ATM jackpotting is the process of manipulating an automated teller machine (ATM) to dispense cash. It can be done in two ways.
First, hackers can exploit vulnerabilities in the ATM's software to control it remotely. A money mule usually waits at the physical machine for it to dispense cash, which he or she then sends to the mastermind.
Second, attackers exploit vulnerabilities in the ATM's hardware to make it dispense cash. A mule or the mastermind then physically collects the money.
- How Do Attackers Perform ATM Jackpotting?
- What Are the Kinds of ATM Jackpotting Attacks?
- How Can ATM Jackpotting Be Prevented?
- Key Takeaways
The first U.S. ATM jackpotting attack was seen in January 2018. The hackers reportedly used the Ploutus.D jackpotting malware on Diebold Nixdorf ATMs, specifically Opteva 500 and 700 models, typically seen in pharmacies and big box retailers. These also served as drive-thru ATMs.
How Do Attackers Perform ATM Jackpotting?
The actors behind the attack mentioned above reportedly dressed as ATM technicians who attached a laptop with a mirror image of the machine’s operating system (OS) and a mobile device to the target ATM.
To find where to attach the cord, the attackers used an endoscope. They then attached a cord to sync their laptop with the ATM's computer.
Once the connection is established, the criminals gain full control of the ATM, which appears out of service to customers. The crooks then install the malware (such as Ploutus.D) on the ATM's computer and contact their co-conspirators, who remotely control the infected machines and force them to dispense cash while the mules wait.
Even worse for ATM owners, malware like Ploutus.D makes infected machines dispense 40 bills every 23 seconds, allowing thieves to obtain thousands of dollars in a matter of minutes.
Here’s a diagram of an ATM jackpotting attack.
What Are the Kinds of ATM Jackpotting Attacks?
ATM jackpotting attacks come in two general types, namely:
- Malware-based ATM jackpotting: Attackers use a USB device that contains the malware. The infected USB device is plugged into the ATM's USB port. Once the machine is infected, the malware forces it to dispense cash for the mules or hackers to collect. This attack is hard to detect since customers can still use the malware-laden ATM, and the withdrawals aren't reflected on any bank account. To stay hidden, the hackers also ensure closed-circuit television (CCTV) cameras don't capture their co-conspirators. This method was employed in the first U.S. ATM jackpotting attack, which used Ploutus.D.
- Black box attack: Criminals use so-called "rogue devices" or "black boxes" that mimic the ATM's internal computer. Such a device can be anything from a laptop to a Raspberry Pi, both of which are easy to obtain. The attackers can use the black box in two ways. The first requires the black box to imitate the ATM's internal computer: the attackers connect it directly to the dispenser, then command it to dispense cash. The second method involves connecting the black box via network cables and grabbing cardholder information. This second method is easier to detect since the withdrawals will be reflected in customers' accounts. But unlike typical withdrawal transactions, which have a limit (a maximum amount per transaction), the black box can empty target accounts.
How Can ATM Jackpotting Be Prevented?
Unfortunately, customers can do very little to prevent ATM jackpotting, but they can still follow these tips:
- Use only ATMs owned by well-known financial institutions and avoid those belonging to regular businesses, malls, and retail outlets. Financial institutions' ATMs have better security systems than standalone ATMs, which are easier for attackers to access.
- Look out for the person standing behind you in the ATM queue; he or she could be a threat actor looking for funds to siphon. Cover the keypad when entering your personal identification number (PIN).
- Check your bank statements monthly for unauthorized transactions and report anomalies immediately.
Banks that wish to avoid ATM jackpotting attacks should keep these in mind:
- Ensure the ATMs’ antivirus program and other security software are always up-to-date.
- Disable the ATM’s auto-start and boot functions since hackers can easily exploit these.
- Monitor ATMs for unusual activity such as requests for large amounts of cash, especially from customers with empty bank accounts. Look out for multiple failed login attempts, which could indicate the machine is a jackpotting target.
- Ensure there are security personnel present near ATMs. They can easily prevent illegal access.
- Take physical measures like adding locks and alarms to the ATM’s cabinet. That way, hackers can’t access the machine’s interior to remove its hard drive.
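As an added example (not part of the original post), the following Python script shows how a bank's monitoring could surface the indicators listed above: a constructed ATM event log is checked for repeated failed logins and for cash dispensed with no host-approved withdrawal behind it, with Ploutus.D's 40-bills-per-23-seconds rate tripping a burst alert. The log format, event names, ATM identifiers and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ATM event log (not real data): timestamp, ATM id, event, key=value details.
SAMPLE_LOG = """\
2018-01-27T02:14:03 ATM-17 LOGIN_FAIL user=svc
2018-01-27T02:14:09 ATM-17 LOGIN_FAIL user=svc
2018-01-27T02:14:15 ATM-17 LOGIN_FAIL user=svc
2018-01-27T02:15:20 ATM-17 DISPENSE bills=40 txn=none
2018-01-27T02:15:43 ATM-17 DISPENSE bills=40 txn=none
2018-01-27T02:16:06 ATM-17 DISPENSE bills=40 txn=none
2018-01-27T09:02:11 ATM-03 WITHDRAW_AUTH txn=7781 bills=10
2018-01-27T09:02:14 ATM-03 DISPENSE bills=10 txn=7781
"""

WINDOW = timedelta(seconds=60)
FAILED_LOGINS = 3    # failed logins inside WINDOW raise an alert (assumed threshold)
BURST_BILLS = 80     # bills dispensed inside WINDOW with no host authorization (assumed threshold)

def parse(line):
    ts, atm, event, *kv = line.split()
    return datetime.fromisoformat(ts), atm, event, dict(i.split("=", 1) for i in kv)

def detect(log_text):
    # Returns (atm, alert) pairs in the order the evidence appears in the log.
    alerts = []
    authorized = defaultdict(set)    # atm -> transaction ids the bank host approved
    fails = defaultdict(deque)       # atm -> timestamps of recent failed logins
    rogue = defaultdict(deque)       # atm -> (timestamp, bills) of unauthorized dispenses
    for line in log_text.strip().splitlines():
        ts, atm, event, f = parse(line)
        if event == "WITHDRAW_AUTH":
            authorized[atm].add(f["txn"])
        elif event == "LOGIN_FAIL":
            q = fails[atm]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) == FAILED_LOGINS:
                alerts.append((atm, "repeated failed logins"))
        elif event == "DISPENSE" and f.get("txn") not in authorized[atm]:
            # Cash left the machine with no host-approved withdrawal behind it.
            alerts.append((atm, "dispense without authorization"))
            q = rogue[atm]
            q.append((ts, int(f["bills"])))
            while ts - q[0][0] > WINDOW:
                q.popleft()
            if sum(b for _, b in q) >= BURST_BILLS:
                alerts.append((atm, "dispense burst"))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags only ATM-17: the three failed logins, each of the three unauthorized dispenses, and a burst alert once two of them land inside the window; the ATM-03 withdrawal matches its authorization and stays silent.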
ATM jackpotting will remain popular because it’s easy to do and provides large payouts. Given the severe threat it poses to the financial industry, heed the best practices mentioned in this post.
Key Takeaways
- ATM jackpotting is the process of manipulating an ATM to dispense cash.
- The first U.S. ATM jackpotting attack was seen in January 2018. The hackers reportedly used the Ploutus.D jackpotting malware on Diebold Nixdorf ATMs, specifically Opteva 500 and 700 models, typically seen in pharmacies and big box retailers. These also served as drive-thru ATMs.
- ATM jackpotting attackers can instigate attacks using malware or a black box.