ATM Jackpotting attacks reach the U.S.A

ATM operators in the U.S.A. have started 2018 with a new headache to take care of, as recent news shows that ATM Jackpotting (a cyber-criminal technique widely spread across LATAM, Asia & Europe) has now reached their ATM networks.
The U.S. Secret Service has just reported that a coordinated group of cyber-criminals has been attacking ATMs across the country during the first weeks of the year, resulting in estimated losses of more than 1 million US dollars.
The attack technique, known as ATM Jackpotting, is based on the use of malware (Ploutus-D in this case) to steal large amounts of money in cash from an ATM without having to use a credit or debit card. This technique has been widely used in other geographies over the past few years, and there was little doubt that sooner or later it would hit the U.S.A. shores.
This blog post discusses the nature and modus operandi of the ATM Jackpotting attacks in question, the root causes that enable such exploitation of ATMs by criminals, and pointers to countermeasures that should be implemented by ATM network owners.

Diebold Front-load ATMs are the target

The attack disclosed by the U.S. Secret Service targets a particular model of front-loaded Diebold ATMs (Opteva 500 and 700 series) with Advanced Function Dispenser (AFD), which are typically placed in physically exposed locations like retail shops, pharmacies or drive-thrus. The same type of attack had been reported at the end of 2017 in Mexico, and now it is moving to the northern neighbours.
Although the attack has focused on front-loaded Diebold ATMs with AFD, other vendors and models can be targeted as well in the future, especially if they don’t have dispenser authentication.

PLOUTUS-D Malware is used

The piece of malware being used for the ATM Jackpotting is Ploutus-D, the new generation of Ploutus, a well-known and sophisticated ATM malware family which was first discovered in the wild in Mexico in 2013.
The main novelty of Ploutus-D (see S21sec’s blog post for detailed information) is the fact that it uses components of KAL’s Kalignite multivendor ATM software to abuse the XFS layer and gain illegitimate full control of the ATM hardware devices like dispenser, card reader and pinpad.
So far, Ploutus-D has been seen to target Diebold ATMs, but the fact that it uses multi-vendor KAL software (that runs on 40 different ATM vendors) would allow the malware to easily target multiple ATM vendors in the near future.

Innovative Modus Operandi – replacing the Hard Disk

The attacks reveal an extremely sophisticated and innovative modus operandi, leveraging an in-depth knowledge of the software stack and the hardware setup of the targeted ATMs.
Cyber-criminals make use of the new generation Ploutus-D malware for ATM Jackpotting but, instead of using a USB drive or network connection to copy the malware to the ATM, they simply replace the Hard Disk with a home-made replica that is already infected.
The fake Hard Disk will not be authorized to send commands to the ATM dispenser, since the communications are encrypted in these ATM models. To overcome this security mechanism, the fraudsters make use of an endoscope (a flexible instrument traditionally used in medicine to give physicians a look inside the human body) to manipulate the internals of the ATM and re-authorize the communication between the fake Hard Disk and the dispenser, just like any technician would do when they legitimately replace a damaged Hard Disk.
Once the fake Hard Disk is re-authorized, the malware is free to talk to the dispenser and will be waiting in the background to receive an activation command that will trigger the ATM cash-out.
This is how the Jackpotting attack works:

  • The cyber-criminals steal a Hard Disk from a production ATM, containing the full software stack used by the financial institution
  • The stolen Hard Disk is analysed in the lab (with real ATM hardware) and is used to create Hard Disk replicas infected with the Ploutus-D malware


  • The cyber-criminal (often dressed up as a technician) gains physical access to the ATM internals by means of breaking the top-box or using front-cover keys
  • The legitimate Hard Disk is replaced with the tampered one, which is infected with the Ploutus-D malware
  • An endoscope is used to manipulate the ATM internals and re-authorize the communication between Hard Disk and the dispenser
  • The malware will be running in the background waiting for an activation code, and with full permissions to talk to the dispenser


  • The “money-mules” enter an activation code to cash-out the ATM, by using a connected keyboard, using the pinpad, or even by attaching a mobile device and receiving an SMS

Once the cash-out is completed the legitimate Hard Disk will be returned.

Windows XP vs Windows 7 – both are vulnerable

Some sources claim that ATMs running Windows XP are more vulnerable because the operating system is no longer supported and there are no new security patches.
However, while migrating to Windows 7 is always a good practice, it is very important to highlight that Windows 7 ATMs are as vulnerable as the ones running Windows XP.
The reason for this is the fact that ATM malware is highly targeted, and it does not exploit operating system vulnerabilities, but rather design vulnerabilities of the ATM software stack, like the lack of authentication in the XFS layer.

Security Countermeasures

Every organization operating an ATM network is a potential target for Jackpotting attacks and therefore, the application of robust and efficient security countermeasures becomes a basic need.
The crucial aspect of this attack is the fact that the criminals can steal an ATM Hard Disk and, if the disk is not properly secured, they are able to create mirror copies and then manipulate them to infect them with the malware.
The first line of defence should therefore be to prevent the fraudsters from being able to create copies of the Hard Disk and to manipulate them. To do that, the following logical protections need to be applied:

  • Hard Disk Encryption (to avoid “Off-line” Hard Disk manipulation)

The simplest way of manipulating the Hard Disk data consists of booting from an external system, mounting the ATM Hard Disk and altering the file and directory structure “off-line”.

Hard Disk Encryption will prevent an attacker from manipulating the Hard Disk data “off-line”.

  • Whitelisting (to avoid “On-line” Hard Disk manipulation)

If the attacker can boot from the stolen disk, and gets access to the operating system, then he can alter the file and directory structure “on-line”.

A comprehensive Whitelisting technology that would limit and preserve the integrity of the software that can be executed, while restricting the hardware that can be connected, will prevent an attacker from manipulating the Hard Disk data “on-line”.

If these logical measures have not been applied and the cyber-criminal has been able to create a mirror copy of the Hard Disk and to infect it with the malware, then organizations need to rely on physical protections, like limiting physical access to the ATM or implementing protection mechanisms in the cash dispenser (encrypted communications and robust authentication), but these measures are typically more expensive to deploy.
Furthermore, it is critical to stay vigilant and continuously monitor the ATM network for suspicious activities like software or hardware events and ATM disconnections or reboots, as well as having the ability to remotely access the ATMs to quickly react to potential security incidents.
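
As an illustration of the monitoring described above, the following added example (not S21sec's or any vendor's code) correlates ATM telemetry for the sequence this attack produces: cabinet opened, ATM offline, reboot from a different disk, cash dispensed without a card. The event names, the record format, the disk-serial inventory and the 30-minute window are assumptions made for the example, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real ATM): time, ATM id, event, detail.
EVENTS = [
    ("2018-01-20T02:10:00", "ATM-017", "cabinet_open", ""),
    ("2018-01-20T02:11:30", "ATM-017", "offline", ""),
    ("2018-01-20T02:19:05", "ATM-017", "boot", "disk=SER-REPLICA"),
    ("2018-01-20T02:40:12", "ATM-017", "dispense", "card=none"),
    ("2018-01-20T09:00:00", "ATM-042", "offline", ""),
    ("2018-01-20T09:03:00", "ATM-042", "boot", "disk=SER-0042"),
    ("2018-01-20T09:30:00", "ATM-042", "dispense", "card=present"),
]
# Assumed asset inventory: the disk serial enrolled for each ATM.
ENROLLED_DISK = {"ATM-017": "SER-0017", "ATM-042": "SER-0042"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def detect(events, enrolled=ENROLLED_DISK, window=WINDOW):
    """Return sorted (atm_id, finding) pairs for the patterns described above."""
    findings = set()
    last_seen = {}  # (atm, event) -> time of the most recent occurrence
    for ts, atm, event, detail in sorted(events):
        now = datetime.fromisoformat(ts)
        key, _, value = detail.partition("=")
        if event == "boot":
            # A boot from a disk that is not the enrolled one suggests a swap.
            if key == "disk" and value != enrolled.get(atm):
                findings.add((atm, "boot from unenrolled disk"))
            # Cabinet opened and ATM offline shortly before this boot.
            opened = last_seen.get((atm, "cabinet_open"))
            down = last_seen.get((atm, "offline"))
            if opened and down and now - opened <= window and now - down <= window:
                findings.add((atm, "cabinet opened, then offline and reboot"))
        elif event == "dispense" and value == "none":
            # Cash leaving the dispenser with no card in the transaction.
            findings.add((atm, "dispense without card"))
        last_seen[(atm, event)] = now
    return sorted(findings)


if __name__ == "__main__":
    for atm, finding in detect(EVENTS):
        print(atm, "-", finding)
```

A routine reboot such as the one on ATM-042 produces no finding; each finding on its own would be a reason to check the maintenance schedule for that ATM, and all three together on one machine match the sequence described in this post.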

About S21sec

S21sec develops solutions adapted to the needs of the banking industry, like its product Lookwise Device Manager, designed to manage the security of ATM networks. S21sec also provides specialized and advanced cybersecurity services to fight fraud in financial organizations.
S21sec is a member and sponsor of the main ATM industry associations, like ATMIA and ATEFI.
For further information please contact us.

