ATM hacking has gotten so easy, the malware’s a game.
As long as there are ATMs, hackers will be there to drain them of money. Although ATM-targeted “jackpotting” malware—which forces machines to spit out cash—has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine’s interface into something like a slot machine. One that pays out every time.
As detailed by Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a “popular” ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot, it’s easy enough to plug into a serial port. Once activated, the malware replaces the ATM’s standard display with four buttons labeled “SPIN”—one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)
Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical versions on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, though rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for “OK.”
The similarities are a feature, not a bug. “The latest versions of ‘cashout’ ATM software contain only small improvements compared with previous generations,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “These improvements allow the criminals to automate the jackpotting process because time is critical for them.”
That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker “is not usually found in other kinds of malware,” Zykov adds. “These people do have a sense of humor and some spare time.”
After all, ATMs at their core are computers. Not only that, they’re computers that often run outdated, even unsupported versions of Windows (like Windows XP). The primary barrier to entry is that most of these efforts require physical access to the machine, which is one reason why ATM malware hasn’t become more popular in the US, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.
But WinPot and Cutlet Maker share an even more important trait than waggery: Both have been available for sale on the dark web. Kaspersky found that one could purchase the latest version of WinPot for as little as $500. That’s unusual for ATM hackers, who have historically kept their work closely guarded.
“More recently, with malware such as Cutlet Maker and WinPot, we see this attack tool is now commercially for sale for a relatively small amount of money,” says Numaan Huq, senior threat researcher with Trend Micro Research, which teamed up with Europol in 2016 for a comprehensive look at the state of ATM hacking. “We expect to see an increase in groups targeting ATM machines as a result.”
WinPot and Cutlet Maker represent only a slice of the ATM malware market. Ploutus and its variants have haunted cash machines since 2013, and can force an ATM to spit out thousands of dollars in mere minutes. In some cases, all a hacker needed to do was send a text message to a compromised device to make an illicit withdrawal. Typukin Virus, popular in Russia, only responds to commands during specific windows of time on Sunday and Monday nights, to minimize the chances of being found. Prilex appears to have been homegrown in Brazil, and runs rampant there. It goes on and on.
Stopping this sort of malware is relatively easy; manufacturers can create a whitelist of approved software that the ATM can run, blocking anything else. Device control software also can prevent unknown devices—like a malware-carrying USB stick—from connecting in the first place. Then again, think of the last bodega ATM you used, and how long it’s been since it got any kind of updates.
So expect ATM hacking to only get more popular—and more farcical. At this point, it’s literally fun and games. “Criminals are just having fun,” says Zykov. “We can only speculate that since the malware itself is not that complicated they have time to spend on these ‘fun’ features.”
In July 2016, ATM hackers in Taiwan raked in more than $2 million using a new type of malware attack that manipulated machines into spitting out tons of cash. The method, dubbed “jackpotting,” quickly spread across parts of Asia, Europe, and Central America, resulting in tens of millions of dollars of stolen cash. By November 2016, the FBI issued a warning that “well-resourced and organized malicious cyber actors have intentions to target the US financial sector” using this approach. But it took a year for the attack to arrive stateside.
This week, the Secret Service began warning financial institutions about a rash of jackpotting attacks across the US, and the threat that more could be coming. In a jackpotting attack, hackers—often dressed as technicians to deflect suspicion—penetrate an ATM’s physical and digital security, install malware, establish remote access, and set it up to display an out-of-order screen. With those hardware and software modifications in place, another attacker can approach the compromised ATM and stand with a bag while co-conspirators remotely instruct it to dispense cash. In past incidents, law enforcement observed a cash flow rate of 40 bills every 23 seconds.
Coming to America
So far, jackpotting attacks in the US have largely targeted standalone ATMs—like the ones you might see at pharmacies or big box stores—and have already cropped up in numerous regions including the Pacific Northwest, New England, and the Gulf. ATM manufacturers, financial institutions, and law enforcement agencies are now scrambling to defend the 400,000 ATMs in the US against further jackpotting attempts—and to figure out what took it so long to get here.
“While there is no way to give a definitive answer, there are two predominant schools of thought,” says Secret Service special agent Matthew Quinn. “First, financial fraud is cyclical. Attack one region, locally or globally, and move on before apprehension or after law enforcement exposure. The second often revolves around ease of entry. Organized transnational criminal groups may first target a region with less law enforcement presence and less restrictive means of entry.”
The US has extensive law enforcement capabilities, making other countries, particularly developing nations, safer training grounds for perfecting malicious techniques. But recently jackpotting has been slowly easing into the US. Krebs on Security, which first reported on the Secret Service advisory earlier this week, also notes that there were some preliminary jackpotting attacks in Wyoming in November.
The physical access component is crucial to why there haven’t been more jackpotting attacks in the US, according to Daniel Regalado, principal security researcher at the Internet of Things defense firm ZingBox. “In the context of developing countries, it’s easy to open up the box. No one is going to spot you or it’s easy to bribe the cops. Physical access is not a problem,” says Regalado, who has tracked jackpotting malware for years. “When you come to the US things are different. In five minutes the cops are going to arrive, or they are already tracking you from a previous jackpot.”
ATM security is also stronger in the US than in some countries, because banks can afford to regularly upgrade their devices with new hardware and software protections. The ATMs attackers have hit in the US so far all appear to be old models made by Diebold Nixdorf. And Regalado notes that when companies replace ATMs in moneyed countries, they often sell the old models to developing nations—another reason jackpotting is easier outside the US.
The malware attackers have been using in these recent attacks, known as “Ploutus.D,” originated in Latin America and does have other variants that can target more recent models of ATMs from vendors beyond Diebold. But Regalado is skeptical that jackpotting will truly take off in the US. “I don’t understand to be honest why they’re coming to the US when it’s so much harder to do the attacks than what they’ve been doing in other countries,” he says. “A jackpot in the US is definitely better than one in an ATM in Mexico or another Latin American country, because the currency is worth more. But there’s a big risk of getting caught.”
Nonetheless, US ATM security isn’t stellar, even if it is above average. “Jackpotting is nothing new. The manufacturers play cat and mouse, but still haven’t been able to fix it,” says David Kennedy, the former chief security officer of Diebold, who now runs the corporate security consulting firm TrustedSec. “ATM manufacturers should be protecting the product they sell, but also most of the security enhancements to ATMs are removed by banks or they won’t pay for additional security on the devices. Most banks treat ATMs as standalone devices with few security controls.”
Diebold said in a client advisory on Thursday that customers should implement “the same countermeasures” the company has recommended during past jackpotting waves, like installing the latest firmware updates, using robust physical ATM locks, and adding two-factor authentication to ATM access controls. Diebold hinted, though, that many financial institutions may not have heeded this advice, noting that the recommendations “should be deployed if not already implemented.”
While there are important software protections that manufacturers and financial institutions can implement on ATMs, like strict limits on a device’s ability to run foreign code, ZingBox’s Regalado argues that ultimately ATM protections need to be physical, since hackers are already relying on physical access to carry out their attacks. “You can have the latest and greatest software solution, but with physical access they figure out ways to remove the protections,” he says. “This is not a software problem, it’s a hardware problem.”
In comparison to some other countries, communication about these types of threats, law enforcement action, and regulations all move relatively quickly in the US, thanks to specialized groups like the Federal Financial Institutions Examination Council. As a result, TrustedSec’s Kennedy agrees that jackpotting isn’t likely to be as widespread in the US as the law enforcement warnings might make it seem.
But the threat certainly merits precautions from financial institutions, and can also serve as a vital reminder about the ongoing need to invest in strong ATM security. If you get a sketchy vibe off of someone loitering around an ATM for too long, tell someone. Especially if you see them collecting a waterfall of cash.