ATM cash-out attacks

This Info Note reviews ATM cash-out attacks and the weaknesses that this may reveal from the financial services industry.

September 05, 2018


It has been a challenging year for the financial services industry and ATM manufacturers with an increasing number of incidents and variants of cash-out attacks. Jackpotting - also known as “black box attack” - refer to attacks in which an ATM is manipulated to dispense all its cash, similar to a slot machine after a jackpot in a casino, is reportedly increasing since the beginning of the year. Last week, law enforcement authorities notified financial services institutions on the threat of coordinated logical attacks on ATMs known as “ATM cashouts”. Furthermore, the recent attack to Cosmos bank in India - attributed to the North Korean Lazarus group – although not considered a typical jackpotting attack, reveals that ATM infrastructure of certain financial services entities is still vulnerable, particularly to logical attacks. This Info Note reviews ATM cash-out attacks and the weaknesses that this may reveal from the financial services industry.

Contextual Information

ATMs continue to be a profitable target for criminals, who use various methods to generate illegal revenue. While some rely on physically destructive methods through the use of metal cutting tools, others choose malware infections, enabling them to manipulate cash dispensers from the inside.

Criminals use different tools and techniques (physical, logical or combined) to access ATMs “black box” and bypass all security controls forcing the cash-out of all its money. With some exceptions, each ATM has the same functionality, a cash dispensing mechanism that is controlled by an operating system using a personal computer (PC) and therefore, exposed to risk from logical attacks. Malware attacks, a sub-category of these logical attacks, are becoming increasingly popular among cyber criminals.

Examples of tools used in Jackpotting attacks

Endoscope - Narrow, tube-like medical devices with cameras on the ends typically used to see inside the human body. Used by fraudsters to see inside the ATM and locate vulnerable points.

Tyupkin malware - Piece of malware that allows attackers to empty the ATM cash cassettes via direct manipulation. Firstly identified by security researchers in 2013 as Backdoor.MSIL.Tyupkin, affecting ATMs from a major manufacturer running Microsoft Windows 32-bit.

Ploutus.D malware Identified by the filename of “AgilisConfigurationUtility.exe”, is one of the most advanced ATM malware families, discovered for the first time in Mexico in 2013. This malware once installed via USB port, allows criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message.

Cutlet Maker, c0decalc and Stimulator in a malware tool kit - Malware kit designed with the help of an ATM vendor specific API, the news media reported. To operationalize an attack using this kit, criminals need to gain direct access to the ATM’s insides and reach one of the USB ports, which is used to upload the malware. The c0decalc generates a password to guarantee the copyright of the malware author. The Stimulator retrieves the status information of specific vendor ATM cash cassettes (such as currency, value and the amount of notes).

Examples of techniques used in Jackpotting attacks:

ATM’s hard drive manipulation:

  • Fraudsters dressed as ATM technicians or through an onsite “money mule” replace the ATM hard drive with a new one (possibly using a malware-laden thumb drive), to enable unauthorized dispense commands to the cash dispenser unit.
  • Optionally, ATM’s hard drive can be removed, infected with malware, and reinserted instead of being replaced with an attacker-supplied hard drive.
  • In addition, sensors are manipulated using an endoscope to fool the authentication system. This way, encrypted communication protocols are bypassed in the attack.

Black Box Attack:

  • Fraudsters dressed as technicians disconnect the ATM PC or “black box” disabling logical security measures.
  • An endoscope is used to look inside the ATM and locate the internal portion of the cash machine where a cord can be attached, allowing the synchronization between the criminal’s laptop and the ATM’s computer.
  • The ATM is switched back to ON with the malware already installed and running on the machine’s background, waiting for instructions from the ATM keyboard to dispense the cash.


  • Fraudsters install a device tampering the communication line between the ATM PC or “black box” and the dispenser unit. In most cases a serial RS232 or USB connection.
  • The malware fakes the host responses to withdraw money without debiting the fraudster’s account.

What makes these attacks interesting for certain criminals is the low technical knowledge required to execute. There are plenty of tutorials and step-by-step guides available on the dark web to make things easier for them. Still, these attacks require a certain level of physical access to the ATM and criminal’s identity exposure to pull it off. Criminals can steal money from ATMs using less complicated methods than jackpotting. There are remote attacks that do not rely on physical access to the inside of the ATM, that the recent Cosmos bank incident is a good example.

Malware injected into the ATM network

Attackers are also infecting ATMs with malware through the Financial Institutions networks. Once an attacker gains access to a bank’s network, they can install malware from a remote location transforming the ATM into a slave machine. The final stage would be for the attacker to send instructions directly to the ATM, command it to dispense the money, and order a mule to collect it.

Cosmos Bank ATM Heist

Early this month, an attack attributed to the North Korean-linked Lazarus Group was responsible for stealing US $13.5 million from India's Cosmos Bank in an aggressive attack that has exposed limitations in the measures banks use to defend against targeted cyber threats. It is still unclear how the threat actors managed to initially infiltrate the bank's network. According to a security research, based on how this threat actor typically operates, the attackers broke in via a spear-phishing email and then moved laterally, within the bank's network, compromising the institution's ATM infrastructure.

This was not the typical basic card-not-present (CNP) or jackpotting attack. The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the four main layers of defence per Europol ATM attack mitigation guidance. Following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch (MPS). As a result, the details sent from payment switch to authorize transaction were never forwarded to the Core Banking Solution (CBS) so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed. Instead, the request was handled by the MPS deployed by the attackers sending fake responses authorizing transactions.

FBI warns financial institutions on a global ATM cash-out scheme

The news media reported that, the Federal Bureau of Investigation (FBI) is warning financial institutions that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out”. The FBI associated the scheme to the hacking of a bank or payment card processor and the use of cloned cards at cash machines around the world. This technique would allow the fraudulent withdraw of millions of dollars in just a few hours. The warning was issued just few days before the Cosmos Bank heist but concerns over replicas are still eminent.


Recommendations for ATM operators and Financial Services Institutions

  • Implement EMV security standards. EMV is a payment method based upon a technical standard for smart payment cards (also called chip cards or IC cards) and for payment terminals and automated teller machines that can accept them.
  • Review the physical security of ATMs and consider investing in quality and robust physical security solutions and ATM security alarm.
  • Secure the top compartment (top box) of an ATM which contains the PC. This area should be secured by an intruder alert to prevent unauthorised opening, or the access lock to the top box should be changed to avoid the usage of default master keys provided by the manufacturer.
  • Implement special security solutions designed for self-service terminals. Solutions that keep ATMs software up-to-date through a smart ATM security management program. Consider including other equipment connected to the ATM such as network devices and modems in the security management program.
  • Proactively report to law enforcement authorities of any unusual amount withdrawals on specific units.
  • Use of real time fraud detection system or artificial intelligence software to spot ATM theft, money laundering and other financial crimes.
  • Hardened the PC operating system security policies to prevent abuse of privileges, default accounts, installation of malicious software, and unauthorised access to resources like USB ports/CDs/DVDs/hard disks.
  • Set the BIOS to boot only from the ATM hard drive.
  • Disable the booting from removable media by default in any device related with ATM.
  • Block the use of unknown USB devices by default in any device related with the ATM.
  • Ensure that the AUTORUN has been fully and effectively disabled in any device related with the ATM.
  • Deploy hard disk encryption to prevent unauthorised changes to the content of the hard drive.
  • Implement strong password requirements and two-factor authentication using a physical or digital token when possible for local ATM administrators. Consider robust password management policies. Best practice indicates that these passwords should be as complex as the BIOS can support.
  • Limit the use of unapproved applications to block the execution of malware.
  • Define a policy establishing secure and regular software updates for all software installed on devices related with the ATM.
  • Monitor for encrypted traffic traveling over nonstandard ports.
  • Monitor for network traffic to regions where outbound connections from the financial institution do not normally occur.
  • Configure the system to only accept initial communications requiring authentication at the cash dispenser. e.g. by physical access to the safe. This can prevent unauthorised devices from sending commands to the cash dispenser.
  • Define rules to inhibit the circumvention of communication’s protection e.g. by rolling back firmware, or by replaying messages.
  • Establish a firewall to restrict all inbound communication to the ATM.
  • Apply communication authentication and encryption protections to all ATM network traffic. The recommendation is to use TLS 1.2 or a VPN, and by implementing MACing to provide cryptographic authentication of sensitive messages.

Recommendations for on-premise ATM operators

  • Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
  • Regularly check the ATM for signs of attached third-party devices (skimmers).
  • Be on the lookout for social engineering attacks by criminals who may be masquerading as ATM technicians.
  • Implement intruder alarms and act accordingly by notifying law enforcement authorities of any potential breach.
  • Consider filling the ATM with just enough cash for a single day of activity.

Closing Remarks

The first publicly known ATM exploit was presented to the world at the 2010 Black Hat Conference. Years later, fraudsters and their money mules became reportedly active in jackpotting attacks, encouraged by ATM operators' slow adoption of EMV technology, lax physical security, poor monitoring and maintenance. Information describing the tools and techniques required to conduct these crimes also became widely available on the dark web. All these factors created the ideal environment for this criminal activity to flourish. Still, there is a certain level of risk for fraudsters since it requires physical presence to conduct the attack. ATM network-based attacks is the next best technique for fraudsters to cash-out more securely and efficiently. The recent Cosmos incident demonstrates that it’s possible for criminals to steal large quantities of money from ATMs in just a few hours, without leaving a trace.

The TTP (tactics/tools, techniques and procedures) used by criminals in ATM network-based attacks are very similar to the ones used on other type of targets in a cyberattack. Moreover, cyber threats and security recommendations that typically apply to corporate networks are also valid for ATMs.

In the realm of these recent security incidents, security managers from financial services institutions should consider extending their corporate network security measures to ATM networks as a matter of priority, mitigating the risks of exposure to these devastating ATM cash-out attacks.

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies