Researchers have recently discovered a new kind of “jackpotting” malware—the sole purpose of which is forcing ATMs to spit out huge volumes of cash.
According to Netskope, a California-based software company, the malware appears to share some functional similarities with ATM Ripper, a variant thought to be responsible for a slew of ATM heists last year in Thailand, which netted cyber criminals at least 12.29 million baht (then about $346,000 USD) from 21 ATMs.
The new malware carries a March 2018 timestamp, is believed to originate in Hong Kong, and is likely still under development, Netskope reports.
Jackpotting is a very niche form of hacking that almost always requires physical access to an ATM. While the cash inside an ATM is generally well protected, physically speaking, an ATM’s motherboard is often protected only by a cheap lock, which may be easily picked or destroyed. To infect ATMs with jackpotting malware, some criminals use USB thumb drives that execute automatically, while others connect their laptops directly to the machine.
Once the command to dispense the cash is given, most ATMs are capable of spitting out nearly $2,500 a minute. While some machines hold hundreds of thousands of dollars, most ATMs reportedly contain less than $10,000. Ostensibly, the ATMs targeted by hackers—those not located inside of banks or heavily-trafficked areas—aren’t filled to capacity.
The malware discovered by Netskope has been dubbed “ATMjackpot,” which is not to be confused with the hacking group by the same name (the researchers say there’s no apparent connection). Last year, the ATMjackpot crew published several instructional YouTube videos demonstrating how ATMs could be hacked using software known as Cutlet Maker, which at the time was being sold on the darknet marketplace Alphabay for around $5,000.
Jackpotting attacks are more common in Asia and Europe but recently spread to the United States. In February, the Department of Justice unveiled charges against a Massachusetts resident and a Spanish national, a pair accused of carrying out multiple jackpotting attacks across New England. Upon his arrest, one of the attackers was found with more than $9,000 in $20 bills in his possession.
Although jackpotting almost always requires physical access to the ATM, remote attacks have been proven possible.
During remote attacks, cyber criminals typically work from a safe distance while cash mules are used to pick up and transport their earnings. This method, while generally safer for the hackers, is far more complex than those involving physical tampering. Absent some gaping security hole at the bank, remotely infecting an ATM requires access to a bank employee’s credentials, generally obtained via email phishing or social engineering attacks.
For more details about the ATMjackpot malware, read Netskope’s technical report.