Everything you need to know about ATM jackpotting attacks

Fun fact: The term jackpotting was inspired by a hacker called Jack Barnaby, who demonstrated a jackpotting act at the Black Hat Security Conference in 2010. After he conducted a successful hack, the word Jackpot appeared on the ATM’s screen while it was spewing piles of cash.

Before filling their bags, modern-day bank robbers must do their homework. Attackers gather necessary information on targeted ATMs and specific equipment, like keys. Unfortunately, you can buy specific ATM keys directly from retailers or underground online shops. Later, perpetrators unlock the top part of the ATM and connect a USB or other device to the ATM’s computer with ATM-specific malware. Finally, the jackpotting malware forces the machine to dispense cash.

The rise of ATM jackpotting pushed financial institutions and ATM vendors to invest in better security systems. Alternatively, cybercriminal gangs develop highly sophisticated malware at a fast pace and keep finding new ways to conduct these unauthorized transactions. Let’s explore two main jackpotting attack tactics that cybercriminals use to reach an ATM’s internal computer and execute a successful attack.

Malware-based jackpotting attack

During the first step, fraudsters gain physical access to the targeted ATM’s internal computer using an ATM-specific key. In some cases, threat actors use professional surgical tools like endoscopes to locate the connection ports of the ATM. To avoid suspicion, hackers dress up like ATM technicians. After gaining access to the ATM’s internal computer, the attacker inserts a malware-ridden USB device and, with the help of the ATM’s keyboard, activates the ATM malware. In other cases, malware is executed remotely via smartphones by sending SMS messages. The latter method helps criminals hide their real identities. Finally, when they activate a malicious code, the hacked automatic teller machines are ordered to spew money from the cash dispenser. This is where the so-called money mules come in, and they collect the money.

Black box ATM jackpotting attack

In this case, after gaining access to the ATM computer’s dashboard, criminals switch the ATM to supervisor mode and connect a rogue device, known as the black box. These rogue devices mimic the ATM’s internal computer and are programmed to take over the ATM’s cash dispenser. Now the ATM goes into supervisor mode for customers, but the cash dispenser is still in use. Later, the black box is controlled wirelessly with a simple smartphone by sending commands to the black box. After the maximum amount of cash is withdrawn, the hacker returns and disconnects the portable computer without leaving any evidence behind.

Organized crime has no borders. No wonder ATM jackpotting attacks keep appearing worldwide, more sophisticated than ever. Here are a couple of famous ATM jackpotting attacks that swept huge sums of money from ATMs globally.

Ploutus ATM malware

In 2013, the first large-scale ATM jackpotting attack occurred in Mexico. A large group of hackers conducted an ATM cyber heist by targeting more than 450 ATMs and stealing a large pile of cash. The estimated pillage was worth about $40 million. The investigators discovered that all ATMs were infected with Ploutus ATM malware, which was later crowned as one of the most advanced ATM malware families.

The Carbanak gang

Named the biggest bank robbery of the modern era, the Carbanak gang stole an estimated $1.2 billion worldwide. It was a multilayered cyberattack backed up by social engineering tactics, like spear phishing attacks. Hackers gained full access to the domain controller and the whole banking network. The criminals cashed out the money in two main ways: By sending money to different personal accounts worldwide, while employed money mules would come to ATMs and empty those bank accounts using debit cards. But the second way was even more theatrical. Since they could remotely control ATMs, they would make the machines spit out cash whenever they wanted.

Unfortunately, customers can’t always protect their bank accounts against ATM fraud, especially when criminals set up ATM skimmers, the machines that steal cardholders’ information, like stripe data, card numbers, PIN codes, and even new authentication methods, such as biometric data. But all this can be minimized by following some simple tips:

• Use automatic teller machines belonging to legitimate banks and financial institutions while avoiding ATM owners like shopping malls and ATMs set up by regular businesses.
• Avoid showing your PIN code to anyone behind you while withdrawing money from an ATM.
• Check your bank statements monthly, ensuring there are no unauthorized transactions.
• Switch most operations to online banking and set appropriate cash withdrawal and operational limits. Don’t forget to use a VPN for online banking.

As far as banks are concerned, they are playing the Sisyphus game simply because new strains of ATM jackpotting malware keep constantly appearing. Some key points that banks should keep in mind:

• Banks must ensure that their ATM security software is up-to-date and that all antivirus programs work accordingly.
• Banks should monitor unusual activities thoroughly. Activities like multiple failed login attempts and large cash-out requests could indicate a jackpotting attack.
• Removing common vulnerabilities, like auto-boot functions that hackers exploit, is advisable.
• Banks should be responsible for mobile banking safety by implementing reliable cybersecurity measures for online and mobile banking apps.
• In addition to the software updates, banks could ensure the physical security of their ATM machines. For example, CCTV cameras, locks, and alarms could be installed if an unauthorized person tries to access the ATM interior or hard drives.
• It is essential to safeguard bank assets and protect vulnerable information, such as login passwords and administration rights. Therefore, bank employees should attend regular cybersecurity training on emerging cyber threats like phishing techniques and social engineering issues.