Crooks steal money from ATMs using USB drives, experts weigh in


ATMs (automated teller machines) around the world that are still running Windows XP – which reaches end of support in April – are vulnerable to malware being loaded on machines via USB drives, a couple of German researchers revealed at the annual Chaos Communication Congress on Friday.

The researchers, who wished to remain anonymous, demonstrated how criminals store malware on thumb drives, cut out portions of the ATM machines that conceal the USB ports, upload the malware to the machine, cover up the hole in the ATM body and then proceed to extract as much cash as they want after rewriting the operating system's registry, according to a article.

The researchers explained that the malware forces a system reboot in order to rewrite the registry, and that criminals will wait until the ATMs are restocked with cash before taking action, the article said. Researchers reconstructed the malware from samples they discovered in the wild.

Uploading malware to ATMs is nothing new. In October, researchers learned of a piece of Spanish-language malware, known as Ploutus, being uploaded through the CD-ROM drive to ATM machines in Mexico. A few weeks later, different researchers discovered an English-language variant making the rounds.

Aviv Raff, the CTO at Seculert, who has studied financial malware, told on Tuesday that this malware does not appear to be Ploutus. “I believe this is a tailored malware, created by someone who had access to these kinds of ATMs in the past,” he said.

But other experts see traces. Ryan Linn, a managing consultant with information security company Trustwave, told on Tuesday that this most recent malware has many similarities to Ploutus. Trustwave released research on Ploutus when the malware first started gaining momentum

“Both pieces of malware facilitate the extraction of cash from the ATM,” Linn said. “The sample presented at the [Chaos Communication Congress] has some additional protection, such as two-factor authentication, before cash can be withdrawn by an attacker, so it appears to be more sophisticated than some of the malware previously seen.”

Linn also explained that criminals going after cash find it much more beneficial to go straight to the source, and that increasingly sophisticated attacks against ATMs underscore an ever-evolving change of approach for crooks. 

Raff added, “If there are still ATM machines out there which are using Windows XP, there are probably criminals quietly abusing this for a long time."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.