Jackpotting, an older ATM theft technique, could show security operations teams what to look out for in Internet of Things (IoT) attacks more generally, and even in voting machine vulnerabilities.

The technique drew wide attention in the U.S. in 2018, when Brian Krebs reported the first confirmed jackpotting attacks against American ATMs (the method itself had been demonstrated at security conferences years earlier). Jackpotting, Krebs explains, is “a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand.”

The targets were usually stand-alone ATMs, almost always models manufactured by Diebold Nixdorf, an American multinational financial and retail technology company. Criminals needed physical access to the machine. They then used a jackpotting malware called Ploutus.D, delivered through hardware attached to the ATM, to take over the machine's PC. When done right, jackpotting offered a very large and very fast payout, like a slot machine gone wild, but with paper money instead of quarters.

While jackpotting does happen in the United States, this type of cyber theft is more common in Europe and Asia, where ATMs tend to be less well protected. Still, it is a complicated crime to commit: the attacker has to be physically at the machine both to set up the attack and to collect the cash. Cash is the obvious draw, but even where law enforcement is thin on the ground, why do criminals make the effort?

It boils down to out-of-date operating systems on the ATM's embedded PC. It is not uncommon to find unsupported Windows versions on ATMs (or on other internet-connected devices). Windows XP, retired by Microsoft in April 2014, is still common in this space, and an unpatched PC whose ports are reachable once the cabinet is open is an easy host for malware such as Ploutus.D. Once a machine is compromised, the operators stay in the background and rely on cash mules to collect the money.

Jackpotting malware has also grown into families: the related WinPot and Cutlet Maker have both been offered for sale on dark web markets for a few hundred dollars.

Jackpotting’s New Twist

In cybersecurity years, 2018 was a long time ago. Jackpotting is still around, but it has evolved into more sophisticated and dangerous forms. Two years ago it was about planting malware on the ATM's PC and turning the machine into a personal slot machine. Today, criminals are going after the ATM vendor's own software.

After a recent rash of jackpotting attacks in Europe, a Diebold Nixdorf formal statement notes, “Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed. Although the fraudster is still connecting an external device, at this stage of our investigations it appears that this device also contains parts of the software stack of the attacked ATM.”

In other words, the attackers' device carries pieces of Diebold Nixdorf's own proprietary software, which lets it talk to the cash dispenser the way the legitimate ATM software would.

“The black box variant of jackpotting does not utilize the software stack of the ATM to dispense money from the terminal. Instead, the fraudster connects his own device, the black box, to the dispenser and targets the communication to the cash-handling device directly,” the Diebold Nixdorf release adds.

As Ars Technica reports, the good news is that, so far, the new jackpotting attack isn't stealing card data, just cash. The bad news, with much farther-reaching implications, is that “attackers appear to have their hands on proprietary software that makes attacks more effective.”
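The black box description above is easier to reason about with a model in front of you. The following is an added example written for this article, not code from Diebold Nixdorf, Ars Technica or any real ATM; the wire protocol, the command bytes, the pairing key and the note counts are all constructed for illustration and do not describe any vendor's dispenser interface. It contrasts a dispenser that honours any command arriving on its cable (the classic black box target) with one that only executes a dispense carrying an HMAC over a single-use challenge, and then shows why a black box that also carries the ATM's own software stack and its secret gets through anyway.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Toy wire protocol between the ATM's PC core and its cash dispenser.
# Constructed for this example; it is NOT the Diebold Nixdorf protocol
# or any real XFS/dispenser firmware interface.
CMD_NONCE = b"N"      # PC core asks the dispenser for a fresh challenge
CMD_DISPENSE = b"D"   # b"D" + note count (1 byte) [+ 32-byte HMAC tag]
TAG_LEN = 32


class LegacyDispenser:
    """Dispenser that trusts whatever is plugged into its cable.
    Unplug the PC core, plug in a black box, and every command is honoured."""

    def __init__(self, notes_in_cassette: int) -> None:
        self.notes = notes_in_cassette

    def handle(self, frame: bytes) -> bytes:
        if frame[:1] == CMD_DISPENSE and len(frame) == 2:
            count = frame[1]
            if count > self.notes:
                return b"ERR_EMPTY"
            self.notes -= count
            return b"OK"
        return b"ERR_CMD"


class AuthenticatedDispenser:
    """Dispenser that executes a dispense only when it carries an HMAC over a
    single-use nonce the dispenser itself issued. The key is assumed to be
    shared with the PC core during a pairing step (assumption of this toy)."""

    def __init__(self, notes_in_cassette: int, key: bytes) -> None:
        self.notes = notes_in_cassette
        self._key = key
        self._nonce: Optional[bytes] = None  # outstanding challenge, if any

    def handle(self, frame: bytes) -> bytes:
        if frame[:1] == CMD_NONCE:
            self._nonce = os.urandom(16)
            return self._nonce
        if frame[:1] == CMD_DISPENSE and len(frame) == 2 + TAG_LEN:
            if self._nonce is None:
                return b"ERR_NO_CHALLENGE"
            count, tag = frame[1], frame[2:]
            expected = hmac.new(self._key, self._nonce + bytes([count]), hashlib.sha256).digest()
            self._nonce = None  # one challenge, one attempt: a sniffed frame cannot be replayed
            if not hmac.compare_digest(tag, expected):
                return b"ERR_AUTH"
            if count > self.notes:
                return b"ERR_EMPTY"
            self.notes -= count
            return b"OK"
        return b"ERR_CMD"


def pc_core_dispense(dispenser: AuthenticatedDispenser, key: bytes, count: int):
    """What the legitimate software stack does: fetch a challenge, authenticate
    the request, send it. Returns (frame_on_the_wire, dispenser_response)."""
    nonce = dispenser.handle(CMD_NONCE)
    tag = hmac.new(key, nonce + bytes([count]), hashlib.sha256).digest()
    frame = CMD_DISPENSE + bytes([count]) + tag
    return frame, dispenser.handle(frame)


def black_box_attack(dispenser, count: int, captured_frame: bytes,
                     stolen_key: Optional[bytes] = None) -> Dict[str, bytes]:
    """Attacker has unplugged the PC core and talks to the dispenser directly.
    Tries a bare dispense, a replay of a sniffed legitimate frame, and, if the
    black box carries the ATM's own stack and its key, a proper handshake."""
    results: Dict[str, bytes] = {}
    results["bare"] = dispenser.handle(CMD_DISPENSE + bytes([count]))
    dispenser.handle(CMD_NONCE)          # request a challenge (the legacy unit just rejects it)
    results["replay"] = dispenser.handle(captured_frame)
    if stolen_key is not None:
        results["stolen_stack"] = pc_core_dispense(dispenser, stolen_key, count)[1]
    return results


def demo() -> dict:
    key = os.urandom(32)  # pairing secret of the hardened unit (toy assumption)
    legacy = LegacyDispenser(notes_in_cassette=200)
    legacy_frame = CMD_DISPENSE + bytes([40])
    legacy.handle(legacy_frame)          # an ordinary 40-note withdrawal
    hardened = AuthenticatedDispenser(notes_in_cassette=200, key=key)
    hardened_frame, _ = pc_core_dispense(hardened, key, 40)
    return {
        "legacy": black_box_attack(legacy, 40, legacy_frame),
        "hardened": black_box_attack(hardened, 40, hardened_frame),
        "hardened_with_stolen_stack": black_box_attack(
            AuthenticatedDispenser(200, key), 40, hardened_frame, stolen_key=key),
        "legacy_notes_left": legacy.notes,
        "hardened_notes_left": hardened.notes,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Against the legacy unit both the bare command and the replayed frame dispense; against the authenticated unit the bare command is malformed and the replay fails because the challenge it was computed over has already been consumed. The third scenario is the point of the Diebold Nixdorf statement: a black box that carries the ATM's software stack, and with it whatever secret that stack uses to talk to the dispenser, completes the handshake like the real PC core. Command authentication raises the bar for a generic black box, but only as long as the secret stays off the attacker's device, which is why how and where the ATM stores that software matters.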

How Jackpotting Connects to Proprietary Software and Cybersecurity

ATMs are networked embedded devices and, in that sense, part of the IoT. Criminals using Diebold Nixdorf's proprietary software stack as an attack vector should be a wake-up call for IoT in general.

Reports of software-stack jackpotting share one feature: the criminals targeted Diebold Nixdorf cash machines. Why? The simple answer is that Diebold Nixdorf is one of the largest ATM makers and its machines are found all over Europe. More useful to the criminals, though, is that the same proprietary software runs across an entire model line, so a technique that works on one machine works reliably, over and over, on every other machine of that model.

The same goes for IoT devices. Every IoT device used in corporate facilities or in homes (which matters more as millions of people continue to work remotely) runs its manufacturer's proprietary software. That means you may be dealing with dozens of different software systems to protect, patch and update, which is a chore in itself.

If criminals get hold of parts of an IoT device's software stack, they can use it to attack that device more effectively. If the device sits on the corporate network, it becomes an open door. Ten IoT devices in an office could be ten gateways for ten different criminal groups, each with its own agenda.

The Trouble With Voting Machines

It’s not just business data and networks that are at risk. IoT controls smart cities and critical infrastructure, and devices don’t have to be connected to the internet to be targeted. Just as Diebold is a top brand of ATMs, it was once a top maker of American voting machines. Diebold left the voting machine business years ago, but older machines tend to stay in the field.

“It is well known that current voting systems, like any hardware and software running on conventional general-purpose platforms can be compromised in practice,” reports the DEF CON Voting Village in its 2019 report, covered by Wired. “However, it is notable — and especially disappointing — that many of the specific vulnerabilities reported over a decade earlier … are still present in these systems today.”

Expect criminals to keep building on stolen proprietary software to make the next round of attacks easier and more profitable. And be aware that the same tactics can move from ATMs to other IoT devices wherever basic security practice is poor.
