
ATM jackpotting: How does the Ploutus.D malware work?

Ploutus.D malware has recently surfaced in the U.S. in a series of ATM jackpotting attacks. Nick Lewis explains how the attack works and what banks can do to prevent it.

After spreading in other parts of the world, an ATM jackpotting technique named Ploutus.D is starting to pop up across the U.S. How does the Ploutus.D strain of malware make ATM jackpotting possible? What measures can banks take to prevent this from happening to them?

There is a widely held perception that ATMs are secure, but, as the news stories show, that perception does not always match reality.

ATMs are designed to run for years in hostile environments that may not be physically secure and that may go unattended for long stretches of time. They also need to meet the functionality and cost requirements of the many different parties that want an ATM at their location.

ATMs are essentially safes that dispense cash on demand. Building them on Windows and commodity PC hardware has advantages for manufacturers in development and fleet management, but it also lowers the barrier for attackers, who can apply ordinary PC attack techniques to a machine full of cash. From the attacker's viewpoint, ATM jackpotting -- in which the attacker forces the ATM to dispense all its stored cash -- is the most lucrative kind of ATM attack, because the attacker walks away with the cash directly rather than having to monetize stolen card data.

At Black Hat 2010, Barnaby Jack, the New Zealand security researcher who died in 2013, demonstrated ATM jackpotting on stage, and ATM security has been under increased public scrutiny ever since.

While ATM jackpotting attacks had occurred previously outside the U.S., the first such attacks in the U.S. were reported early this year by cybersecurity reporter Brian Krebs, who learned that ATMs manufactured by Diebold Nixdorf were being targeted with the Ploutus.D malware.

The Ploutus.D malware is purpose-built for ATMs and gives the attacker the ability to command the cash dispenser. The attack starts with physical access to the ATM's computer, which typically sits behind the top-hat fascia rather than inside the cash safe. The attacker either replaces the hard drive with one that already carries the malware or infects the existing drive, then connects a keyboard and enters an activation code that unlocks cash dispensing. The variant seen in the U.S. targets the Kalignite multivendor ATM platform and issues its dispense commands through that platform, so the safe itself is never opened; hardening the safe does nothing against this attack if the computer compartment and the boot path are unprotected.

Banks may want to put pressure on manufacturers to improve the security of their devices and to pressure businesses that host ATMs to implement basic security or to use machines with stronger security capabilities. Businesses that already operate ATMs should review the Diebold guidance that Krebs posted; it essentially amounts to basic security hygiene: physically securing the ATMs (including the top-hat compartment where the computer lives, not just the cash safe), running the most recent firmware and software, monitoring the systems, and responding to incidents. In practice that hygiene also means controls such as full-disk encryption and a locked boot order, so that a swapped or modified hard drive cannot simply be booted, and telemetry that can tell the operator when an ATM is dispensing cash with no transaction behind it.
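The mitigation advice above comes down to monitoring and responding. As an added example (not code from this article, from Diebold or from any ATM vendor), the following Python detector runs over constructed ATM endpoint telemetry and flags the steps of the attack chain described above: the cabinet being opened, a keyboard being attached, the disk serial changing at boot, and cash being dispensed with no matching transaction. The log format, the event names, the disk-serial inventory and the ATM identifiers are all assumptions made for this example; real ATM software logs differently.

```python
"""Detect a Ploutus.D-style attack chain in ATM endpoint telemetry.

Added example, not code from the original article or from any ATM vendor.
The one-line key=value telemetry format, the event names and the ATM
identifiers are assumptions made for this example.
"""
import re
from datetime import datetime, timedelta

# Assumed inventory: the hard drive serial each ATM was deployed with.
# A different serial reported at boot suggests the drive was swapped.
KNOWN_DISK_SERIAL = {"ATM-0042": "WD-A1B2C3"}

# Constructed telemetry, not captured from a real ATM. The first three
# lines are the physical-access phase; the next three are dispenses with
# no transaction behind them; the last line is a normal withdrawal.
SAMPLE_LOG = """\
2018-01-27T02:14:03Z atm=ATM-0042 event=cabinet_open sensor=top_hat
2018-01-27T02:15:10Z atm=ATM-0042 event=usb_attach class=HID desc=keyboard
2018-01-27T02:16:40Z atm=ATM-0042 event=boot disk_serial=ST-9Z8Y7X
2018-01-27T02:19:02Z atm=ATM-0042 event=dispense bills=40 txn=none
2018-01-27T02:19:25Z atm=ATM-0042 event=dispense bills=40 txn=none
2018-01-27T02:19:48Z atm=ATM-0042 event=dispense bills=40 txn=none
2018-01-27T09:03:11Z atm=ATM-0042 event=dispense bills=3 txn=8821f0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one telemetry line into a dict; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text, known_serials=KNOWN_DISK_SERIAL,
           access_window=timedelta(minutes=10),
           dispense_threshold=3, dispense_window=timedelta(minutes=2)):
    """Return (atm, alert_kind, timestamp) tuples for suspicious events.

    Alert kinds:
      keyboard_after_cabinet_open  - HID device attached soon after the
                                     computer compartment was opened
      disk_serial_mismatch         - boot reported a drive not in inventory
      dispense_without_transaction - cash left the dispenser with txn=none
      jackpotting_pattern          - dispense_threshold untransacted
                                     dispenses inside dispense_window
    """
    alerts = []
    last_cabinet_open = {}   # atm -> time the cabinet was last opened
    untransacted = {}        # atm -> recent timestamps of txn=none dispenses
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "atm" not in ev or "event" not in ev:
            continue
        atm, kind, ts = ev["atm"], ev["event"], ev["ts"]
        if kind == "cabinet_open":
            last_cabinet_open[atm] = ts
        elif kind == "usb_attach" and ev.get("class") == "HID":
            opened = last_cabinet_open.get(atm)
            if opened is not None and ts - opened <= access_window:
                alerts.append((atm, "keyboard_after_cabinet_open", ts))
        elif kind == "boot":
            expected = known_serials.get(atm)
            if expected is not None and ev.get("disk_serial") != expected:
                alerts.append((atm, "disk_serial_mismatch", ts))
        elif kind == "dispense" and ev.get("txn") == "none":
            alerts.append((atm, "dispense_without_transaction", ts))
            recent = [t for t in untransacted.get(atm, [])
                      if ts - t <= dispense_window]
            recent.append(ts)
            untransacted[atm] = recent
            # Fire once, when the run first reaches the threshold.
            if len(recent) == dispense_threshold:
                alerts.append((atm, "jackpotting_pattern", ts))
    return alerts


if __name__ == "__main__":
    for atm, kind, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {atm}  {kind}")
```

The untransacted-dispense rule is the one that matters most operationally: a legitimate ATM only pays out against a host-authorized transaction, so any dispense the host did not authorize is a strong signal regardless of how the malware got onto the machine. The physical-access rules give earlier warning but depend on sensors and USB auditing the ATM may not have.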

