Researchers Unearth New Malware Designed to Make Cash Machines Spew Out Cash

By Dell Cameron on at

Researchers have recently discovered new kind of “jackpotting” malware—the sole purpose of which is forcing cash machines to spit out huge volumes of cash.

According to Netskope, a California-based software company, the malware appears to share some functional similarities with ATM Ripper, a variant thought to be responsible for a slew of cash machine heists last year in Thailand, which nabbed cyber criminals at least 12.29 million baht (then about £243,000) from 21 cash machines.

Dated with a March 2018 timestamp, the new malware, believed to originate in Hong Kong, is likely still under development, Netskope reports.

Jackpotting is a very niche form of hacking that almost always requires physical access to a cash machine. While the cash inside a cash machine is generally more secure, physically speaking, the motherboard is often protected only by a cheap lock, which may be easily picked or destroyed. To infect cash machines with jackpotting malware, criminals may use USB thumb drives that execute automatically, while others connect their laptops directly to the machine.

Once the command to dispense the cash is given, most machines are capable of spitting out over a thousand quid a minute. Ostensibly, the machines targeted by hackers—those not located inside of banks or heavily-trafficked areas—aren’t filled to capacity.

The malware discovered by Netskope has been dubbed “ATMjackpot,” which is not to be confused with the hacking group by the same name (the researchers say there’s no apparent connection). Last year, the ATMjackpot crew published several instructional YouTube videos demonstrating how cash machines could be hacked using software known as Cutlet Maker, which at the time was being sold on the darknet marketplace Alphabay for around $5,000 (£3,514).

Jackpotting attacks are more common in Asia and Europe but recently spread to the United States. In February, the US Department of Justice unveiled charges against a Massachusetts resident and a Spanish national, a pair accused of carrying out multiple jackpotting attacks across New England. Upon his arrest, one of the attackers was found with more than $9,000 (£6,324) in $20 bills in his possession.

Jackpotting almost always requires physical access to the cash machine, though remote attacks have been proven possible.

During remote attacks, cyber criminals typically work from a safe distance while cash mules are used to pick up and transport their earnings. This method, while invariably safer for the hackers, is far more complex than those involving physical tampering. Absent some gaping security hole at the bank, remotely infecting a cash machine requires access to a bank employee’s credentials, generally obtained via email phishing or social engineering attacks.

For more details about the ATMjackpot malware, read Netskope’s technical report.


More Security Posts: