As long as there are ATMs, hackers will be there to drain them of money. And while ATM-targeted “jackpotting” malware—which forces machines to spit out cash—has been on the rise for several years, but a recent variant on the scheme takes that concept literally, turning the machine’s interface into something like a slot machine. One that pays out every time.
As detailed by Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a “popular” ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot, it’s easy enough to plug into a USB port. Once activated, the malware replaces the ATM’s standard display with four buttons labeled “SPIN”—one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)
“These people do have a sense of humor and some spare time.”
Konstantin Zykov, Kaspersky Lab
Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical variations on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware, dating back to 2016, called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, although rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for “OK.”
The similarities are a feature, not a bug. “The latest versions of ‘cashout’ ATM software contain only small improvements compared to previous generations,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “These improvements allow the criminals to automate the jackpotting process because time is critical for them.”
That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker “is not usually found in other kinds of malware,” Zykov says. “These people do have a sense of humor and some spare time.”
After all, ATMs are, at their core, computers. Not only that, they’re computers that often run outdated, even unsupported versions of Windows. The primary barrier to entry is that most of these efforts require physical access to machine—one reason ATM malware hasn’t become more popular in the United States, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.
But WinPot and Cutlet Maker share an even more important trait than waggery: Both have been available for sale on the dark web. Kaspersky found that one could purchase the latest version of WinPot for as little as $500. That’s unusual for ATM hackers, who have historically kept their work closely guarded.
“More recently, with malware such as Cutlet Maker and WinPot, we see this attack tool is now commercially for sale for a relatively small amount of money,” says Numaan Huq, senior threat researcher with Trend Micro Research, which teamed up with Europol in 2016 for a comprehensive look at the state of ATM hacking. “We expect to see an increase in groups targeting ATM machines as a result.”
WinPot and Cutlet Maker represent only a slice of the ATM malware market. Ploutus and its variants have haunted cash machines since 2013, and can force an ATM to spit out thousands of dollars in mere minutes. In some cases, all a hacker needed to do was send a text message to a compromised device to make an illicit withdraw. Typukin Virus, popular in Russia, only responds to commands during specific windows of time on Sunday and Monday nights, to minimize the chances of being found. Prilex appears to have been home-grown in Brazil, and runs rampant there. And on and on.
Stopping this sort of malware is relatively easy; manufacturers can create a whitelist of approved software that the ATM can run, blocking anything else. And device control software can prevent unknown devices—like a malware-carrying USB stick—from connecting in the first place. Then again, think of the last bodega ATM you used, and how long it’s been since it got any kind of updates.
So expect ATM hacking to only get more popular—and more farcical. At this point, it’s literally fun and games. “Criminals are just having fun,” says Zykov. “We can only speculate that since the malware itself is not that complicated they have time to spend on these ‘fun’ features.”
More Great WIRED Stories
- [LLODO] Michigan state Dem pepper-sprayed, charged with DUI, resisting arrest, weapons possession: report
- [LLODO] Head of NYC’s posh Dalton School leaving at the end of 2021
- [LLODO] Chilling video captures moment a love triangle erupts in murder, revenge in NYC
- [LLODO] NYPD officers hit with Molotov cocktail and liquid chemical in face, police say
- [LLODO] California group files federal civil rights complaint over San Diego school district’s ‘racist’ teachings
- [LLODO] Podcast helped in hunt for 1996 killer of California student
- [LLODO] National weather forecast: Parts of Northeast could see more than a foot of snow
- [LLODO] Cuomo boasts he ‘invented’ NYS-scented hand sanitizer, faces no questions over scandals
- [LLODO] Teacher who decried NYC school’s ‘indoctrination’ put on remote work: ‘Feels like punishment’