Cybercriminals have found a new way of “jackpotting” ATMs that is forcing the machines to “spit out” cash in several European countries, warned Diebold Nixdorf, the world’s largest ATM manufacturer.
For those unaware, Diebold is one of the top players in the ATM market, which earned $3.3 billion in sales, which includes both selling and servicing machines globally, from its ATM business last year.
In a security alert issued on July 15, 2020, Diebold said that cybercriminals are using a “black box” that they believe contains parts of the company’s proprietary software to illegally exfiltrate money from ATMs across Europe. The black box takes control and issues dispense commands to the ATM, which is obeyed dutifully.
The North Canton, Ohio-based company says the new attack targets the company’s ProCash line terminals, particularly the ProCash 2050xs USB model, with the attackers connecting to the device via USB ports to facilitate thefts.
In general, Jackpotting refers to a category of attacks aiming to dispense cash from an ATM illegitimately. The black box variant of jackpotting does not utilize the software stack of the ATM to dispense money from the terminal. Instead, the fraudster connects his own device, the “black box” to the dispenser, and targets the communication to the cash-handling device directly.
“In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands,” reads the security alert.
“Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM. The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc.”
The company has not specified how much cash has been stolen, or how many attacks have taken place, nor how many of ProCash models of ATMs are in operation. However, the good news is that there is no evidence of cybercriminals using the jackpotting method to retrieve personal banking information of cardholders.
To mitigate the risks of attacks against its ATM, Diebold suggests its terminal operators to limit physical access to the ATM, implement protection mechanisms for cash modules, implement hardening of the Software Stack, and set up additional countermeasures such as alarms to detect top hat access, interrupted connections to the dispenser, real-time monitoring and more.
