A newly detected malware variant allows cyber-criminals to control infected ATMs via remote text message
The technique targets a particular brand of ATM that Symantec didn’t identify, but the company warned that such techniques are part of a wider problem: the fact that almost 95 percent of ATMs continue to run on Windows XP, an operating system for which Microsoft is phasing out technical support. The fact that these machines are often deployed in remote locations increases their vulnerability, according to Symantec.
The new technique builds upon a previously reported piece of malware called Backdoor.Ploutus, which was controlled via an external keyboard. That method, detected in Mexico, posed a number of problems for attackers, however, not least that the attack was obvious to passers-by.
The new variant dispenses with the need for a keyboard: instead, the attacker attaches a mobile phone directly to the computer controlling the ATM, and it’s this mobile phone – connected via a USB cable that also keeps the phone’s battery charged – that triggers the ATM to dispense cash.
Using Ploutus, the “mastermind” of the scheme is the only one who knows a secret sequence of numbers that controls the infected system. With the keyboard method, the mastermind was obliged to provide this code to the “money mule” responsible for withdrawing the cash, which meant this mule could potentially defraud his employer.
The new technique dispenses with this necessity: instead, the mastermind sends the control code to the infected system via SMS just as the mule is approaching the ATM, and the mule merely accepts the cash that is dispensed.
“The master criminal knows exactly how much the money mule will be getting and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash,” wrote Symantec malware analyst Daniel Regalado in a Monday blog post. “The master criminal and money mule can synchronise their actions so that the money is issued just as the money mule pretends to withdraw cash or is walking past the ATM.”
This variant is currently being actively exploited, and exists in an English translation, which suggests exploitation has spread to English-speaking countries, according to Regalado.
“It may seem incredible but this technique is being used in a number of places across the world at this time,” he wrote.
Symantec said it was able to replicate the attack with a real ATM in its labs. The company has also detected other techniques targeting Windows XP-based ATMs, which steal customers’ card data or attempt man-in-the-middle attacks, according to Regalado.
The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system.
“With all these measures in place, attackers would find it much harder to compromise an ATM without a complicit insider,” Regalado wrote.