What Is an ATM Jackpotting Attack and How Does It Work?

If you regularly use ATMs, you might have heard the term “jackpotting” in the headlines. Although this has been around for a little while, jackpotting has become an increasingly popular form of hacking, particularly in Europe and Asia.

So what is ATM jackpotting? How exactly do ATM hackers go about carrying out this attack?

What Is ATM Jackpotting?

ATM jackpotting is the detection and exploitation of the vulnerabilities of an Automated Teller Machine, aka ATM. These jackpotting operations aim to force the machine to dispense all the cash in its reserves.

If the hackers succeed, they can cart away all the funds in the ATM. Technically, these do not belong to any account, so usually, none of the bank’s customers bear the brunt of the attacks.

Standalone ATMs located at retail outlets or away from the bank premises are the main targets. Jackpotting requires a physical connection to the machine, so hackers typically dress up as tech experts or security personnel to access the ATM without confrontation.

The first jackpotting attack likely occurred in January 2018. In a press release, the United States Secret Service warned financial and law enforcement bodies about this attack on ATMs. Through partners of their Electronic Crimes Task Force (ECTF), they received credible intelligence regarding planned jackpotting attacks in the US.

How Does ATM Jackpotting Work?

For an ATM jackpotting operation, you need to have physical access to the ATM and a rogue device. A rogue device is a wireless hardware attack tool, like a portable computer, that doesn’t have permission to access a network but exists to cause harm, steal information, and disrupt the network’s normal operations.

Once threat actors successfully gain access to the internal computer of the ATM, they remove the hard drive and uninstall any antivirus software present. With the antivirus gone, the hackers can install their malware, replace the hard drive, and reboot the ATM. The jackpotting operation typically takes less than a minute.

watching while entering your PIN — Image Credit: Richard/ Flickr.

There are two primary forms of ATM jackpotting.

1. Malware-Based Jackpotting

This form of jackpotting makes use of a USB device. The device is usually heavily laden with malware and plugged into the USB terminal of an ATM. This malware forces the machine to dispense cash which the hacker comes to collect.

Other customers can use the ATM even with the malware installed, and the machine would perform optimally. But upon activation of the malware by the hacker, the ATM starts dispensing into the waiting hands of the mule, who acts as a middleman between the ATM and the hacker.

The hackers send someone also "in" on the operation when the funds are ready to be collected. Usually, the only security at off-site ATMs is CCTV cameras, meaning the threat actors and their mules just need to conceal their identities or stay out of view.

These malware-based cash dispensations do not reflect any withdrawal transactions on any bank accounts. A famous example of jackpotting malware is “Ploutus.D,” which has various modifications that allow it to run seamlessly on the ATMs of over 40 different ATM vendors in 80 countries.

2. Black Box Attack

In this case, the rogue devices are known as black boxes. These mimic the ATM’s internal computer and can be anything from laptops to Raspberry Pi, which are relatively easy to obtain or build.

The black box can be used in two different ways. The first involves mimicking the internal computer of the ATM, connecting directly to the dispenser, and commanding it to spit out cash.

The other method involves plugging into network cables and grabbing cardholder information. This information is typically relayed between the ATM and the transaction center responsible for processing the transaction session.

All ATMs have a maximum limit that they’re allowed to withdraw per transaction or customer, but black box attacks pose as the host system and force the ATM to dispense all its cash at once.

How to Prevent ATM Jackpotting

boy in green jacket paying for parking with a card at night

Both banks and customers can take precautions to prevent ATM jackpotting.

Precautions for Customers

As a customer, the sad reality is that there is little you can do to prevent jackpotting. But a few tips come in handy.

The most important would be to use only ATMs belonging to famous financial institutions and avoid those owned by regular businesses, malls, and retail outlets. This is because ATMs of top institutions have better security systems than standalone ATMs in front of casinos or supermarkets.

Another thing you should note is that the person standing behind you in the ATM queue might just be a threat actor looking for funds to siphon. Before you start your transaction session, ensure you cover the keypad when inputting your pin.

Also, check your bank statements monthly for unauthorized transactions and report to the appropriate quarters if any are detected.

Precautions for Banks

Banks hoping to avoid this attack should ensure the antivirus programs and other security software on the ATM are up-to-date. It is also advisable to disable the “auto-start and boot” functions on the machine, as this is a vulnerability that hackers exploit.

The ATM should be monitored for unusual activities, like requests for large amounts of cash from customers with empty bank accounts and multiple failed login attempts from a particular ATM, as it could be a target of jackpotting.

Most importantly, there should be security personnel at ATMs outside the bank: personnel who would be there to prevent illegal access to the dispensing machines.

In addition to all these, take physical measures like adding locks and alarms to the ATM’s cabinet. This is necessary for hackers who want to access the interior of the machine to remove its hard drive.

Hitting the Jackpot?

ATM jackpotting is a form of cybercrime that is popular among threat actors because of its ease and possibility of large payouts. It is a severe threat to the financial industry and can have grave consequences for targeted institutions, customers, and companies.

These groups need to protect themselves from such attacks by implementing up-to-date security measures and carrying out routine checks on their ATMs for signs of tampering or malware infection.