New malware enables attackers to take money directly from ATMs


Skimmers were long considered the chief threat to ATMs, but that may be changing now that security researchers have discovered a piece of malware, known as Ploutus, that has been infecting cash machines in Mexico.

Russian security firm Safensoft made the discovery in late September, and last week, after doing a bit of poking and prodding of its own, information security company Trustwave released its findings.

“Ploutus allows attackers to directly interact with the victimized ATM via either the ATM's keypad, or via an interactive interface,” Josh Grunzweig, security researcher at Trustwave, told SCMagazine.com on Tuesday. “Using specific key sequences on the keypad, the attackers are able to actively dispense money on the machine.”

Attackers can reach the interactive interface by entering a unique sequence of keystrokes, Grunzweig said, adding that in both methods, entering an activation code causes Ploutus to interact directly with the ATM software and dispense cash.

Grunzweig speculated that the malware originated in Mexico, noting that it uses Spanish-language text and that the attackers had hands-on access to the machines: they picked locks on the ATMs to reach the CD-ROM drive, which was used to physically install the Ploutus malware.

“To my knowledge, Ploutus has only been identified within Mexico,” Grunzweig said. “This is certainly an attack that could impact ATMs in the U.S., or anywhere else for that matter. While Ploutus itself may not work on a particular brand of ATM, it doesn't mean that someone out there is writing a variant to do just that.”

To help defend against this kind of attack, Grunzweig suggests that ATM operators place stronger physical protections on the machines. He said that anti-virus signatures exist for the Ploutus malware family, so ATM owners should make sure their signatures are up to date.

“I believe this threat to be quite serious, simply for the fact that it provided the attackers with direct access to physical money,” Grunzweig said. “There was no need to steal someone's identity, clone their debit card or perform other actions commonly associated with financial theft. They simply had to get a disk inserted in an ATM, press a few buttons and they were on their way with as much cash as they'd like.”
