Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Malware-flinger cash-snatchers just need a mobile for a heist

Mexican cybercrooks are targeting bank ATMs with malware that can be activated by a SMS message that forces compromised cash machines to spew out cash.

The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net security firm Symantec:

In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor-Ploutus.

Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries.

The new variant was identified as Backdoor-Ploutus-B.

What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time.

The scam relies on remotely controlling the ATM using a mobile phone which is connected to the inside of the cash machine. This is not as difficult as it might seem at first and doesn't entail physically opening up a target machine, Symantec researcher Daniel Regalado explains.

There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.

Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Once setup is completed, crooks can send SMS command messages to the target phone that first activate the malicious code, before a second message triggers it to dispense cash. Stolen money is collected by a money mule working for the gangs behind the scam. The mobile device converts the message into a network packet before forwarding it to the ATM through the USB cable.

"The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM," Symantec explains. "As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number '5449610000583686' at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus."
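As an added illustration (not Symantec's or the malware's code) of the trigger pattern that the NPM module watches for, here is a defender-side scanner that flags any payload carrying the published activation number followed by 16 digits. The article does not give the "specific offset" the real module checks, so this version searches at any offset; that, and the constructed sample packets, are assumptions.

```python
"""Detect the Ploutus SMS-activation trigger in captured packet payloads.

Added example for monitoring ATM network traffic: it looks for the 16-digit
activation number quoted by Symantec and extracts the 16 digits that follow
it (the field the malware turns into a command line) so an alert can record
them. The real NPM checks a fixed offset the article does not state, so this
scanner matches at any offset (assumption) and reports where it was found.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PLOUTUS_MARKER = b"5449610000583686"  # activation number quoted in the article
# Marker immediately followed by exactly 16 ASCII digits, as Symantec describes.
_TRIGGER = re.compile(re.escape(PLOUTUS_MARKER) + rb"(\d{16})")


@dataclass(frozen=True)
class Alert:
    offset: int           # byte offset of the marker inside the payload
    command_digits: str   # the 16 digits after the marker (recorded, not interpreted)


def inspect_payload(payload: bytes) -> Optional[Alert]:
    """Return an Alert if the payload carries the Ploutus trigger, else None."""
    m = _TRIGGER.search(payload)
    if m is None:
        return None
    return Alert(offset=m.start(), command_digits=m.group(1).decode("ascii"))


def scan_packets(packets: List[bytes]) -> List[Alert]:
    """Run inspect_payload over a list of captured TCP/UDP payloads."""
    return [a for a in map(inspect_payload, packets) if a is not None]


# Constructed sample traffic: two benign payloads and one carrying the trigger.
SAMPLE_PACKETS = [
    b"GET /status HTTP/1.1\r\nHost: atm.local\r\n\r\n",
    b"\x00\x01heartbeat 5449610000583",                        # truncated marker
    b"\x10\x20\x30" + PLOUTUS_MARKER + b"1234567890123456\x00",  # trigger at offset 3
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS):
        print(f"Ploutus trigger at offset {alert.offset}: "
              f"next 16 digits {alert.command_digits}")
```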

Previous versions of the malware relied on the masterminds behind the scheme telling their underlings about the necessary activation code. The latest version of Ploutus gets around this requirement, limiting the possibility that humble money mules could defraud the masterminds behind the scam. The new approach is also more discreet because crooks are not obliged to enter long code strings into compromised devices or wait around for the cash to be dispensed. The amount of cash dispensed is pre-configured inside the malware.

Symantec was able to replicate the attack in its lab with a real ATM that had been infected with Ploutus before putting together a short video illustrating the exploit process.

Symantec warns that Ploutus is far from the only strain of malware geared towards knocking off ATMs. "In the case of Ploutus, the attackers are trying to steal the cash from inside the ATM; however, some malware we have analyzed attempts to steal the customers' card information and PIN while other malicious software lets criminals attempt man-in-the-middle attacks," Symantec's Regalado adds.

Symantec explains that the problem is only going to get worse, especially in the case of older cash machines still running Windows XP, a dead-man-walking OS.

"Modern ATMs have enhanced security features, such as encrypted hard-drives, which can prevent these types of installation techniques," the researcher concludes. "However, for older ATMs still running on Windows XP, protecting against these types of attacks is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. Another difficulty that needs to be addressed is the physical security of the computer inside the ATMs. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has the upper hand."

The security firm's blog post concludes with a list of security measures to guard against this kind of fraud. But compromising an ATM is always going to be a risk, because there's always the possibility that crooks might be able to take advantage of complicit insiders, the security firm adds. ®
