As long as there are ATMs, hackers will be there to drain them of money. And while ATM-targeted "jackpotting" malware (which forces machines to spit out cash) has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine's interface into a slot machine. One that pays out every time.
As Kaspersky Lab explained, the malicious WinPot program affects what security researchers describe only as a "popular" ATM brand. To install WinPot, a hacker needs physical or network access to a machine. If you make a hole in the right place, it's pretty easy to plug into a USB port. Once activated, the malware replaces the ATM's standard display with four buttons labeled "SPIN," one for each cassette, the cash-dispensing containers within an ATM. Under each of these buttons, it shows the number of bank notes in the given cassette, as well as the total value. Press SPIN, and the money comes out. Press STOP, well, you know. (But at that point, ATM cyberthief, why would you?)
Kaspersky began tracking the WinPot malware family last March and has seen some technical variations on the theme. In fact, WinPot appears to be a variant in its own right, inspired by a very popular malware program dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of the ATMs it targeted, although, rather than the slot motif, it used the image of a stereotypical chef winking and making the hand gesture for "OK".
Similarities are a feature, not a bug. "The latest versions of the 'cashout' ATM software only contain small improvements over previous generations," says Konstantin Zykov, security researcher at Kaspersky Lab. "These improvements allow criminals to automate the jackpotting process because time is of the essence."
This also partly explains the absurdist streak among ATM hackers, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally simple and battle-tested, giving its owners room to add some creativity. The whimsical bent of WinPot and Cutlet Maker "does not usually exist in other types of malicious programs," says Zykov. "These people have a sense of humor and a little free time."
After all, ATMs are essentially computers. Not only that, they are computers that often run out-of-date, even unsupported, versions of Windows. The main barrier to entry is that most of these efforts require physical access to the machine, which partly explains why ATM malware has not become more popular in the US, where law enforcement has a relatively strong presence. Many ATM hackers deploy so-called money mules, people who assume the entire risk of extracting money from the device in exchange for a piece of the action.
But WinPot and Cutlet Maker share a trait even more important than waggery: both are available for sale on the dark web. Kaspersky discovered that you could buy the latest version of WinPot for as little as $500. This is unusual for ATM hackers, who have always kept their work closely guarded.
"More recently, with malware such as Cutlet Maker and WinPot, we have found that this attack tool is now commercially available for a relatively small amount," said Numaan Huq, Senior Threat Researcher at Trend Micro Research, who teamed with Europol in 2016 for a comprehensive overview of the state of ATM hacking. "We expect an increase in the number of groups targeting ATMs."
WinPot and Cutlet Maker are only part of the ATM malware market. Ploutus and its variants have haunted cash machines since 2013 and can force an ATM to spit out thousands of dollars in just a few minutes. In some cases, all that a hacker had to do was send an SMS to a compromised device to make an illicit withdrawal. The Tyupkin virus, which is widespread in Russia, responds to commands only during specific time slots on Sunday and Monday nights, in order to minimize the chances of being discovered. Prilex appears to be homegrown in Brazil and is endemic there. And so on.
Stopping this type of malware is relatively easy: manufacturers can create a whitelist of approved software that the ATM is allowed to run, blocking everything else. And device control software can prevent unknown devices, such as a USB stick carrying malware, from connecting in the first place. Then again, think about the last bodega ATM you used and how long it has been since it was updated.
Expect ATM hacking to become more popular, and more ridiculous. At this point, it's literally fun and games. "The criminals are having fun," Zykov said. "We can only speculate that, since the malware is not that complicated in itself, they have time to spare for these 'fun' features."