ATM malware, controlled by a text message, spews cash

The malware can cause a cash machine to start churning out bills

A group of enterprising cybercriminals have figured out how to get cash from a certain type of ATM -- by text message.

The latest development was spotted by security vendor Symantec, which has periodically written about a type of malicious software it calls "Ploutus" that first appeared in Mexico.

The malware is engineered to plunder a certain type of standalone ATM, which Symantec has not identified. The company obtained one of the ATMs to carry out a test of how Ploutus works, but it doesn't show a brand name.

Ploutus isn't the easiest piece of malware to install, as cybercriminals need to have access to the machine. That's probably why cybercriminals are targeting standalone ATMs, as it is easy to get access to all parts of the machine.

Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. But the latest version shows a remarkable new development: it is now controllable remotely via text message.

In this variation, the attackers manage to open up an ATM and attach a mobile phone, which acts as a controller, to a USB port inside the machine. The ATM also has to be infected with Ploutus.

"When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable," wrote Daniel Regalado, a Symantec malware analyst, in a blog post on Monday.

Ploutus has a network packet monitor that watches all traffic coming into the ATM, he wrote. When it detects a valid TCP or UDP packet from the phone, the module searches "for the number "5449610000583686 at a specific offset within the packet in order to process the whole package of data," he wrote.

It then reads the next 16 digits and uses that to generate a command line to control Ploutus.

So, why do this? Regalado wrote that it is more discrete and works nearly instantly. The past version of Ploutus required someone to either use a keyboard or enter a sequences of digits into the ATM keypad to fire up Ploutus. Both of those methods increase the amount of time someone spends in front of the machine, increasing the risk of detection.

Now, the ATM can be remotely triggered to dispense cash, allowing a "money mule," or someone hired to do the risky job of stopping by to pick up the cash, to swiftly grab their gains. It also deprives the money mule of information that could allow them to skim some cash off the top, Regalado wrote.

"The master criminal knows exactly how much the money mule will be getting," he wrote.

Symantec warned that about 95 percent of ATMs are still running Windows XP, Microsoft's 13-year-old OS. Microsoft is ending regular support for Windows XP on April 8, but is offering extended support for Windows XP embedded systems, used for point-of-sale devices and ATMs, through January 2016.

Still, Symantec warned that "the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags symantecsecuritymalwarefraud

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?