

  11. Robert

    If they cant be bothered to update the OS beyond 95 what make you think for a second they will spend a dime on video or security. Please it is all about the numbers. They loose 2 or 3 thousand in one day but make a cool Mil over a year. Tax write off (we pay), Insurance write off (we pay). They fix they collect (we still pay). See how the game works. They still get payed no matter what happens and we still pay 4 to 5 dollars per transaction.

    1. Bryan J Smith

      Because fat PCs, even the ‘Embedded NT/XP/et al editions, still cost $500+/year/unit in support.

      Microsoft got the ATM market by the mid ’00s, and they’ve been stuck with this reality.

      All OSes have network security holes, but Windows really stinks on physical access security, msinly due to how WinForms works with taskmgr.exe.

      1. Bryan J Smith

        I mean, if I’m Diebold and IBM, why use the more appropriate, easier to support, OS-build let fecycle when a customer asks for fat PC Windiws at 5-10x the recurring lifecycle support costs? Engineering took a backseat to Professional Services.

        In lower margin industries like set tops, of course they wouldn’t even remotely look at this. The US Military also stopped doing it after the carrier fiasco in the US Navy. But ATMs and voting machines continue to be ‘fatter,’ at odds with all other trends, from military to retail.

        Why? Because customers are willing to pay and deal with the issues.

  12. Raven

    What interests me is that there are actually sophisticated crews doing these jobs. Obvithey are highly tech savvy? So this is a more lucrative/attractive job for the low level members than working a legit job…that means it must be too easy. Higher-ups will be dedicated highly intelligent types but the lowest members most likely not. It would seem LE would have more HUMINT on these types of networks….

  13. Zafar

    Jackpotting LOL, Yesterday I have seen An Scanner On the ATM machine that Catches our Debit card details.

    Be aware to use your debit card because thefts are attaching a scanner On ATM machines.

  14. ATM Security

    I’ll pass this along, so people keep their eyes open.

  15. Jessica

    This has been occurring since 2013 here in the U.S., it’s not anything new nor is it something that originated in Mexico. How logical or responsible is it to name one specific country as being the first place ploutos was used? Do you think any ATM company or financial institution wants to broadcast that they were outsmarted and compromised? It’s disappointing television news outlets are reporting on this and your article isn’t even accurate.

    1. BrianKrebs Post author

      Please point us to any evidence that jackpotting attacks have been hitting US ATMs since 2013. Your simply saying it doesn’t make it so.

  16. rod mize

    Very good reading – informative – I have seen these scams done and the effect it had on people i.e. personal identification fraud etc.

Comments are closed.