Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Malware-flinger cash-snatchers just need a mobile for a heist

Mexican cybercrooks are targeting bank ATMs with malware that can be activated by an SMS message, forcing compromised cash machines to spew out cash.

The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net security firm Symantec:

In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor-Ploutus.

Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries.

The new variant was identified as Backdoor-Ploutus-B.

What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time.

The scam relies on remotely controlling the ATM using a mobile phone which is connected to the inside of the cash machine. This is not as difficult as it might seem at first and doesn't entail physically opening up a target machine, Symantec researcher Daniel Regalado explains.

There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.

Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Once setup is complete, crooks can send SMS command messages to the target phone: the first activates the malicious code, and a second triggers it to dispense cash. Stolen money is collected by a money mule working for the gangs behind the scam. The mobile device converts the message into a network packet before forwarding it to the ATM through the USB cable.

"The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM," Symantec explains. "As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number '5449610000583686' at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus."
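The NPM behaviour quoted above gives a defender a concrete thing to look for on the ATM's network segment. The detector below is an added example for this page, not Symantec's or the malware's own code: it scans TCP/UDP payloads for the quoted marker and logs the 16-digit field that follows it. Because the article does not say at which offset Ploutus expects the marker, the scan covers every offset (an assumption made here), and the packets are constructed samples rather than a real capture.

```python
from typing import Dict, List

# Activation marker quoted by Symantec for Backdoor.Ploutus.B. The article says the
# malware's NPM looks for it "at a specific offset" without giving that offset, so
# this detector scans every offset of a payload (an assumption made here, not Symantec's).
PLOUTUS_MARKER = b"5449610000583686"
COMMAND_DIGITS = 16  # the NPM reads the next 16 digits after the marker


def scan_payload(payload: bytes) -> List[Dict[str, object]]:
    """Return one finding per marker occurrence in a TCP/UDP payload."""
    findings = []
    pos = payload.find(PLOUTUS_MARKER)
    while pos >= 0:
        end = pos + len(PLOUTUS_MARKER)
        tail = payload[end:end + COMMAND_DIGITS]
        findings.append({
            "offset": pos,
            "command_field": tail.decode("ascii", "replace"),
            # A short or non-numeric tail would not feed the malware's command builder,
            # but the marker alone is still a strong indicator worth alerting on.
            "well_formed": len(tail) == COMMAND_DIGITS and tail.isdigit(),
        })
        pos = payload.find(PLOUTUS_MARKER, end)
    return findings


def scan_packets(packets: List[Dict[str, object]]) -> List[str]:
    """Produce one alert line per hit across a list of {src, dst, payload} records."""
    alerts = []
    for pkt in packets:
        for f in scan_payload(pkt["payload"]):
            status = "complete" if f["well_formed"] else "truncated/non-numeric"
            alerts.append(f"{pkt['src']} -> {pkt['dst']}: Ploutus marker at offset "
                          f"{f['offset']}, command field {f['command_field']!r} ({status})")
    return alerts


# Constructed sample traffic (not a real capture): a benign request and two packets
# carrying the marker, the second one cut short before the 16 command digits.
SAMPLE_PACKETS = [
    {"src": "10.0.0.2", "dst": "10.0.0.1", "payload": b"GET /status HTTP/1.1\r\nHost: atm\r\n\r\n"},
    {"src": "192.168.42.1", "dst": "192.168.42.2",
     "payload": b"\x00\x01" + PLOUTUS_MARKER + b"1234567890123456" + b"\r\n"},
    {"src": "192.168.42.1", "dst": "192.168.42.2", "payload": b"junk" + PLOUTUS_MARKER + b"12"},
]

if __name__ == "__main__":
    for line in scan_packets(SAMPLE_PACKETS):
        print(line)
```

On a real deployment the same match belongs in the IDS watching the ATM's USB-tethered interface, where the marker should never appear in legitimate traffic.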

Previous versions of the malware relied on the masterminds behind the scheme telling their underlings about the necessary activation code. The latest version of Ploutus gets around this requirement, limiting the possibility that humble money mules could defraud the masterminds behind the scam. The new approach is also more discreet because crooks are not obliged to enter long code strings into compromised devices or wait around for the cash to be dispensed. The amount of cash dispensed is pre-configured inside the malware.

Symantec was able to replicate the attack in its lab with a real ATM that had been infected with Ploutus before putting together a short video illustrating the exploit process.

Symantec warns that Ploutus is far from the only strain of malware geared towards knocking off ATMs. "In the case of Ploutus, the attackers are trying to steal the cash from inside the ATM; however, some malware we have analyzed attempts to steal the customers' card information and PIN while other malicious software lets criminals attempt man-in-the-middle attacks," Symantec's Regalado adds.

Symantec explains that the problem is only going to get worse, especially in the case of older cash machines still running Windows XP, a dead-man-walking OS.

"Modern ATMs have enhanced security features, such as encrypted hard-drives, which can prevent these types of installation techniques," the researcher concludes. "However, for older ATMs still running on Windows XP, protecting against these types of attacks is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. Another difficulty that needs to be addressed is the physical security of the computer inside the ATMs. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has the upper hand."

The security firm's blog post concludes with a list of security measures to guard against this kind of fraud. But compromising an ATM is always going to be a risk, because there's always the possibility that crooks might be able to take advantage of complicit insiders, the security firm adds. ®
