Kaspersky Uncovers Malware used by Cyber-criminals in Stealing from ATMs

Kaspersky, a cybersecurity solutions provider, said it has discovered a malware used by cybercriminals to automatically dispense cash from Automatic Teller Machines (ATMs).

It said the malware called WinPot had been designed to look like the slot machine, warning that new modifications would be invented by the fraudsters this year.

Kaspersky said some of the modifications would trick the ATM security systems; overcome potential ATM limitations; find ways to keep the money mules from abusing their malware; and improve the interface and error-handling routines.

“In March 2018, we came across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes. We called it ATMPot. The criminals had clearly spent some time on the interface to make it look like that of a slot machine. Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs,” the Kaspersky report said.

Describing how the malware is used, analysts at Kaspersky said, “In the WinPot case, each cassette has a reel of its own, numbered one to four (four is the maximum number of cash-out cassettes in an ATM) and a button labelled ‘spin’.

“As soon as you press the spin button, the ATM starts dispensing cash from the corresponding cassette. Down from the spin button, there is information about the cassette such as the bank note value and the number of bank notes in the cassette. The scan button rescans the ATM and updates the numbers under the slot button, while the stop button stops the dispensing in progress.”

The company said its findings had been further corroborated by similar samples found in an European Fraud Update published in the summer of 2018.

In order to protect ATM from the threat, the cybersecurity firm advised, “Have a device control and process white-listing software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent the execution of unauthorised software on it.”