Secret Service Warns Against “Jackpotting” Attacks as Criminals Steal Over $1 Million from ATMs Across US


ATM jackpotting attacks have hit the United States for the first time, a senior US Secret Service official warned on Monday. A coordinated group of hackers potentially tied to an international criminal syndicate has managed to steal over $1 million by hijacking ATM machines across the country in over a half-dozen successful jackpotting attacks.

Two of the world's largest ATM manufacturers, Diebold Nixdorf and NCR, had warned last week of having spotted ATM heists in the US. The jackpotting attacks, also known as Black Box attacks, exploit vulnerabilities of ATMs to make them rapidly and uncontrollably shoot out torrents of cash. Before the US, similar attacks were spotted in Russia, Asia, Western Europe, and then Mexico last year. Europe had arrested 27 perpetrators responsible for these attacks last May.

Criminals Find New Ways to Drain Thousands of ATMs Remotely as Most of Them Still Run Windows XP

NCR had also sent out an advisory to customers after receiving warnings from the Secret Service. "While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue," the NCR alert that was sent on 26 January said.

"This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences."

Krebs on Security added that hackers were using Ploutus.D malware to compromise ATMs. Along with Ploutus, criminals have also used other malware, including ATMii, GreenDispenser, Alice, RIPPER, and Skimer. After connecting an external device like a PIN pad or a keyboard to the ATM, the sophisticated malware can be used to force an ATM to dispense money. Criminals can also then operate ATMs remotely and send mules to pick up cash.

Diebold Nixdorf explained that criminals are gaining access to the ATM's internals, replacing hard drive with their own version, and then using an industrial endoscope to press a reset button inside the ATM. The new hard drive carries a copy of the ATM's original OS, along with the malware. "During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM," the advisory said.

The company recommended banks to restrict physical access to the ATM's backside, implement two-factor authentication, and install latest OS updates.

According to a confidential alert, Windows XP remains the primary reason behind this attack working flawlessly. ATM makers and security experts advised ATM operators to at least update to Windows 7 to protect against jackpotting. However, Secret Service has spotted successful attacks within the past 48 hours on machines running updated Windows 7.

“ATM Malware Is Becoming Mainstream” – Newly Discovered Family Drains All Cash from ATMs

“There isn’t one magic solution to solve the problem," Matthew O‘Neill, a special agent in the criminal investigations division, told Reuters. While the two ATM manufacturers had alerted their consumers of the attacks, the US Secret Service said today that the attacks are quite widespread, "spanning from the Gulf Coast in the southern part of the country to the New England region in the northeast."

Early estimates suggest that this attack technique can be used to push ATMs to release up to 40 bills every 23 seconds, enabling attackers to gain "thousands of dollars in minutes."