Researchers found an unusual malware which turns ATMs into slot machines. The security team at Kaspersky Labs dubbed the malware ATMPot or the WinPot ATM jackpotting malware. The malware first appeared in March 2018 on underground forums.
Hackers infect machines through USB drives which contain the malware. The USB drives are inserted in the back of the ATM. When inserted the malware is downloaded and the attacker can automatically dispense all the cash from machines.
ATMs located in gas stations, pharmacies, delis, and unsecured locations are targeted by attackers. Hackers are less likely to get caught by targeting these locations, whereas in a bank they would be seen on camera.
Cybercriminals specifically designed this malware to act and look like a slot machine. The interface looks just like a slot machine with ‘spin’ options. The interface has cassettes numbered from one to four. With the maximum number of cash-out cassettes set to four, just like an ATM. Each cassette is labeled ‘spin’ and underneath this option includes the value of bank notes and the number of notes in each cassette.
When the ‘spin’ option is pressed, cash begins to dispense and the ‘stop’ option shuts off the machine. There is also an ‘scan’ option that resets the machine and updates the funds available.
WinPot is listed on the dark web for upwards $500 to $1,000. Since its appearance on the market, the malware has gone through many updates and modifications. Including, changes to its interface, error-handling, and to better secure the malware.
Kaspersky labs said in its blog:
“We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it”
If your organization was hit with malware contact LIFARS today