As long as there are ATMs, hackers will be there to drain them of money. Although ATM-targeted “jackpotting” malware—which forces machines to spit out cash—has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine’s interface into something like a slot machine. One that pays out every time.
As detailed by Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a “popular” ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot, it’s easy enough to plug into a serial port.
Once activated, the malware replaces the ATM’s standard display with four buttons labeled “SPIN”—one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)
“These people do have a sense of humor and some spare time.” Konstantin Zykov, Kaspersky Lab
Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical versions on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, though rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for “OK.”
The similarities are a feature, not a bug. “The latest versions of ‘cashout’ ATM software contain only small improvements compared with previous generations,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “These improvements allow the criminals to automate the jackpotting process because time is critical for them.”
That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker “is not usually found in other kinds of malware,” Zykov adds. “These people do have a sense of humor and some spare time.”
After all, ATMs at their core are computers. Not only that, they’re computers that often run outdated, even unsupported versions of Windows. The primary barrier to entry is that most of these efforts require physical access to machine, which is one reason why ATM malware hasn’t become more popular in the US, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.
But WinPot and Cutlet Maker share an even more important trait than waggery: Both have been available for sale on the dark web. Kaspersky found that one could purchase the latest version of WinPot for as little as $500. That’s unusual for ATM hackers, who have historically kept their work closely guarded.
“More recently, with malware such as Cutlet Maker and WinPot, we see this attack tool is now commercially for sale for a relatively small amount of money,” says Numaan Huq, senior threat researcher with Trend Micro Research, which teamed up with Europol in 2016 for a comprehensive look at the state of ATM hacking. “We expect to see an increase in groups targeting ATM machines as a result.”
WinPot and Cutlet Maker represent only a slice of the ATM malware market.
Ploutus and its variants have haunted cash machines since 2013, and can force an ATM to spit out thousands of dollars in mere minutes. In some cases, all a hacker needed to do was send a text message to a compromised device to make an illicit withdrawal.
Typukin Virus, popular in Russia, only responds to commands during specific windows of time on Sunday and Monday nights, to minimize the chances of being found.
Prilex appears to have been homegrown in Brazil, and runs rampant there. It goes on and on.
Stopping this sort of malware is relatively easy; manufacturers can create a whitelist of approved software that the ATM can run, blocking anything else. Device control software also can prevent unknown devices—like a malware-carrying USB stick—from connecting in the first place. Then again, think of the last bodega ATM you used, and how long it’s been since it got any kind of updates.
So expect ATM hacking to only get more popular—and more farcical. At this point, it’s literally fun and games. “Criminals are just having fun,” says Zykov. “We can only speculate that since the malware itself is not that complicated they have time to spend on these ‘fun’ features.”