Attackers get cash out of ATMs by sending SMS messages

Share this article:
Attackers get cash out of ATMs by sending SMS messages
Criminals are using SMS messages to get cash out of ATMs.

Criminals are using SMS messages to get cash out of ATMs, according to Symantec.

The crooks begin by loading ATM malware into the cash machine. In the Monday post, Symantec used Ploutus, a piece of malware observed circulating Mexico in October 2013 that was later discovered to have been updated with an English-language version.

Uploading Ploutus to the ATM is as easy as accessing the CD-ROM drive or the USB drive on the machine. In previous operations, criminals picked the locks on the ATMs to access the drives, or even bored holes in the machine's casing and covered up the openings.

Next, the criminals must hook a specially configured mobile phone to the ATM using USB tethering, which allows the money machine and the cell phone to share an internet connection, but also keeps the mobile device charging indefinitely.

Now the criminals can send SMS command messages to the mobile phone in the ATM, which will be converted into network packets and forwarded to the ATM, Daniel Regalado, a Symantec security researcher, wrote in the post.

“As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data,” Regalado wrote. “Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.”

The end result is that the ATM almost instantly dispenses however much cash the malware is preconfigured to spit out, according to the post, which adds that criminal operators typically work in tandem with money mules to maximize profits.

Using full disk encryption, preventing booting from unauthorized USB sticks and CD-ROMs, and providing adequate physical defense and surveillance will help slow down criminals, Regalado wrote, but updating to Windows 7 or 8 from Windows XP seems to be the most prominent suggestion.

Microsoft will no longer be supporting Windows XP starting next month and, according to various reports, the popular operating system is being used in 95 percent of ATMs around the world.

In a Monday email correspondence, Charles Henderson, director at Trustwave, a security company that helped analyze Ploutus back in October 2013, told SCMagazine.com that the lack of support for Windows XP may create serious security weaknesses, but added that it is not the only issue.

“In our penetration tests against ATMs, many of our most successful attacks have not been OS-dependent,” Henderson said. “Vectors involving man-in-the-middle (MITM) attacks on the ATM network have been more effective and less time consuming than attacks against the underlying OS.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Company news: New hires at Accuvant, ZeroFox and ThreatStream

New hires at Accuvant, ZeroFOX and ThreatStream, while a divestiture at Juniper and an acquisition for BlackBerry.

News briefs: The latest on Sony, Android, Backoff malware and more.

News briefs: The latest on Sony, Android, Backoff ...

This month's news briefs cover a preliminary settlement Sony will bear for the exposure of 77 million customers, and more.

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.