Threat Management, Malware

New malware enables attackers to take money directly from ATMs

Skimmers were once thought to be the bane of the ATM compromising world, but the trends may end up shifting now that security researchers have discovered a piece of malware, known as Ploutus, which has been infecting money machines in Mexico.

Russian security firm Safensoft made the discovery late in September and last week, after doing a bit of poking and prodding, information security company Trustwave released its own findings.

“Ploutus allows attackers to directly interact with the victimized ATM via either the ATM's keypad, or via an interactive interface,” Josh Grunzweig, security researcher at Trustwave, told SCMagazine.com on Tuesday. “Using specific key sequences on the keypad, the attackers are able to actively dispense money on the machine.”

Attackers can access the interactive interface by using a unique sequence of keystrokes, Grunzweig said, adding that in both methods, entering an activation code will cause the Ploutus malware to interact directly with the ATM software to dispense cash.  

Grunzweig speculated that the malware originated in Mexico because attackers picked locks on the ATMs to gain access to the machine's CD-ROM drive, which was used to physically install the Ploutus malware. The malware also uses the Spanish language.

“To my knowledge, Ploutus has only been identified within Mexico,” Grunzweig said. “This is certainly an attack that could impact ATMs in the U.S., or anywhere else for that matter. While Ploutus itself may not work on a particular brand of ATM, it doesn't mean that someone out there is writing a variant to do just that.”

To help defend against this kind of attack, Grunzweig suggests ATM operators place greater physical protections on the machines. He said that there is anti-virus for the Ploutus malware family, so ATM owners should update their signatures.

“I believe this threat to be quite serious, simply for the fact that it provided the attackers with direct access to physical money,” Grunzweig said. “There was no need to steal someone's identity, clone their debit card or perform other actions commonly associated with financial theft. They simply had to get a disk inserted in an ATM, press a few buttons and they were on their way with as much cash as they'd like.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.