Jackpotting: How to draw lots of Money from an ATM without Credit Cards

Hacking (in this case, cracking) ATMs is nothing new: there are various techniques and methods to clone users’ cards to steal their information, or to access the system from the computer.

 

This is the case with jackpotting, a technique that recently resurfaced and allows ATMs to be emptied using malware. Recent investigations reveal that it is becoming a worldwide problem.

 

This method caused great commotion back in 2017, when ATMs in different parts of Germany were dispensing real money, causing banks to lose millions. Hackers made over a million euros.

 

Back then, a bank employee noticed what was happening with the ATMs in Freiburg, Germany. He got there and saw on the touch screen an image of a chef cooking a piece of meat and a message saying “Ho-ho-ho! Let’s make some cutlets today”. This was, apparently, a Russian play on words in which pork chop is used as a synonym for a pack of bills.

 

What happened?

 

 

And no, this is not the rise of the machines: the ATM was infected with malware called Cutlet Maker, designed with the sole purpose of causing an ATM to release all the money stored in it.

 

A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) uncovered details of the malware that started a series of attacks in Germany.

 

Infection with the malware causes the ATM to “spit out” all the money it stores, with no need for a stolen credit card. The first attacks were in Europe, but in recent years more and more incidents have been recorded in the USA and Latin America.

 

To bypass restrictions, the cyber criminals introduce malware into the ATM to trick it into releasing the cash, and no credit card is required. Hackers usually install the malware by physically opening a panel in the ATM and using the USB port to upload the infected files. With this technique, hackers have also stolen money in Mexico and the US in recent years.

 

To perform the attacks, it is necessary to physically access the ATM. Some hackers have posed as maintenance officers so they can work undisturbed. They have to install malware in the system using specialized electronic components, which lets them control the ATM’s operations so they can extract the money at a steady rate of 40 bills every 23 seconds, until it is empty.

 

 

Because of this complexity, some attackers use endoscopes to locate the internal component of the ATM to which they connect and load the malware. It is not that simple, but the reward has made it worth it to many.

 

Experts claim that implementing security measures to prevent this initial physical contact could stop the attack altogether. In addition, the problem affects banks and ATM manufacturers across the entire industry; many ATMs use obsolete operating systems like Windows NT or Windows 7. At times, though, cyber criminals have shown that it is not such a complex process.

 

As a matter of fact, at the annual Black Hat cyber security conference in 2010, the late researcher Barnaby Jack showed live on stage how this takes place with his own version of the malware, leaving everyone shocked. Now, similar attacks have taken place in German cities.

 

The research from Motherboard and BR, in which most of the sources were anonymous, revealed that jackpotting is becoming a pandemic that steals millions of euros in a few attacks.

 

Thiago Marques, a researcher at Kaspersky Lab, explains that Ploutus, one of the best-known versions of the malware, has been active since 2013 and has caused more than 64 million dollars in losses. On the other hand, Christoph Hebbecker, a German lawyer, claims that the author of the German attacks in 2017 is the same criminal group.

 

Jackpotting does not affect only one bank or the ATMs of a specific maker; they are all susceptible to being attacked with Ploutus. According to the investigation, this is because ATMs have a big issue that makes them vulnerable: old Windows computers.

 

Moreover, an anonymous source points out another issue in dealing with jackpotting: those affected do not wish to go to the police. A report from last year states that incidents involving this malware fell by 43%, but the anonymous expert highlights that this information only concerns Europe.

 

Selling this malware on the dark web is a lucrative business, and some people are willing to pay tens of thousands to have these virtual weapons; jackpotting is no exception.

 

“Criminals are selling this malware to anyone”, says David Sancho, main threat researcher at the cyber security company Trend Micro, who works with Europol.

 

“This can potentially affect any country around the world”, added Sancho.

 

Motherboard contacted one of the cyber criminals selling this malware; the offer, which cost 1,000 dollars, included an installation manual and instructions for finding out how much money the ATM holds.

 
