Hackers use ATM jackpotting technique to steal $1M in US

News roundup: Hackers used ATM jackpotting attacks to steal over $1M in the U.S. Plus, a fitness tracking app accidentally exposed the locations of military bases, and more.

A group of hackers stole over $1 million through ATM jackpotting in the United States.

The hacking group, believed to be an international cybercrime gang, used a technique seen in other countries over the past few years to get ATMs to rapidly spit out cash on demand. Called "jackpotting" because the cash shoots out of the machine the way winnings do on a slot machine, the attack requires the hackers to have physical access to the ATM. Once they have physical access, the hackers can use malware or they can replace the hard drive with an infected one and take control over the system.

ATM jackpotting attacks have happened in other parts of the world -- including Central America, Europe and Asia -- for several years, but now the attacks have made their way to America, according to a warning sent out to financial organizations by the U.S. Secret Service. Reuters this week reported that over $1 million was already stolen from ATMs across the U.S.

The confidential Secret Service alert, which investigative cybersecurity journalist Brian Krebs reported on, said that ATMs running Windows XP were at the greatest risk of being jackpotted and the hackers were targeting ATMs located in pharmacies, big box retailers and drive-thrus. The Secret Service recommended that ATM operators upgrade to Windows 7 to minimize the risk.

According to Krebs, the Secret Service alert explained that once the hackers have physical access to an ATM, they use an endoscope -- an instrument typically used in medicine -- to locate where they need to plug a cord into the inside of the cash machine to sync their laptop with the ATM.

The attackers then use an advanced strain of malware called Ploutus.D, which was first reported to have been used in jackpotting attacks in 2013 in Mexico.


How ATM jackpotting works

The hackers reportedly disguise themselves as ATM maintenance crews to gain access to the machines without raising suspicion. Once the malware has been installed on the compromised ATM, the machine appears to be out of order to potential users. Then one attacker walks up to the machine while remote hackers trigger the malicious program, and the accomplice who appears to be an ordinary ATM user collects the outpouring of cash. The Secret Service report said that in an average Ploutus.D attack, the money is dispensed continuously at a rate of 40 bills every 23 seconds until the machine is completely empty.

After they've emptied the ATM, the hackers disguised as the maintenance crew come back and remove their tools to return the ATM to normal operations -- without any available cash.

In his blog post about the recent wave of ATM jackpotting attacks, Krebs noted that the hacking group has been targeting Diebold Nixdorf ATMs, which are vulnerable to the Ploutus.D malware. Specifically, the Secret Service warned that the attacks have focused on the Opteva 500 and 700 series from Diebold.

Krebs also said the Secret Service had evidence that further attacks were being planned across the country.

Diebold issued a warning about the attacks and suggested that countermeasures to ATM jackpotting should include limiting physical access to the ATM, making sure the machines' firmware is up to date with the latest security updates, and monitoring the physical activity of the machines. Without physical access, ATM jackpotting is not possible.
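The monitoring Diebold recommends can be partly automated on the dispenser's own event stream. The following is an added example, not code from the article, the Secret Service or Diebold: it scans constructed ATM event log lines (the log format, event names and thresholds are assumptions) and flags cash dispensed without a preceding card authorization, or dispensed faster than a normal withdrawal pattern allows, which is the shape of the 40-bills-per-23-seconds cash-out described above.

```python
"""Flag jackpotting-style dispense patterns in ATM event logs.

Added example; the log format below is assumed:
<ISO timestamp> <atm id> <event> [key=value ...]
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one normal withdrawal on ATM-01, and a burst on
# ATM-02 after the service door is opened, with no card authorization.
SAMPLE_LOG = """\
2018-01-27T10:00:01 ATM-01 CARD_AUTH
2018-01-27T10:00:09 ATM-01 DISPENSE bills=10
2018-01-27T10:05:00 ATM-02 SERVICE_DOOR_OPEN
2018-01-27T10:06:00 ATM-02 DISPENSE bills=40
2018-01-27T10:06:23 ATM-02 DISPENSE bills=40
2018-01-27T10:06:46 ATM-02 DISPENSE bills=40
"""

AUTH_GRACE = timedelta(seconds=60)   # a dispense must follow an auth within this
WINDOW = timedelta(seconds=60)       # rate window for the bills counter
MAX_BILLS_PER_WINDOW = 60            # assumed ceiling for legitimate withdrawals;
                                     # 40 bills / 23 s is ~104 bills per minute

def parse(line):
    ts, atm, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), atm, event, fields

def find_alerts(log_text):
    """Return (atm, timestamp, reason) tuples for anomalous dispense events."""
    last_auth = {}                    # atm -> time of last card authorization
    recent = defaultdict(deque)       # atm -> deque of (ts, bills) in the window
    alerts = []
    for line in log_text.splitlines():
        ts, atm, event, fields = parse(line)
        if event == "CARD_AUTH":
            last_auth[atm] = ts
            continue
        if event != "DISPENSE":
            continue
        bills = int(fields.get("bills", 0))
        auth = last_auth.get(atm)
        if auth is None or ts - auth > AUTH_GRACE:
            alerts.append((atm, ts.isoformat(), "dispense without card authorization"))
        q = recent[atm]
        q.append((ts, bills))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        if sum(b for _, b in q) > MAX_BILLS_PER_WINDOW:
            alerts.append((atm, ts.isoformat(), "dispense rate exceeds threshold"))
    return alerts
```

On the constructed sample, ATM-01 produces no alert and every ATM-02 dispense is flagged, with the rate rule firing from the second burst onward.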

In other news

  • A fitness tracking app accidentally exposed the location of military bases around the world. Strava, an app that logs walking, running and other movements, published an interactive map with over 13 trillion GPS points from its users a few months ago. The map has since been used to confirm the location of military bases, which show extra activity along specific routes in otherwise remote areas. These are believed to be jogging routes and even patrol routes at military bases. An analyst at the Institute for United Conflict Analysts, Nathan Ruser, noticed the data last week, and Twitter users have since taken to posting now-confirmed locations of the military bases. The data exists because military personnel didn't turn off their fitness trackers while on base, despite Strava's customizable privacy settings.
  • Google Cloud has teamed up with enterprise mobility management company MobileIron to build a new cloud service. The companies announced that they will combine Google Cloud's Orbitera commerce platform and MobileIron's enterprise mobility management and app distribution platform. The enterprise applications and services portal is expected to be released later in 2018 and will mostly be built on top of the Security Assertion Markup Language (SAML) standard. The service will enable resellers, enterprises and others to buy cloud services and distribute them to customers and employees. It will include customized service bundles, customized branding, unified billing, secure cloud access and usage analytics, according to Google. "We hope this collaboration simplifies and streamlines enterprise application management for businesses, and helps them unlock additional value for their employees and customers," the companies said in a blog post announcing the joint effort.
  • Researchers discovered that Oracle Micros point-of-sale (POS) systems have been breached. ERPScan researchers published details of the vulnerability, which affects Oracle's Micros POS terminals and enables an attacker to read any file and obtain information from the devices without authentication. The vulnerability was discovered in September 2017 by Dmitry Chastuhin, security researcher at ERPScan, and was fixed and disclosed this month. "[The flaw is] a directory traversal vulnerability in Oracle MICROS EGateway Application Service," ERPScan explains in its blog post. "In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc." This means an attacker who recovers those credentials can run a brute-force login attack against the POS devices to gain full access. Micros is used on more than 330,000 cash registers across 180 countries.
