Jackpotting Attack: Making ATM Machines Spit All Cash

ATM jackpotting, a technique to tamper with the machines to spit all cash inside, is becoming a vogue among criminals.
ATM machines are enticing targets for criminals with an intention to rob. The typical robbing of ATM machines is done using different techniques which includes breaking down the machine using tools and gaining access to the vault where the cash is kept. But as we are advancing into the information age the perks of technological advancements have benefited the “high-tech” criminals too. Using some malicious cyber techniques and exploiting the ATM firmware cybercrooks are taking a toll on hundreds of ATM machines in parts of Asia and Europe, with a technique called ATM Jackpotting.

ATM Jackpotting

Also known as logical attack, it is a practice of exploiting the physical and software vulnerabilities in an ATM machine and hacking into it to trigger the machine to dispense cash just like a slot machine at a casino, hence the name. The first jackpotting attack happened in Mexico in 2013 and since then it is spreading in countries in Europe and the Asia Pacific.

Jackpotting Stats

Jackpotting Stats

Culprits use a portable computer called a “black box” along with a malware to target the cash-dispenser by launching cash out commands. In the bold approach, the thieves usually masquerade as bank service personnel to scrutiny. Moreover, machines which are situated away from the bank’s tighter security are easy targets. Thieves who remain undetected get away with ATM’s cash.

Modus Operandi

Usually, the most evident ways observed in the jackpotting attacks to date involves two different techniques.

Using Malware

The first one is by injecting malware in the ATM machine either offline or online by compromising the administrator system using spear-phishing emails.
In offline mode, the criminals open up the fascia of the machine getting access to the ports. The impersonating thieves than power off the machine and insert their USB drive with the malware installed in it. The ATM is rebooted. Moreover, to remain under the radar and unnoticed hackers also disable the antivirus utility on the machine.
On the other hand, the online injection of the virus involves more advanced techniques. The hackers often penetrate the ATM to inject the malware using remote access gained either by victimizing an administrator system or by getting hold of the proprietary firmware of the ATM by targeting employees’ systems.
This jackpotting technique occurs in two phases. The first phase involves injecting the malware and the second phase is executed after weeks. Meanwhile, the malware stays in the machine without anybody knowing the ATM machine is compromised. Also, the machine performs transactions normally. In this time the attackers victimise other ATMs to procure a significant amount.
The second phase involves the thief returning to the machine and deploying cash-out commands using preconfigured card or a special PIN. Having the machine spit out all cash the thieves or the “service personnel” speed off!

Using Black-Box

This technique of jackpotting is more or less similar to the former one only that it doesn’t happen in binary phases.
To make the process quicker hackers have developed a device, famous as a black box amongst the banks, which targets the dispenser of the ATM machine. It does so by impersonating as the bank’s “legitimate” software. It is the most rampant method to tamper with the ATM machines for jackpotting.
The hackers firstly make holes in the fascia of the machine to hijack the EPP cable to send cash-out commands. The dispenser is disconnected from the PC core and is connected with the black box instead.
The black box tricks the dispenser as being the original PC core with the help of the gathered proprietary firmware.

Jackpotting Attacks

I. The most recent attack happened this week when the world’s largest ATM maker, Diebold Nixdorf got its machines across Europe compromised using black boxes.
The company says that the targetted machines are ProCash 2050xe ATM terminals. The hackers then connected the CMD-V4 dispenser cable with their black box to deploy dispense commands. But what surprises the Diebold is that besides using custom malicious code, hackers used a copy of the ATM firmware to interact with the machine.
Diebold ATM targeted for jackpotting

Diebold ATM targeted for jackpotting

II. The attack which made Diebold cautious beforehand was on the Belgian savings bank: Argenta in June 2020. This was the first-ever ATM jackpotting attack in the history of Belgium. Only Diebold Nixdorf ATMs were attacked.
There’s very little ATM users can do to prevent ATM jackpotting. But we can stay far from it by using ATM machines belonging to major banks and eschew from mom-and-pop businesses. Also, keep in mind to shield the keyboard while entering the PIN and keep checking the bank details regularly in search of any unauthorised transactions.

Leave a Comment