In July 2016, ATM hackers in Taiwan raked in more than $2 million using a new type of malware attack that manipulated machines into spitting out tons of cash. The method, dubbed "jackpotting," quickly spread across parts of Asia, Europe, and Central America, resulting in tens of millions of dollars of stolen cash. By November 2016, the FBI issued a warning that "well-resourced and organized malicious cyber actors have intentions to target the US financial sector" using this approach. But it took a year for the attack to arrive stateside.

This week, the Secret Service began warning financial institutions about a rash of jackpotting attacks across the US, and the threat that more could be coming. In a jackpotting attack, hackers—often dressed as technicians to deflect suspicion—penetrate an ATM's physical and digital security, install malware, establish remote access, and set it up to display an out-of-order screen. With those hardware and software modifications in place, another attacker can approach the compromised ATM and stand with a bag while co-conspirators remotely instruct it to dispense cash. In past incidents, law enforcement observed a cashflow rate of 40 bills every 23 seconds.

Coming to America

So far, jackpotting attacks in the US have largely targeted standalone ATMs—like the ones you might see at pharmacies or big box stores—and have already cropped up in numerous regions including the Pacific Northwest, New England, and the Gulf. ATM manufacturers, financial institutions, and law enforcement agencies are now scrambling to defend the 400,000 ATMs in the US against further jackpotting attempts—and to figure out what took it so long to get here.

"While there is no way to give a definitive answer, there are two predominant schools of thought," says Secret Service special agent Matthew Quinn. "First, financial fraud is cyclical. Attack one region, locally or globally, and move on before apprehension or after law enforcement exposure. The second often revolves around ease of entry. Organized transnational criminal groups may first target a region with less law enforcement presence and less restrictive means of entry."

The US has extensive law enforcement capabilities, making other countries, particularly developing nations, safer training grounds for perfecting malicious techniques. But recently jackpotting has been slowly easing into the US. Krebs on Security, which first reported on the Secret Service advisory earlier this week, also notes that there were some preliminary jackpotting attacks in Wyoming in November.

The physical access component is crucial to why there haven't been more jackpotting attacks in the US, according to Daniel Regalado, principal security researcher at the Internet of Things defense firm ZingBox. "In the context of developing countries, it's easy to open up the box. No one is going to spot you or it's easy to bribe the cops. Physical access is not a problem," says Regalado, who has tracked jackpotting malware for years. "When you come to the US things are different. In five minutes the cops are going to arrive, or they are already tracking you from a previous jackpot."

ATM security is also stronger in the US than in some countries, because banks can afford to regularly upgrade their devices with new hardware and software protections. The ATMs attackers have hit in the US so far all appear to be old models made by Diebold Nixdorf. And Regalado notes that when companies replace ATMs in moneyed countries, they often sell the old models to developing nations—another reason jackpotting is easier outside the US.

The malware attackers have been using in these recent attacks, known as "Ploutus.D," originated in Latin America and does have other variants that can target more recent models of ATMs from vendors beyond Diebold. But Regalado is skeptical that jackpotting will truly take off in the US. "I don't understand to be honest why they're coming to the US when it's so much harder to do the attacks than what they've been doing in other countries," he says. "A jackpot in the US is definitely better than one in an ATM in Mexico or another Latin American country, because the currency is worth more. But there's a big risk of getting caught."

Cashing Out

Nonetheless, US ATM security isn't stellar, even if it is above average. "Jackpotting is nothing new. The manufacturers play cat and mouse, but still haven't been able to fix it," says David Kennedy, the former chief security officer of Diebold, who now runs the corporate security consulting firm TrustedSec. "ATM manufacturers should be protecting the product they sell, but also most of the security enhancements to ATMs are removed by banks or they won't pay for additional security on the devices. Most banks treat ATMs as standalone devices with few security controls."