New malware enables attackers to take money directly from ATMs

Skimmers were once thought to be the bane of the ATM compromising world, but the trends may end up shifting now that security researchers have discovered a piece of malware, known as Ploutus, which has been infecting money machines in Mexico.

Russian security firm Safensoft made the discovery late in September, and last week, after doing a bit of poking and prodding of its own, information security company Trustwave released its findings.

“Ploutus allows attackers to directly interact with the victimized ATM via either the ATM's keypad, or via an interactive interface,” Josh Grunzweig, security researcher at Trustwave, told SCMagazine.com on Tuesday. “Using specific key sequences on the keypad, the attackers are able to actively dispense money on the machine.”

Attackers can reach the interactive interface by entering a unique sequence of keystrokes, Grunzweig said, adding that in both methods, entering an activation code causes the Ploutus malware to interact directly with the ATM software and dispense cash.

Grunzweig speculated that the malware originated in Mexico because attackers picked locks on the ATMs to gain access to the machine's CD-ROM drive, which was used to physically install the Ploutus malware. The malware also uses the Spanish language.

“To my knowledge, Ploutus has only been identified within Mexico,” Grunzweig said. “This is certainly an attack that could impact ATMs in the U.S., or anywhere else for that matter. While Ploutus itself may not work on a particular brand of ATM, it doesn't mean that someone out there is writing a variant to do just that.”

To help defend against this kind of attack, Grunzweig suggests that ATM operators place greater physical protections on the machines. He said that anti-virus signatures exist for the Ploutus malware family, so ATM owners should update their signatures.

“I believe this threat to be quite serious, simply for the fact that it provided the attackers with direct access to physical money,” Grunzweig said. “There was no need to steal someone's identity, clone their debit card or perform other actions commonly associated with financial theft. They simply had to get a disk inserted in an ATM, press a few buttons and they were on their way with as much cash as they'd like.”
