On Jan. 27, 2018, KrebsOnSecurity published what this author thought a scoop about the first known incidence of U.S. ATMs being hit with “jackpotting” attacks, a crime in which thieves deploy malware that forces cash machines to spit out money like a loose Las Vegas slot machine. As it happens, the first known jackpotting attacks in the United States were reported in November 2017 by local media on the west coast, although the reporters in those cases seem to have completely buried the lede.
On Nov. 20, 2017, Oil City News — a community publication in Wyoming — reported on the arrest of three Venezuelan nationals who were busted on charges of marijuana possession after being stopped by police.
After pulling over the van the men were driving, police on the scene reportedly detected the unmistakable aroma of pot smoke wafting from the vehicle. When the cops searched the van, they discovered small amounts of pot, THC edible gummy candies, and several backpacks full of cash.
FBI agents had already been looking for the men, who were allegedly caught on surveillance footage tinkering with cash machines in Wyoming, Colorado and Utah, shortly before those ATMs were relieved of tens of thousands of dollars.
According to a complaint filed in the U.S. District Court for the District of Colorado, the men first hit an ATM at a credit union in Parker, Colo. on October 10, 2017. The robbery occurred after business hours, but the cash machine in question was located in a vestibule available to customers 24/7.
The complaint says surveillance videos showed the men opening the top of the ATM, which housed the computer and hard drive for the ATM — but not the secured vault where the cash was stored. The video showed the subjects reaching into the ATM, and then closing it and exiting the vestibule. On the video, one of the subjects appears to be carrying an object consistent with the size and appearance of the hard drive from the ATM.
Approximately ten minutes later, the subjects returned and opened up the cash machine again. Then they closed the top of the ATM and appeared to wait while the ATM computer restarted. After that, both subjects could be seen on the video using their mobile phones. One of the subjects reportedly appeared to be holding a small wireless mini-computer keyboard.
Soon after, the ATM began spitting out cash, netting the thieves more than $24,000. When they they were done, the suspects allegedly retrieved their equipment from the ATM and left.
Forensic analysis of the ATM hard drive determined that the thieves installed the Ploutus.D malware on the cash machine’s hard drive. Ploutus.D is an advanced malware strain that lets crooks interact directly with the ATM’s computer and force it to dispense money.
“Often the malware requires entering of codes to dispense cash,” reads an FBI affidavit (PDF). “These codes can be obtained by a third party, not at the location, who then provides the codes to the subjects at the ATM. This allows the third party to know how much cash is dispensed from the ATM, preventing those who are physically at the ATM from keeping cash for themselves instead of providing it to the criminal organization. The use of mobile phones is often used to obtain these dispensing codes.”
In November 2017, similar ATM jackpotting attacks were discovered in the Saint George, Utah area. Surveillance footage from those ATMs showed the same subjects were at work.
The FBI’s investigation determined that the vehicles used by the suspects in the Utah thefts were rented by Venezuelan nationals.
On Nov. 16, Isaac Rafael Jorge Romero, 29, Jose Alejandro Osorio Echegaray, 36, and two other Venezuelan nationals were arrested Teton County, Wyo. on drug charges. Two other suspects in the Utah theft were arrested in San Diego when they tried to return a rental car that was caught on surveillance camera at one of the hacked ATMs.
To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.
All of the known ATM jackpotting attacks in the U.S. so far appear to be targeting a handful of older model cash machines manufactured by ATM giant Diebold Nixdorf. However, security firm FireEye notes that — with minor modifications to the malware code — Plotus.D could be used to target software that runs on 40 different ATM vendors in 80 countries.
Diebold’s advisory on hardening ATMs against jackpotting attacks is available here (PDF).
Jackpotting is not a new crime: Indeed, it has been a problem for ATM operators in most of the world for many years now. But for some reason, jackpotting attacks have until recently eluded U.S. ATM operators.
Jackpotting has been a real threat to ATM owners and manufacturers since at least 2010, when the late security researcher Barnaby Michael Douglas Jack (known to most as simply “Barnaby Jack”) demonstrated the attack to a cheering audience at the Black Hat security conference. A recording of that presentation is below.