FBI Warns of $20 Million Stolen in Malware-Driven Jackpotting Attacks Last Year

Last year, cybercriminals carried out a series of ATM jackpotting attacks across the United States, stealing $20 million in cash by loading malware onto the machines themselves.
The Federal Bureau of Investigation has issued a warning about these malware-driven attacks, noting a sharp rise in frequency. Since 2020 there have been nearly 1,900 recorded ATM jackpotting incidents in the U.S., and roughly one-third of them occurred in the past year alone.
In a jackpotting attack, malware is installed on the ATM's internal computer and takes control of the machine, including its cash dispenser, so that it pays out cash on the attacker's command rather than in response to an authorized card transaction. One notorious strain used in these attacks, Ploutus, infects the ATM itself instead of targeting customer accounts; the cash is gone before the operator's transaction monitoring would see anything wrong.
Carrying out the attack normally requires physical access to the ATM. The initial compromise typically begins with the attacker opening the ATM's casing with a generic key and disconnecting the internal hard drive. The attacker then either swaps the drive for one preloaded with malware, or connects it to a laptop to infect it before reinserting it, and finally reboots the ATM so the malware runs. The FBI's alerts stress that this bypasses the ATM's normal transaction controls: because the malware drives the dispenser directly, no account is debited and no bank authorization is involved, so cash is dispensed without any access to bank accounts.
This surge in ATM jackpotting appears to be linked to organized crime rings. Recently, the U.S. Department of Justice announced the indictment of 54 individuals tied to a conspiracy that utilized malware to steal vast sums from ATMs while laundering the proceeds. This criminal activity has been associated with Tren De Aragua, a gang initially operating out of Venezuela, which has now been classified as a transnational criminal organization with ties to a multitude of illicit activities.
Evolution of ATM Malware
Ploutus was first identified in 2013 in Mexico, where it targeted NCR-built ATMs. Later versions added other ways of operating, including a variant driven by a mobile phone tethered to the ATM over USB: the operator sends the phone an SMS, which the malware turns into a cash-dispense command.
The FBI reports that Ploutus now exists in numerous forms, and its latest variants can run on different manufacturers' ATMs with minimal changes to the code. That portability means ATM operators cannot treat the threat as specific to one vendor's fleet.
To mitigate these risks, the FBI has recommended a suite of countermeasures for ATM operators. On the physical side these include tamper and intrusion sensors that alert when the casing is opened, and replacing the standard (often widely shared) locks with more secure alternatives. On the technical side, encrypting the hard drive means a removed drive cannot be read or modified offline, and firmware and boot integrity checks stop the machine from starting an unauthorized image; together they make a successful malware installation far less likely.
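The following Python sketch is an added illustration, not the FBI's guidance text or any ATM vendor's implementation, of why disk encryption and boot integrity checks defeat the "pull the drive, infect it, reinsert it" technique. It models a disk key sealed to a measured boot chain: every boot component is hashed into a PCR-style register, and the volume key is derived from a platform-held secret plus that measurement. The firmware, bootloader, OS image, volume contents and platform secret are all constructed byte strings chosen for the example; the cipher is a toy SHA-256 counter mode with an HMAC tag standing in for a real AES-XTS/GCM volume format.

```python
"""Toy model of a disk key sealed to a measured boot chain (added illustration).

Not the FBI's text or any ATM vendor's code.  Every image, secret and volume
below is a constructed byte string standing in for the real artifact.
"""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold each boot-chain component, in boot order, into one measurement."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def derive_volume_key(platform_secret: bytes, measurement: bytes) -> bytes:
    """Key = HMAC(platform secret, measurement): only this machine, booting
    exactly these images, can reproduce it (the secret models a TPM-held value)."""
    return hmac.new(platform_secret, b"atm-volume-key|" + measurement, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (a real volume uses AES-XTS/GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_volume(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_volume(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# Constructed stand-ins for the genuine machine's boot chain and disk contents.
FIRMWARE = b"vendor-bios-image-3.1"
BOOTLOADER = b"signed-boot-manager"
OS_IMAGE = b"hardened-atm-os-volume-header"
VOLUME_DATA = b"xfs-config;dispenser-credentials;cash-application"
PLATFORM_SECRET = b"tpm-held-secret-never-exported"


def run_scenarios() -> dict:
    """Replay the drive-swap and offline-infection steps against the sealed volume."""
    genuine_key = derive_volume_key(PLATFORM_SECRET, measure_boot([FIRMWARE, BOOTLOADER, OS_IMAGE]))
    sealed = seal_volume(genuine_key, VOLUME_DATA)

    # 1. Untouched machine boots normally and the volume opens.
    genuine_boot = open_volume(genuine_key, sealed) == VOLUME_DATA

    # 2. Drive pulled, patched on a laptop, reinserted: the attacker cannot read
    #    the volume, so the best they can do is flip ciphertext bits blindly.
    patched = bytearray(sealed)
    patched[16 + len(VOLUME_DATA) // 2] ^= 0x01
    offline_patch_rejected = open_volume(genuine_key, bytes(patched)) is None

    # 3. Drive swapped for one carrying a malware-laden OS: the boot chain measures
    #    differently, so the platform derives a different key and nothing sealed to
    #    the genuine chain (dispenser credentials, config) is available to the malware.
    swap_key = derive_volume_key(PLATFORM_SECRET, measure_boot([FIRMWARE, BOOTLOADER, b"attacker-os-image"]))
    swapped_drive_rejected = open_volume(swap_key, sealed) is None

    # 4. Genuine drive moved to the attacker's laptop: same images, but that
    #    platform has no access to the ATM's secret.
    laptop_key = derive_volume_key(b"laptop-tpm-secret", measure_boot([FIRMWARE, BOOTLOADER, OS_IMAGE]))
    other_platform_rejected = open_volume(laptop_key, sealed) is None

    return {
        "genuine_boot": genuine_boot,
        "offline_patch_rejected": offline_patch_rejected,
        "swapped_drive_rejected": swapped_drive_rejected,
        "other_platform_rejected": other_platform_rejected,
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'OK' if ok else 'FAIL'}")
```

The model covers the variant in which the attacker infects or replaces the original drive and expects the ATM's own software and credentials to remain usable. A drive swapped for one that is entirely attacker-controlled is a separate case: the sealed data stays unreadable, but stopping the machine from booting that drive at all is the job of the firmware checks the FBI recommends, such as refusing unauthorized boot media.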
While the U.S. grapples with this uptick in ATM malware attacks, Europe shows a contrasting trend. Reports indicate a significant drop in confirmed malware attacks on European ATM networks, attributed to the adoption of rigorous hardening guidelines. Other forms of physical attack and fraud persist there, however, so vigilance remains necessary worldwide.