Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Malware-flinger cash-snatchers just need a mobile for a heist

Mexican cybercrooks are targeting bank ATMs with malware that can be activated by a SMS message that forces compromised cash machines to spew out cash.

The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net security firm Symantec:

In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor-Ploutus.

Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries.

The new variant was identified as Backdoor-Ploutus-B.

What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time.

The scam relies on remotely controlling the ATM using a mobile phone which is connected to the inside of the cash machine. This is not as difficult as it might seem at first and doesn't entail physically opening up a target machine, Symantec researcher Daniel Regalado explains.

There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.

Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Once setup is completed, crooks can send SMS command messages to the target phone that first activate the malicious code, before a second message triggers it to dispense cash. Stolen money is collected by a money mule working for the gangs behind the scam. The mobile device converts the message into a network packet before forwarding it to the ATM through the USB cable.

"The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM," Symantec explains. "As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number '5449610000583686' at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus."

Previous versions of the malware relied on the masterminds behind the scheme telling their underlings about the necessary activation code. The latest version of Ploutus gets around this requirement, limiting the possibility that humble money mules could defraud the masterminds behind the scam. The new approach is also more discreet because crooks are not obliged to enter long code strings into compromised devices or wait around for the cash to be dispensed. The amount of cash dispensed is pre-configured inside the malware.
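As an added illustration (not Symantec's code, nor anything from Ploutus itself), the check below shows how a defender's traffic monitor could flag packets carrying the trigger value Symantec quotes. It assumes 16 ASCII digits follow the marker, and because the article does not give the exact offset the NPM uses, it scans the whole payload; the sample packets are constructed.

```python
# Added example (not Symantec's or Ploutus code): flag packets carrying the
# Ploutus trigger value quoted above. Assumes 16 ASCII digits follow the
# marker; the offset is not given on the page, so the whole payload is scanned.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PLOUTUS_MARKER = b"5449610000583686"  # trigger value quoted by Symantec
# marker immediately followed by the 16 digits the NPM reads as its command
PATTERN = re.compile(re.escape(PLOUTUS_MARKER) + rb"(\d{16})")

@dataclass
class Alert:
    proto: str
    src: str
    offset: int          # byte offset of the marker within the payload
    command_digits: str  # digits following the marker, masked for logging

def mask(digits: str) -> str:
    # keep the first four digits so the alert does not echo the whole code
    return digits[:4] + "*" * (len(digits) - 4)

def inspect_payload(proto: str, src: str, payload: bytes) -> Optional[Alert]:
    """Alert on the marker plus 16 digits; a marker with fewer digits (e.g. a
    truncated or split packet) is still reported, just marked as partial."""
    if proto not in ("TCP", "UDP"):  # the NPM only acts on TCP/UDP packets
        return None
    m = PATTERN.search(payload)
    if m:
        return Alert(proto, src, m.start(), mask(m.group(1).decode()))
    pos = payload.find(PLOUTUS_MARKER)
    if pos != -1:
        return Alert(proto, src, pos, "<partial: marker without 16 digits>")
    return None

def scan(packets: Iterable[Tuple[str, str, bytes]]) -> List[Alert]:
    """packets are (protocol, source address, payload) tuples from a sniffer."""
    return [a for a in (inspect_payload(*p) for p in packets) if a]

# Constructed sample traffic, not real captures: benign, trigger, truncated.
SAMPLE_PACKETS = [
    ("TCP", "192.0.2.10", b"GET /status HTTP/1.1\r\n\r\n"),
    ("UDP", "192.0.2.20", b"\x00\x01" + PLOUTUS_MARKER + b"1234567890123456\x00"),
    ("TCP", "192.0.2.30", PLOUTUS_MARKER + b"12"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Feeding real sniffer output in would simply mean building the (protocol, source, payload) tuples from each captured frame.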

Symantec was able to replicate the attack in its lab with a real ATM that had been infected with Ploutus before putting together a short video illustrating the exploit process.

Symantec warns that Ploutus is far from the only strain of malware geared towards knocking off ATMs. "In the case of Ploutus, the attackers are trying to steal the cash from inside the ATM; however, some malware we have analyzed attempts to steal the customers' card information and PIN while other malicious software lets criminals attempt man-in-the-middle attacks," Symantec's Regalado adds.

Symantec explains that the problem is only going to get worse especially in the case of older cash machines still running (dead-man-walking OS) Windows XP.

"Modern ATMs have enhanced security features, such as encrypted hard-drives, which can prevent these types of installation techniques," the researcher concludes. "However, for older ATMs still running on Windows XP, protecting against these types of attacks is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. Another difficulty that needs to be addressed is the physical security of the computer inside the ATMs. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has the upper hand."

The security firm's blog post concludes with a list of security measures to guard against this kind of fraud. But compromising an ATM is always going to be a risk because there's always the possibility that crooks might be able to take advantage of complicit insiders, the security firm adds. ®
