First ‘Jackpotting’ Attacks Hit U.S. ATMs


ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Diebold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.


“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.”

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF).

The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

An endoscope made to work in tandem with a mobile device. Source:

“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

A 2017 analysis of Ploutus.D by security firm FireEye called it “one of the most advanced ATM malware families we’ve seen in the last few years.”

“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.

According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.

Regalado says the crime gangs typically responsible for these attacks deploy “money mules” to conduct the attacks and siphon cash from ATMs. The term refers to low-level operators within a criminal organization who are assigned high-risk jobs, such as installing ATM skimmers and otherwise physically tampering with cash machines.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” he wrote. “Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Indeed, the Secret Service memo shared by my source says the cash out crew/money mules typically take the dispensed cash and place it in a large bag. After the cash is taken from the ATM and the mule leaves, the phony technician(s) return to the site and remove their equipment from the compromised ATM.

“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the alert notes.
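The alerts above describe a recognizable sequence on the ATM side: the host link goes away (the Ethernet cable is pulled), the machine shows Out of Service, and the dispenser then runs without any host-authorized transaction, at roughly 40 bills every 23 seconds. The following is an added example, not code from KrebsOnSecurity, the Secret Service, NCR, Diebold or FireEye, showing how an ATM operator's monitoring could flag that pattern. The event format, field names, thresholds and sample telemetry are all assumptions constructed for this example; real ATM host logs differ by vendor.

```python
"""Heuristic detection of jackpotting indicators in constructed ATM telemetry.

Assumed event model (not a real vendor format):
  txn_authorized  host approved a withdrawal for this ATM
  dispense        the dispenser pushed out N bills ("bills" in detail)
  net_down/net_up host link lost / restored
  status          terminal status change ("state" in detail)
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    atm_id: str
    kind: str
    detail: dict = field(default_factory=dict)


# Thresholds are assumptions. 40 bills / 23 s (from the alert) is ~104 bills
# per minute; a single legitimate withdrawal is a small fraction of that.
RATE_WINDOW = timedelta(seconds=60)
RATE_LIMIT_BILLS = 60          # more than this within RATE_WINDOW is abnormal
AUTH_WINDOW = timedelta(seconds=30)  # a dispense must follow an authorization


def analyze(events):
    """Return a list of (atm_id, timestamp, finding) tuples."""
    findings = []
    by_atm = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_atm.setdefault(e.atm_id, []).append(e)

    for atm_id, evs in by_atm.items():
        recent_auth = []          # timestamps of host authorizations
        recent_dispense = []      # (timestamp, bills) within RATE_WINDOW
        link_down = False
        out_of_service = False
        for e in evs:
            if e.kind == "txn_authorized":
                recent_auth.append(e.ts)
            elif e.kind == "net_down":
                link_down = True
            elif e.kind == "net_up":
                link_down = False
            elif e.kind == "status":
                out_of_service = e.detail.get("state") == "out_of_service"
            elif e.kind == "dispense":
                bills = e.detail.get("bills", 0)
                # 1. Dispense with no host authorization shortly before it.
                authorized = any(timedelta(0) <= e.ts - a <= AUTH_WINDOW
                                 for a in recent_auth)
                if not authorized:
                    findings.append((atm_id, e.ts, "dispense_without_authorization"))
                # 2. Dispense while the host link is down (cable unplugged).
                if link_down:
                    findings.append((atm_id, e.ts, "dispense_while_offline"))
                # 3. Dispense while the terminal claims to be out of service.
                if out_of_service:
                    findings.append((atm_id, e.ts, "dispense_while_out_of_service"))
                # 4. Sustained dispense rate far above normal withdrawals.
                recent_dispense = [(t, b) for t, b in recent_dispense
                                   if e.ts - t <= RATE_WINDOW]
                recent_dispense.append((e.ts, bills))
                if sum(b for _, b in recent_dispense) > RATE_LIMIT_BILLS:
                    findings.append((atm_id, e.ts, "dispense_rate_exceeded"))
    return findings


def summarize(findings):
    """Collapse findings into {atm_id: set of finding names}."""
    out = {}
    for atm_id, _, name in findings:
        out.setdefault(atm_id, set()).add(name)
    return out


# Constructed sample telemetry: one normal withdrawal, one jackpotting sequence.
T = datetime(2018, 1, 27, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T, "ATM-0001", "txn_authorized", {"txn": "A1"}),
    Event(T + timedelta(seconds=3), "ATM-0001", "dispense", {"bills": 5}),
    Event(T + timedelta(hours=1), "ATM-0002", "net_down"),
    Event(T + timedelta(hours=1, seconds=5), "ATM-0002", "status",
          {"state": "out_of_service"}),
    Event(T + timedelta(hours=1, seconds=60), "ATM-0002", "dispense", {"bills": 40}),
    Event(T + timedelta(hours=1, seconds=83), "ATM-0002", "dispense", {"bills": 40}),
    Event(T + timedelta(hours=1, seconds=106), "ATM-0002", "dispense", {"bills": 40}),
    Event(T + timedelta(hours=1, minutes=10), "ATM-0002", "net_up"),
]

if __name__ == "__main__":
    for atm_id, names in summarize(analyze(SAMPLE_EVENTS)).items():
        print(atm_id, sorted(names))
```

The rate rule alone would also fire on a dispenser fault; it is the combination with "no authorization" and "host link down" that distinguishes the sequence in the alerts, which is why the findings are kept separate rather than merged into one score.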

FireEye said all of the samples of Ploutus.D it examined targeted Diebold ATMs, but it warned that small changes to the malware’s code could enable it to be used against 40 different ATM vendors in 80 countries.

The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.

This is a quickly developing story and may be updated multiple times over the next few days as more information becomes available.

Tags: atm jackpotting, atm logical attacks, Daniel Regalado, Diebold Nixdorf, Diebold Opteva, endoscope, FireEye, NCR Corp, Ploutus.D, U.S. Secret Service, Windows 7, Windows XP

This entry was posted on Saturday, January 27th, 2018 at 1:45 pm and is filed under All About Skimmers, Latest Warnings, The Coming Storm.


A Teachable Moment: Hospital Goes Public after Making Ransom Payment


It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.

The Hancock Regional Hospital in Greenfield, Indiana – a general medical and surgery facility located 20 minutes from Indianapolis — was attacked last Thursday night by a ransomware called SamSam, which targeted the hospital’s “most critical” information systems including more than 1,400 files. The hospital paid the hackers about $50,000 in Bitcoin for private encryption keys to unlock its files and restore its IT network.

“My hope is that this retelling of the events will help shed light into the extraordinary efforts our organization mounted in response to a potentially disastrous event,” wrote the hospital’s Chief Executive Officer, Steve Long, in a blog post explaining his decision to go public with details of the attack and decision to make the ransomware payment.

Hancock Regional Hospital’s experience with ransomware isn’t an isolated instance. Ransomware attacks in the healthcare industry have been on the uptick. One recent survey says that ransomware attacks have increased by almost 90 percent in the sector during the past year. In 2016, the U.S. Department of Health and Human Services Office for Civil Rights issued guidance to help the industry address the threat.

The Hancock attack started last Thursday evening after IT staff at the hospital noticed “negative changes in system performance.” Moments later, messages were displayed on computer terminals throughout the hospital saying that the system was under attack and that decryption keys could be purchased with Bitcoin payable on the Dark Web. The message contained detailed payment instructions.

According to the CEO’s blog post, the hospital then shut down its network. The malware was eventually isolated at the hospital’s back-up site, but by then the electronic tunnel between the backup site and the hospital had already been compromised by the hackers, which meant that purging encrypted data and replacing it with clean data was no longer a viable option.

“[T]he core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers,” wrote Long. “Thus, backup of the rest of the network systems would never have been a possibility and acquisition of the decryption keys was unavoidable.”

Long also noted that the hospital was “in a very precarious situation at the time of the attack,” between bad weather conditions and a nationwide flu epidemic. “[W]e wanted to recover our systems in the quickest way possible and … made the deliberate decision to pay the ransom to expedite our return to full operations.”

A forensic investigation determined that the hackers – most likely from Eastern Europe – obtained the login credentials of a vendor that provides hardware for one of the critical information systems used by the hospital. Using the stolen credentials, the hackers targeted a server in the hospital’s emergency IT backup facility.

Before paying the ransom, the hospital brought in the FBI’s cybercrime task force for “advisory assistance.”

Another Indiana hospital, Adams Memorial Hospital in Fort Wayne, also acknowledged a ransomware attack the same day and said its servers were affected but did not release additional information. A statement posted to the hospital’s website said that “no interruption in patient care or to the quality and safety of patient care was experienced … [and] we do not believe any patient information has been compromised.”

It’s not clear if the two attacks are related.

And a third healthcare company, Allscripts, also reported a ransomware attack late last week. Allscripts, a major player with its popular electronic health records and e-prescribing systems, said the attack affected the company’s data centers in North Carolina. In a statement, an Allscripts spokesperson said, “We are investigating a ransomware incident that has impacted a limited number of our applications. We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.”

Patterson Belknap Webb & Tyler LLP