The Federal Bureau of Investigation has issued a warning about rising nationwide incidents of “ATM jackpotting,” in which criminals hack into ATM machines to steal funds, the agency said in a Feb. 19 Flash alert.
To hack ATMs, criminals deploy jackpotting malware. This includes the Ploutus family of malware, which exploits a software layer in ATMs called eXtensions for Financial Services (XFS).
XFS instructs the ATM on what physical action it must take, such as dispensing cash. During a legitimate transaction, the ATM sends instructions via XFS to banks for authorization to release cash. However, if a threat actor gains the ability to issue their own commands to XFS, as Ploutus does, they can bypass bank authorization.
“Once Ploutus is installed on an ATM, it gives threat actors direct control over the machine, allowing them to trigger cash withdrawals,” the FBI stated in the alert.
“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.”
The FBI listed several indicators of compromise and technical details of ATM jackpotting, and encouraged organizations to implement recommended mitigation measures to counter the threat. They include physical security actions, such as installing threat sensors and ensuring that ATMs are properly monitored with surveillance systems; hardware security measures, such as configuring security settings to automatically shut down if a jackpotting attempt is detected; and a number of logging, auditing, network security, and threat intelligence measures.
The individuals were charged for “their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States,” the Justice Department stated.
“Eighty-seven others have already been charged, bringing the total to 93 charged defendants,” it stated.
Card Skimming
While the jackpotting scheme targets ATM machines and the banks that fund them, officials have warned about scams involving ATMs that specifically target customers.
In card skimming, criminals attach a device to a card reader or payment terminal. When someone uses their card at a reader or terminal, skimming devices enable threat actors to steal card information, such as credit card numbers, CVV codes, expiration dates, and PINs.
Law enforcement agencies have seen a “nationwide increase” in skimming activities, especially targeting electronic benefits transfer (EBT) cards, the Secret Service said.
“EBT fraud targets the nation’s most vulnerable communities. Each month, money is deposited into government assistance accounts intended to help families pay for food and other basic items. This enables criminals who steal card information to time their fraudulent withdrawals and purchases around the monthly deposits,” the Secret Service stated.
“Criminals often steal EBT and other payment card numbers by installing illegal skimming devices on ATMs, gas pumps, and merchant point-of-sale terminals.”
People who use crypto ATMs are also at risk of being defrauded.
Victims of crypto ATM fraud were duped via government impersonation scams, fraudulent investment schemes, and tech support scams, according to the report.







