Two of the world's largest ATM manufacturers have issued security alerts regarding ATM jackpotting attacks being detected in the US for the first time.

In alerts sent out to US banks by Diebold Nixdorf and NCR Corp, the two organizations say they've been alerted by the US Secret Service that cyber-criminals are using various techniques to make ATMs "spit out" cash, in an attack commonly referred to in the criminal underground as ATM jackpotting.

ATM jackpotting slowly made its way into the US

ATM jackpotting attacks first appeared in Russia, then spread to Europe and Asia, before making their way into Latin America and Mexico last year.

Jackpotting attacks can be carried out in a variety of ways, but always require physical access to the device so that crooks can install malware on the ATM's internal computer. This malware responds to commands entered via the PIN pad or by a USB keyboard attached to the ATM.

By interfacing with the ATM's specialized software, crooks can issue commands to the ATM's internal cash dispenser component and empty out the bill-storage cassette.

Crooks have used malware like ATMii, ATMitch, GreenDispenser, Alice, Ploutus, RIPPER, Skimer, and SUCEFUL to make ATMs spit out cash in ATM jackpotting attacks.

Crooks most likely using Ploutus malware

According to a Diebold Nixdorf security alert obtained by security reporter Brian Krebs on Saturday, the US jackpotting attacks follow the same attack pattern seen in jackpotting attacks in Mexico in October 2017, suggesting the same gang has moved operations north of the US-Mexico border in search of bigger fish.

A Diebold Nixdorf security alert dated October 2017 says crooks are gaining physical access to the ATM's backside, where they reach its internals, replace the ATM's hard drive with a tainted one, and then use an industrial endoscope to press a reset button deep inside the ATM.

The malicious hard drive they insert in the ATM contains a copy of the ATM's original operating system, along with the Ploutus ATM malware, known for its simple "press F3 for cash" mode of operation.

Diebold Nixdorf: Only old ATM models affected

Diebold Nixdorf said that only Opteva terminals are susceptible to the attacks reported by Secret Service agents. The company stopped manufacturing Opteva terminals many years ago.

"The [mode of operation] currently is not effective on Diebold Series, ProCash series or CINEO series with recent firmware updates applied," said Diebold Nixdorf.

The company recommends that customers limit physical access to the ATM's backside, implement two-factor authentication for ATM technicians, and install the latest OS and firmware updates.

Neither the US Secret Service nor Diebold Nixdorf published any information on the banks that suffered such attacks. An NCR Corp alert is not publicly available, but Reuters confirmed the organization sent a similar warning to customers last week.
