The US Secret Service has been quietly warning ATM operators of sophisticated "jackpotting" ATM attacks that began in Mexico and have now hit the United States. According to a confidential Secret Service memo sent to financial institutions and obtained by cybersecurity expert Brian Krebs, hackers have been targeting stand-alone ATMs located in pharmacies, big box retailers and drive-through ATMs.
Over the past few years, jackpotting has been a rising threat across the globe, particularly in Europe and Asia. The attack involves cybercriminals using specialised electronics, a form of malware or both to control the ATM machine and forces it to spit out cash like casino slot machines.
"During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM," the Secret Service memo reads.
Two of the world's largest ATM manufacturers - Diebold Nixdorf and NCR - confirmed to Reuters over the weekend that they have issued warnings to customers regarding jackpotting attacks. They have not specified the number of banks in the US and Mexico that have been affected, how many attacks have taken place or how much money has been stolen so far.
Diebold confirmed in its alert that the attacks seem to have been targeting one of its front-loading ATM models, Opteva, that went out of production a few years ago. The company also offered advice on how to mitigate these attacks including updating to new firmware.
"As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanisms and the authorisation process for setting the communication with the dispenser," the alert reads. "This communication authorization needs to be used when the mainboard or the hard disk has to be exchanged for legitimate reasons."
To carry out this attack, the hackers gain physical access to the machine, remove and replace the hard drive with one prepared by the attackers with stolen ATM platform software and use an industrial endoscope to depress an internal button to reset the machine.
The Secret Service alert noted that hackers can also use the endoscope to locate the part of the machine where they can attach a cord to let them sync their laptop and run malicious malware such as Ploutus.D. While the machine shows up as "Out of Service" to customers, the malware contacts co-conspirators who can remotely control the device and force it to dispense cash until completely emptied, sometimes "at a rate of 40 bills every 23 seconds".
ATMs running on Windows XP are particularly vulnerable to these attacks and ATM operators have been urged to update their software to a version of Windows 7, the Secret Service memo added.
In a separate alert, NCR said its equipment have not been explicitly targeted in recent attacks, but noted it should post as a serious concern for the ATM industry.
"While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue," the NCR alert reads, Reuters reports. "This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences."
It is still unclear who are behind the recent spate of attacks in the US or the type of malware possibly used in these cases.
In 2016, a hacker group named Cobalt targeted a number of countries in Europe using similar attacks along with ATMs in Thailand, Taiwan, Malaysia and others, according to Russian cybersecurity firm Group IB.
"Logical attacks on ATMs are expected to become one of the key threats targeting banks: they enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services," Dmitry Volkov, Group IB's head of investigation, said in an earlier report.
"This type of attack does not require development of expensive advanced software – a significant amount of the tools used are widely available on the deep web. Every bank is under threat of logical attacks on ATMs and should be protected accordingly."