The WinPot ATM jackpotting malware is evolving, as its authors look to solve the obstacles that get in their way. The latest is an effort to help ATM hackers, a.k.a. jackpotters, better target their efforts in order to steal more cash in a lesser amount of time.
Thieves infect ATMs through physical access, i.e., by using USB drives to install malware onto the machine (ATM owners can thus protect themselves through device control and software blacklisting/whitelisting). The USB port is located on the back of the ATM, which the criminals get to by popping open a flange on the front that exposes a hole.
“Using a special tool, like a screwdriver with a USB soldered to it, in order to reach the USB port at the back of the machine via the hole in the exposed front of the panel, the thief then inserts the USB stick, and waits for the [malware] to launch and the user interface to appear on the screen,” researchers with Lastline explained in a posting describing how jackpotting is done.
Once the malware is installed, the cybercriminals can force the ATM to dispense cash on-demand via a software interface that appears on the ATM’s screen. The effect is a bit like hitting the jackpot on a slot machine, hence the nickname for this kind of strike.
The attacks are usually mounted on standalone ATMs located outside on less-traveled streets, pharmacies, delis, liquor stores and so on, rather than bank ATMs which are likely to be better secured and covered with video recording.
According to Kaspersky Lab researcher Konstantin Zykov, WinPot v.3 has appeared on the Dark Web, going for $500 to $1,000 depending on the offer. A demo from the seller video shows how WinPot v.3 forces ATMs to dispense cash, along with a previously unknown piece of code called “ShowMeMoney.”
Like Stimulator, ShowMeMoney is designed to work on specific vendor ATMs and uses proprietary API calls to fetch an ATM’s the status of the cassettes (e.g., trays/repositories) inside the ATM that hold the money. After execution and pressing the “Scan” button, it shows the currency, banknote value, a counter for specific notes in a cassette and the overall number of notes in the cassette. Presumably this is to help the thieves know which cassettes are the most valuable in the machine in order to better target their efforts.
WinPot was first discovered in March of last year. One notable aspect – and the source of its name – is the fact that the crooks have gone above and beyond to make the interface look and feel a lot like a slot machine.
“Each cassette has a reel of its own numbered one to four (four is the max number of cash-out cassettes in an ATM) and a button labeled SPIN,” explained the researcher. “As soon as you press the SPIN button … the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.”
Since appearing in the underground markets, new WinPot samples have popped up, with minor modifications such as an updated time period during which the malware is programmed to work.
Other modifications seen over time include adding protectors to make each new sample unique, in order to trick ATM security systems; changes to overcome ATM limitations such as a limit on maximum notes allowed per dispense; protections against money mules abusing the malware; and updates to improve the interface and error-handling routines.
It is therefore likely that WinPot will continue to update and flourish.
“We thus expect to see more modifications of the existing ATM malware,” Zykov explained.
Jackpotting has long been a scourge in Europe and Asia, but it wasn’t until last year that the first attacks of any scale were seen in the U.S., when Brian Krebs reported that NCR Corp. machines were being targeted. At the same time, the U.S. Secret Service issued a warning that these kinds of attacks were set to ramp up in the U.S.