Crooks steal money from ATMs using USB drives, experts weigh in


ATMs (automated teller machines) around the world that still run Windows XP – which reaches end of support in April – can be compromised by malware loaded from USB drives, two German researchers showed at the annual Chaos Communication Congress on Friday.

The researchers, who wished to remain anonymous, demonstrated how the criminals store malware on thumb drives, cut away the part of the ATM's casing that conceals the USB ports, load the malware onto the machine, cover the hole in the ATM body again, and then, after rewriting the operating system's registry, extract as much cash as they want, according to a Wired.com article.

The researchers explained that the malware forces a system reboot in order to rewrite the registry, and that criminals will wait until the ATMs are restocked with cash before taking action, the article said. Researchers reconstructed the malware from samples they discovered in the wild.
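The attack described above depends on the ATM's Windows host mounting a thumb drive that is plugged into a port the attackers have uncovered. The following script is an added example, not code from the article or from the researchers, of the check an operator of a Windows-based ATM or kiosk could run to confirm that USB mass storage and AutoRun are disabled, and of how to disable them if they are not. It assumes Windows PowerShell is available on the host and is run with administrative rights; the registry locations are the standard USBSTOR service key and the Explorer AutoRun policy, and the "disabled" thresholds (Start = 4, NoDriveTypeAutoRun = 0xFF) are the usual hardening values, not anything the article specifies.

```powershell
# Added example (not from the article or the researchers): audit whether a Windows host
# still accepts USB mass-storage devices and AutoRun, the load vector described above.
# Registry paths are the standard ones; the expected values are this script's assumptions.

function Get-UsbStorageExposure {
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    $explorer = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue

    # USBSTOR Start = 4 disables the driver; 3 (manual, the default) loads it when a drive is inserted.
    $usbStart = if ($usbstor -and $usbstor.PSObject.Properties['Start']) { $usbstor.Start } else { 3 }

    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type; absent means policy default.
    $noAutoRun = if ($explorer -and $explorer.PSObject.Properties['NoDriveTypeAutoRun']) { $explorer.NoDriveTypeAutoRun } else { 0 }

    [pscustomobject]@{
        UsbStorageDisabled = ($usbStart -eq 4)
        AutoRunDisabled    = ($noAutoRun -eq 0xFF)
    }
}

function Set-UsbStorageDisabled {
    # Disable the USBSTOR driver so an inserted thumb drive is not mounted.
    # Reversible by setting Start back to 3; USB keyboards and card readers (HID) are unaffected.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord

    $explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $explorerKey)) { New-Item -Path $explorerKey -Force | Out-Null }
    Set-ItemProperty -Path $explorerKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Audit first; only change the host if either control is missing.
$state = Get-UsbStorageExposure
$state
if (-not ($state.UsbStorageDisabled -and $state.AutoRunDisabled)) {
    Set-UsbStorageDisabled
    Get-UsbStorageExposure
}
```

Two caveats a practitioner would want noted: disabling the driver stops the drive from being mounted but does nothing about the physical access the researchers relied on (cutting into the casing), which is a matter of enclosure design and tamper detection; and the registry values are themselves writable by anyone who already has administrative code running on the machine, so they are a preventive control against the initial load, not a defence once the malware described above is in place.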

Loading malware onto ATMs is nothing new. In October, researchers learned of a piece of Spanish-language malware, known as Ploutus, being loaded through the CD-ROM drive onto ATMs in Mexico. A few weeks later, different researchers discovered an English-language variant making the rounds.

Aviv Raff, the CTO at Seculert, who has studied financial malware, told SCMagazine.com on Tuesday that this malware does not appear to be Ploutus. “I believe this is a tailored malware, created by someone who had access to these kinds of ATMs in the past,” he said.

But other experts see traces. Ryan Linn, a managing consultant with information security company Trustwave, told SCMagazine.com on Tuesday that this most recent malware has many similarities to Ploutus. Trustwave released research on Ploutus when the malware first started gaining momentum.

“Both pieces of malware facilitate the extraction of cash from the ATM,” Linn said. “The sample presented at the [Chaos Communication Congress] has some additional protection, such as two-factor authentication, before cash can be withdrawn by an attacker, so it appears to be more sophisticated than some of the malware previously seen.”

Linn also explained that criminals going after cash find it much more beneficial to go straight to the source, and that increasingly sophisticated attacks against ATMs underscore a continuing shift in approach by crooks.

Raff added, “If there are still ATM machines out there which are using Windows XP, there are probably criminals quietly abusing this for a long time."
