![](\"https:\/\/media.wired.com\/photos\/5c6c7aa2f94f2a1b74c536b9\/master\/pass\/atm_featured-1125750978.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Wed, 20 Feb 2019 16:12:51 +0000<\/strong><\/p>\n As long as <\/span>there are ATMs, hackers will be there to drain them of money. Although ATM-targeted \u201cjackpotting\u201d malware<\/a>\u2014which forces machines to spit out cash\u2014has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine\u2019s interface into something like a slot machine. One that pays out every time.<\/p>\n As detailed by<\/a> Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a \u201cpopular\u201d ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot<\/a>, it's easy enough to plug into a serial port. Once activated, the malware replaces the ATM's standard display with four buttons labeled \u201cSPIN\u201d\u2014one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)<\/p>\n \u201cThese people do have a sense of humor and some spare time.\u201d<\/p>\n Konstantin Zykov, Kaspersky Lab<\/p>\n Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical versions on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, though rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for \u201cOK.\u201d<\/p>\n The similarities are a feature, not a bug. \u201cThe latest versions of \u2018cashout\u2019 ATM software contain only small improvements compared with previous generations,\u201d says Konstantin Zykov, senior security researcher at Kaspersky Lab. \u201cThese improvements allow the criminals to automate the jackpotting process because time is critical for them.\u201d<\/p>\n That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker \u201cis not usually found in other kinds of malware,\u201d Zykov adds. \u201cThese people do have a sense of humor and some spare time.\u201d<\/p>\n After all, ATMs at their core are computers. Not only that, they're computers that often run outdated, even unsupported versions of Windows<\/a>. The primary barrier to entry is that most of these efforts require physical access to machine, which is one reason why ATM malware hasn\u2019t become more popular in the US, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules<\/a>, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.<\/p>\n But WinPot and Cutlet Maker share an even more important trait than waggery: Both have been available for sale on the dark web. Kaspersky found that one could purchase the latest version of WinPot for as little as $500. That\u2019s unusual for ATM hackers, who have historically kept their work closely guarded.<\/p>\n \u201cMore recently, with malware such as Cutlet Maker and WinPot, we see this attack tool is now commercially for sale for a relatively small amount of money,\u201d says Numaan Huq, senior threat researcher with Trend Micro Research, which teamed up with Europol in 2016 for a comprehensive look<\/a> at the state of ATM hacking. \u201cWe expect to see an increase in groups targeting ATM machines as a result.\u201d<\/p>\n WinPot and Cutlet Maker represent only a slice of the ATM malware market. Ploutus and its variants have haunted cash machines since 2013<\/a>, and can force an ATM to spit out thousands of dollars in mere minutes. In some cases, all a hacker needed to do was send a text message to a compromised device to make an illicit withdrawal. Typukin Virus, popular in Russia<\/a>, only responds to commands during specific windows of time on Sunday and Monday nights, to minimize the chances of being found. Prilex<\/a> appears to have been homegrown in Brazil, and runs rampant there. It goes on and on.<\/p>\n Stopping this sort of malware is relatively easy; manufacturers can create a whitelist of approved software that the ATM can run, blocking anything else. Device control software also can prevent unknown devices\u2014like a malware-carrying USB stick\u2014from connecting in the first place. Then again, think of the last bodega ATM you used, and how long it's been since it got any kind of updates.<\/p>\n So expect ATM hacking to only get more popular\u2014and more farcical. At this point, it's literally fun and games. \u201cCriminals are just having fun,\u201d says Zykov. \u201cWe can only speculate that since the malware itself is not that complicated they have time to spend on these \u2018fun\u2019 features.\u201d<\/p>\n