Black box attacks, otherwise known as jackpotting, first appeared in Western Europe in 2015 and in Mexico years earlier. The logic-based technique targets ATM cash reserves and forces compromised machines to dispense cash uncontrollably.
Drills or other tools that expose the inner workings of an ATM are often used to connect the machine to a laptop or similar device. Vulnerabilities are then exploited -- often made possible when ATM operating systems are outdated or unpatched -- allowing for brute-force attacks against the system.
On Saturday, Krebs on Security reported that NCR had sent out an advisory to customers after receiving warnings from the Secret Service and others related to the appearance of jackpotting attacks in the United States.
"While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue," the NCR alert, sent on 26 January, reads. "This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences."
According to a Krebs source close to the matter, criminal gangs are using Ploutus.D malware to compromise ATMs.
Ploutus.D, first spotted in Mexico back in 2013, interacts with ATM operating systems used by manufacturer Diebold Nixdorf -- but a few tweaks expand the malware's reach beyond this vendor.
Once the top portion of an ATM is open and another device is connected, the advanced malware can be used to force the ATM to dispense money. With the malware installed, criminals can operate the ATM remotely and send money mules to pick up the proceeds -- keeping their own identities hidden from surveillance cameras.
FireEye estimates that a money mule using Ploutus.D can obtain "thousands of dollars in minutes," a prediction backed up by the NCR alert, which says compromised ATMs may release up to 40 bills every 23 seconds.
According to Krebs on Security's source, Diebold Nixdorf is still the malware's target, with attacks specifically impacting Opteva 500 and 700 series models. These models are no longer being produced but are still in circulation.
In the past 10 days, criminals have compromised these machines by dressing as technicians in a set of coordinated attacks. Further attacks may be on the horizon.
"During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM's operating system along with a mobile device to the targeted ATM," the advisory reads.