New malware enables attackers to take money directly from ATMs


Skimmers were once considered the chief threat to ATMs, but that may shift now that security researchers have discovered a piece of malware, known as Ploutus, that has been infecting cash machines in Mexico.

Russian security firm Safensoft made the discovery in late September, and last week, after its own analysis, information security company Trustwave released its findings.

“Ploutus allows attackers to directly interact with the victimized ATM via either the ATM's keypad, or via an interactive interface,” Josh Grunzweig, security researcher at Trustwave, told SCMagazine.com on Tuesday. “Using specific key sequences on the keypad, the attackers are able to actively dispense money on the machine.”

Attackers can access the interactive interface by using a unique sequence of keystrokes, Grunzweig said, adding that in both methods, entering an activation code will cause the Ploutus malware to interact directly with the ATM software to dispense cash.

Grunzweig speculated that the malware originated in Mexico: the attackers picked the locks on the ATMs to reach each machine's CD-ROM drive, which was used to physically install Ploutus, and the malware also uses the Spanish language.

“To my knowledge, Ploutus has only been identified within Mexico,” Grunzweig said. “This is certainly an attack that could impact ATMs in the U.S., or anywhere else for that matter. While Ploutus itself may not work on a particular brand of ATM, it doesn't mean that someone out there is writing a variant to do just that.”

To help defend against this kind of attack, Grunzweig suggests that ATM operators put stronger physical protections on the machines. He said that anti-virus signatures exist for the Ploutus malware family, so ATM owners should update their signature databases.

“I believe this threat to be quite serious, simply for the fact that it provided the attackers with direct access to physical money,” Grunzweig said. “There was no need to steal someone's identity, clone their debit card or perform other actions commonly associated with financial theft. They simply had to get a disk inserted in an ATM, press a few buttons and they were on their way with as much cash as they'd like.”
