In the first attack of its kind reported in the United States, a gang of criminals is using sophisticated techniques to access ATMs and infect them with specialized malware that lets the attackers extract the cash inside, a technique known in the security industry as jackpotting because it forces the ATM to dispense bills in a short amount of time.
So far, the thieves have stolen more than $1 million using the technique, Reuters reported, citing a U.S. Secret Service official.
News of the attack spree was broken Saturday by cybersecurity blogger Brian Krebs. According to his own sources, the thieves are targeting Opteva ATMs made by Diebold Nixdorf and are using a malware application called Ploutus-D.
Ploutus was first spotted by security researchers in 2013, when it was used in jackpotting attacks against ATMs in Mexico. At the time, Symantec noted that attackers were installing the trojan by gaining physical access to terminals and inserting a new boot disk into their CD-ROM drives.
However, according to a security alert issued by Diebold to customers last week and published by Krebs, thieves are now replacing the hard disk drives of targeted machines with ones that contain a modified image of the ATM platform software. When this is done, the encrypted communication between the platform software and the ATM’s cash dispenser is disrupted and the pairing between the two needs to be reset.
Pairing the components again normally requires the safe door to be opened, so to bypass this, the attackers disrupt a sensor and use an industrial endoscope inserted through the top-hat of the terminal to press a dedicated button.
“Potentially all Front-load AFD based Opteva models are affected by this MO [modus operandi],” Diebold said in its alert. “While there is also a risk for Rear-load AFD based Opteva terminals, due to the design and construction the Rear-load models would be extremely difficult to attack with this MO. Opteva models utilizing the ECRM module are not directly affected by the MO due to a different safe design.”
Malware-based jackpotting attacks against ATMs are not new and have been reported in many countries over the past decade. While many of them require physical access to the machines, there have been cases in which attackers compromised ATMs remotely after breaking into banks’ internal networks, or gained access by bribing insiders.
ATM-specific malware programs discovered over the years include Padpin/Tyupkin, GreenDispenser, Suceful, Skimer and Ploutus. Ploutus-D is a new variant of the malware that interacts with KAL’s Kalignite multivendor ATM platform and was documented by researchers from security firm FireEye earlier this month.
“The samples we identified target the ATM vendor Diebold,” the FireEye researchers said in their report. “However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries.”
Compared to the original variant from 2013, the new Ploutus version can infect ATMs running all versions of the Windows operating system, uses strong code obfuscation and has a component that can identify and kill security monitoring processes to avoid detection.
Ploutus requires an activation code to initiate the cash dispensing operation, a mechanism that might have been added for gang bosses to exert control over the cash-out crews sent to physically infect ATMs.
“With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following,” David Vergara, head of global product marketing at VASCO Data Security, said via email. “The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers. This trend will continue until banks have addressed key vulnerabilities. And to beat the bigger issue of skimming, banks should consider cardless security technologies like mobile authentication via visual cryptogram.”