A group of enterprising cybercriminals have figured out how to get cash from a certain type of ATM—by text message.
The latest development was spotted by security vendor Symantec, which has periodically written about a type of malicious software it calls “Ploutus” that first appeared in Mexico.
The malware is engineered to plunder a certain type of standalone ATM, which Symantec has not identified. The company obtained one of the ATMs to carry out a test of how Ploutus works, but it doesn’t show a brand name.
Ploutus isn’t the easiest piece of malware to install, as cybercriminals need to have access to the machine. That’s probably why cybercriminals are targeting standalone ATMs, as it is easy to get access to all parts of the machine.
Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. But the latest version shows a remarkable new development: it is now controllable remotely via text message.
In this variation, the attackers manage to open up an ATM and attach a mobile phone, which acts as a controller, to a USB port inside the machine. The ATM also has to be infected with Ploutus.
“When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable,” wrote Daniel Regalado, a Symantec malware analyst, in a blog post on Monday.
Ploutus has a network packet monitor that watches all traffic coming into the ATM, he wrote. When it detects a valid TCP or UDP packet from the phone, the module searches “for the number “5449610000583686 at a specific offset within the packet in order to process the whole package of data,” he wrote.
It then reads the next 16 digits and uses that to generate a command line to control Ploutus.
So, why do this? Regalado wrote that it is more discrete and works nearly instantly. The past version of Ploutus required someone to either use a keyboard or enter a sequences of digits into the ATM keypad to fire up Ploutus. Both of those methods increase the amount of time someone spends in front of the machine, increasing the risk of detection.
Now, the ATM can be remotely triggered to dispense cash, allowing a “money mule,” or someone hired to do the risky job of stopping by to pick up the cash, to swiftly grab their gains. It also deprives the money mule of information that could allow them to skim some cash off the top, Regalado wrote.
“The master criminal knows exactly how much the money mule will be getting,” he wrote.
Symantec warned that about 95 percent of ATMs are still running Windows XP, Microsoft’s 13-year-old OS. Microsoft is ending regular support for Windows XP on April 8, but is offering extended support for Windows XP embedded systems, used for point-of-sale devices and ATMs, through January 2016.
Still, Symantec warned that “the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet.”