As long as there are ATMs, hackers will be there to drain them of money. Although ATM-targeted “jackpotting” malware—which forces machines to spit out cash—has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine’s interface into something like a slot machine. One that pays out every time.
As detailed by Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a “popular” ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot, it's easy enough to plug into a serial port. Once activated, the malware replaces the ATM's standard display with four buttons labeled “SPIN”—one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)
Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical versions on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, though rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for “OK.”
The similarities are a feature, not a bug. “The latest versions of ‘cashout’ ATM software contain only small improvements compared with previous generations,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “These improvements allow the criminals to automate the jackpotting process because time is critical for them.”
That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker “is not usually found in other kinds of malware,” Zykov adds. “These people do have a sense of humor and some spare time.”
After all, ATMs at their core are computers. Not only that, they're computers that often run outdated, even unsupported versions of Windows. The primary barrier to entry is that most of these efforts require physical access to a machine, which is one reason why ATM malware hasn’t become more popular in the US, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.
But WinPot and Cutlet Maker share an even more important trait than waggery: Both have been available for sale on the dark web. Kaspersky found that one could purchase the latest version of WinPot for as little as $500. That’s unusual for ATM hackers, who have historically kept their work closely guarded.
“More recently, with malware such as Cutlet Maker and WinPot, we see this attack tool is now commercially for sale for a relatively small amount of money,” says Numaan Huq, senior threat researcher with Trend Micro Research, which teamed up with Europol in 2016 for a comprehensive look at the state of ATM hacking. “We expect to see an increase in groups targeting ATM machines as a result.”
WinPot and Cutlet Maker represent only a slice of the ATM malware market. Ploutus and its variants have haunted cash machines since 2013, and can force an ATM to spit out thousands of dollars in mere minutes. In some cases, all a hacker needed to do was send a text message to a compromised device to make an illicit withdrawal. Tyupkin Virus, popular in Russia, only responds to commands during specific windows of time on Sunday and Monday nights, to minimize the chances of being found. Prilex appears to have been homegrown in Brazil, and runs rampant there. It goes on and on.
Stopping this sort of malware is relatively easy; manufacturers can create a whitelist of approved software that the ATM can run, blocking anything else. Device control software also can prevent unknown devices—like a malware-carrying USB stick—from connecting in the first place. Then again, think of the last bodega ATM you used, and how long it's been since it got any kind of updates.
So expect ATM hacking to only get more popular—and more farcical. At this point, it's literally fun and games. “Criminals are just having fun,” says Zykov. “We can only speculate that since the malware itself is not that complicated they have time to spend on these ‘fun’ features.”
Take a look at the story below, as run by the Observer newspaper on 14/09/2017:
Two people have been arrested for allegedly hacking into the accounts systems of Centenary bank and transferring millions of shillings.
The two identified as Denis Etumu and Shalih Ajuna were picked from different areas of Kampala after being trailed by intelligence personnel from Central Police Station (CPS) Kampala.
Etumu was the first to be arrested around Mini Price complex in downtown Kampala. He was thereafter used to set up Ajuna who was also arrested.
According to the Kampala Metropolitan deputy police spokesperson Luke Owoyesigire, Centenary bank officials had earlier filed a complaint indicating that the Automated Teller Machines (ATMs) had been hacked by unknown personnel.
"When they complained that someone had interfered with their ATMs especially the one at Mini Price, we began investigations to establish who was behind the fraud," Owoyesigire told URN.
Police initially retrieved CCTV camera footage around Mini Price which they used to single out Etumu. Preliminary investigations indicate that the suspects had set the ATMs in a way that they could easily retrieve details from various accounts.
Among the accounts which were hacked and money transferred were account number 302007**** belonging to Prossy Nabukenya, from which Shs 510,000 was transferred, 32007**** belonging to Proscovia Nalwayeso, from which Shs 2 million was transferred, and 320156**** belonging to Eva Mukasini, from which Shs 650,000 was transferred, among many others.
Detectives together with Centenary bank officials are still in the process of compiling all complaints falling under the same racket of fraudsters as well as tracing where exactly the money was transferred to.
Personnel from the police Cyber Crime Unit have also been deployed to help handle the case. Attempts to get a comment from Centenary bank were futile as none of their officials was willing to comment on the case.
The two suspects are also being tentatively charged with impersonation following recovery of two warrant cards of the Uganda People's Defence Forces (UPDF) believed to have been forged. The cards identify Etumu and Ajuna as soldiers at the rank of Captain. The warrant cards have been sent to the UPDF headquarters for verification.