Cash-out Crews Activate ATM Attacks Across the Nation


The NWCUA received credible information that bad actors are activating cash-out crews to attack Diebold frontloading ATMs across the United States in the next 10 days. The attacks specifically target 500 and 700 series ATMs using Ploutus D malware. ATMs running Windows XP are particularly vulnerable. It is recommended that ATMs operate an up-to-date version of Windows 7 to defeat this specific type of attack.

The targeted stand-alone ATMs are routinely located in pharmacies, big-box retailers, and drive-thru ATMs. During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM’s operating system and a mobile device to the targeted ATM. The attackers use an endoscope to obtain access to the ATM’s toggle to sync their laptop computer with the security features of the ATM. This process enabled the fraudsters to control the ATM.

A targeted ATM will appear to be out of service to potential customers. At this point, cash-out crews communicate remotely, controlling the ATMs to initiate the cash withdrawals. In previous Ploutus D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad, or the cassette runs out of cash. The cash-out crew/money mule takes the dispensed cash and places it in a large bag. After the cash is taken from the ATM and the mule leaves, the technicians return to the site and remove their equipment.

In addition to the alert we received above, the NWCUA has been made aware of successful and unsuccessful jackpotting attempts occurring in the Northwest over at least the past month. While most of the attacks have been on Diebold machines, there have also been unsuccessful attacks on NCR machines.

Here are several steps credit unions can take to mitigate the risks associated with ATM jackpotting:

  • If your ATM hood is accessed by a generic key, have the hood re-keyed. In the Diebold attacks, bad actors are using generic keys to access the computer portion of the ATM.
  • Additionally, reinforce your ATMs’ hoods to ensure they cannot be opened easily. In some instances, the bad actors have significantly damaged ATMs trying to access the computer, but were unable to actually access the computer due to the ATM’s hood reinforcement.
  • If your ATM is not already alarmed, contact your security company for alarm installation. It is important to note that the hood/CPU portion and the cash-safe portion of the ATM should be alarmed.
  • If possible, work with your ATM service provider to determine if there is a way to check if the Ethernet cable has been unplugged.
  • Staff should be aware of the vendors that are authorized to access the ATMs and what their vehicles and uniforms look like.
  • Ensure that applicable software patches are updated as necessary.
  • Encrypt the hard drive of the ATM.
  • Contact your insurance provider to determine the amount of coverage your credit union currently has, if more coverage is needed, and if your insurer can recommend any additional risk-mitigation measures.

If you have experienced or suspect jackpotting, please reach out to the appropriate FBI office:

Idaho: Special Agent Chris Sheehan, or 208.914.3827
Oregon: Special Agent Josh Cady, or 503.729.7585
Washington: 206.622.0460

Compliance Question of the Week

What should a credit union do if an IRS refund direct deposit went into an account that doesn’t belong to the intended recipient?

This will depend on where the error occurred. But, in all cases, the person who received the deposit in error is not entitled to the funds.

If the credit union made the error, then per Regulation E, the credit union must correct the error.

If the IRS made the error, the person who filed the tax return needs to contact the IRS customer service at 800.829.1040. The IRS will issue a recall of the direct deposit and send the return filer a new refund by check.

If the filer entered the incorrect routing or account number, the IRS assumes no responsibility for tax preparer or taxpayer errors and will not provide any help in this situation. It is the responsibility of the person filing the return to verify the account and routing number and double check for accuracy.  While the IRS suggests the filer work directly with the respective financial institution to recover the funds, the credit union also has no responsibility for the error. Due to privacy, you are not allowed to provide any information concerning the member whose account the payment went into.  You can possibly work as an intermediary, but ultimately this is a civil issue between the filer and the person whose account they directed the payment to be made to.

Related Links:

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA released its Board Action Bulletin. The bulletin discussed the NCUA’s proposal to modernize the Call Report requirements and asks credit unions for feedback on the proposed changes. The NCUA also approved its 2018-2022 Strategic Plan, which summarizes internal and external factors affecting its various initiatives and sets goals for the next five years.

Consumer Financial Protection Bureau (CFPB)

The CFPB announced that it has published a Request for Information regarding its Civil Investigative Demands.

The CFPB announced that it has finalized changes to its Prepaid Accounts Rule. In addition to the changes, the CFPB has also extended the effective date of the rule to April 1, 2019.

Federal Reserve Board (FRB)

The FRB, jointly with the FDIC and OCC, have released their annual Report to Congress regarding the Differences in Accounting and Capital Standards Among the Federal Banking Agencies.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of January 26, 2018. The last update prior to this was January 25, 2018.

Questions? Contact the Compliance Hotline: 1.800.546.4465;

Posted in Compliance News, Compliance News.