Mexican cybercrooks are targeting bank ATMs with malware that can be activated by an SMS message, forcing compromised cash machines to spew out cash.
The attack is a refinement of previous assaults using the Ploutus backdoor strain of malware, and it makes robbing cash machines even easier for local banditos, according to net security firm Symantec:
In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor-Ploutus.
Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries.
The new variant was identified as Backdoor-Ploutus-B.
What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time.
The scam relies on remotely controlling the ATM through a mobile phone connected to the computer inside the cash machine. This is not as difficult as it might seem at first, and it doesn't entail breaking into the machine's cash safe, Symantec researcher Daniel Regalado explains.
There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).
The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, full two-way connectivity is established and the phone is ready to be used.
Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.
Once setup is complete, crooks can send SMS command messages to the target phone: the first activates the malicious code, and a second triggers it to dispense cash, which is collected by a money mule working for the gang behind the scam. The phone converts each message into a network packet and forwards it to the ATM over the USB cable.
"The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM," Symantec explains. "As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number '5449610000583686' at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus."
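As an added illustration of the check Symantec describes above (this is not Symantec's code, nor the malware's), the following Python sketches the detection side of that behaviour: pull the TCP or UDP payload out of raw IPv4 packets and look for the marker followed by 16 digits. Because the article does not say which "specific offset" the NPM inspects, the detector scans the whole payload. The sample packets, addresses and ports are constructed for the example.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Marker quoted in Symantec's write-up: Ploutus.B's packet monitor looks for it at a
# fixed offset and treats the next 16 digits as its command. The offset is not given
# in the article, so this detector (illustrative code, not Symantec's or the malware's)
# searches the whole transport payload instead.
PLOUTUS_MARKER = b"5449610000583686"
COMMAND_DIGITS = 16
_PATTERN = re.compile(re.escape(PLOUTUS_MARKER) + rb"(\d{%d})" % COMMAND_DIGITS)


@dataclass(frozen=True)
class PloutusHit:
    packet_index: int   # position of the packet in the captured sequence
    offset: int         # byte offset of the marker inside the transport payload
    command: str        # the 16 digits that follow the marker


def l4_payload(pkt: bytes) -> Optional[bytes]:
    """Return the TCP or UDP payload of a raw IPv4 packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return None                      # truncated or malformed IPv4 header
    proto, l4 = pkt[9], pkt[ihl:total_len]
    if proto == 17:                      # UDP: fixed 8-byte header
        return l4[8:] if len(l4) >= 8 else None
    if proto == 6:                       # TCP: header length comes from the data-offset nibble
        if len(l4) < 20:
            return None
        doff = (l4[12] >> 4) * 4
        return l4[doff:] if 20 <= doff <= len(l4) else None
    return None                          # the NPM only acts on TCP/UDP, so ignore the rest


def find_ploutus_command(payload: bytes) -> Optional[Tuple[int, str]]:
    """Marker offset and the 16-digit command following it, or None if absent or truncated."""
    m = _PATTERN.search(payload)
    return None if m is None else (m.start(), m.group(1).decode("ascii"))


def scan_packets(packets: List[bytes]) -> List[PloutusHit]:
    """Apply the check to every packet in a capture; packets without a hit are dropped."""
    hits = []
    for idx, pkt in enumerate(packets):
        payload = l4_payload(pkt)
        if payload is None:
            continue
        found = find_ploutus_command(payload)
        if found is not None:
            hits.append(PloutusHit(idx, *found))
    return hits


# --- constructed sample traffic (not a real capture); addresses are assumed tethering
# --- addresses and checksums are left zero, which this parser does not verify.
def _ipv4(proto: int, l4: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes([192, 168, 42, 2]), bytes([192, 168, 42, 1])) + l4

def _udp(payload: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, 9999, 8 + len(payload), 0) + payload

def _tcp(payload: bytes) -> bytes:   # 20-byte header, data offset 5, PSH|ACK
    return struct.pack("!HHIIBBHHH", 40000, 9999, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

SAMPLE_TRAFFIC = [
    _ipv4(17, _udp(b"\x00" * 7 + PLOUTUS_MARKER + b"1234567890123456" + b"\x00" * 3)),  # hit
    _ipv4(6, _tcp(PLOUTUS_MARKER + b"12345")),               # marker but too few digits: no hit
    _ipv4(6, _tcp(b"GET / HTTP/1.1\r\nHost: atm\r\n\r\n")),  # benign traffic
    _ipv4(1, b"\x08\x00\xf7\xff\x00\x00\x00\x00"),           # ICMP echo: not TCP/UDP, skipped
]

if __name__ == "__main__":
    for hit in scan_packets(SAMPLE_TRAFFIC):
        print(f"packet {hit.packet_index}: Ploutus marker at offset {hit.offset}, command {hit.command}")
```

The second sample packet carries the marker but only five digits after it, so it is deliberately not flagged; a real signature on the tethering interface would want to alert on the bare marker as well, since nothing legitimate on an ATM should be sending it.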
Previous versions of the malware relied on the masterminds behind the scheme passing the necessary activation code to their underlings. The latest version of Ploutus removes this requirement, limiting the possibility that humble money mules could defraud the masterminds. The new approach is also more discreet: crooks no longer have to type long code strings into compromised machines or wait around for the cash to be dispensed. The amount of cash dispensed is pre-configured inside the malware.
Symantec was able to replicate the attack in its lab with a real ATM that had been infected with Ploutus before putting together a short video illustrating the exploit process.
Symantec warns that Ploutus is far from the only strain of malware geared towards knocking off ATMs. "In the case of Ploutus, the attackers are trying to steal the cash from inside the ATM; however, some malware we have analyzed attempts to steal the customers' card information and PIN while other malicious software lets criminals attempt man-in-the-middle attacks," Symantec's Regalado adds.
Symantec explains that the problem is only going to get worse, especially for older cash machines still running the end-of-life Windows XP.
"Modern ATMs have enhanced security features, such as encrypted hard-drives, which can prevent these types of installation techniques," the researcher concludes. "However, for older ATMs still running on Windows XP, protecting against these types of attacks is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. Another difficulty that needs to be addressed is the physical security of the computer inside the ATMs. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has the upper hand."
The security firm's blog post concludes with a list of security measures to guard against this kind of fraud. But the risk of ATM compromise can never be removed entirely, because there is always the possibility that crooks will be able to take advantage of complicit insiders, the security firm adds. ®