Last week the US Secret Service issued warnings about cyber attacks on ATMs dubbed “jackpotting”. This type of attack is not new, but it draws our attention for two reasons. First, jackpotting had never been spotted in the US before. Previous jackpotting campaigns were spotted in Europe, Asia and South America, but now it has made its way to the US. Secondly, this type of attack is quite sophisticated and quite odd, as it requires not only technical skills and great coordination but also acting skills, audacity and composure.
In a jackpotting attack, criminals force ATMs to spit out cash without authorization. But it is not as simple as it sounds. To carry out this attack they must install malicious software or hardware on the targeted ATMs. This requires physical access to the cash machine, and the thieves need to stay cool-headed and not arouse suspicion while they tamper with the ATM. Customers and staff usually notice when somebody interferes with an ATM for a suspiciously long time. To mask themselves, the criminals pose as repair technicians. They only attack stand-alone machines, like the ones you can find in pharmacies and convenience stores.
To examine the ATM’s internals, the thieves use an endoscope, a flexible tool traditionally used by physicians. It is not exactly clear how they manage to get inside the machines during jackpotting in the US. In previous attacks criminals unlocked ATMs with stolen master keys or by destroying some parts of the machines. Using the endoscope, the thieves find where to attach a laptop with unauthorized software and force the ATM to spit out cash. When the fake technicians are finished with their job they contact remote accomplices responsible for controlling the malware. At this stage the ATM appears out of service to customers, and the fake technicians leave.
This is the point where the next stage begins. When the ATM receives the command to dispense cash, the so-called “money mules”, the lowest caste in a cybercriminal gang, arrive. Money mules are responsible for collecting the money and always carry a big bag for it. They operate very quickly, but there is always a chance they could be caught by security cameras. In previous attacks the ATMs dispensed 40 bills every 23 seconds. When the machine is completely empty the thieves press “Cancel”. Then the fake technicians return to the ATM and remove their equipment.
In the US, criminals attack front-loaded Opteva 500 and 700 series Diebold ATMs. According to the Secret Service’s warnings, ATMs still running Windows XP are particularly vulnerable.
By Natalia Galadzhyants
Analyst at Cybersecurity Help