Cybercriminals may be texting their way past bank security.
According to Symantec, a new variant of ATM malware discovered in 2013 has been updated to allow hackers to withdraw cash using SMS messages.
“It may seem incredible but this technique is being used in a number of places across the world at this time,” blogged Symantec researcher Daniel Regalado.
The malware, known as Ploutus, first surfaced last year in Mexico. At the time, the malware enabled attackers armed with an external keyboard to make illegal withdrawals from ATM machines. In the ensuing weeks however, a new variant appeared with an evolved architecture.
“The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM,” Regalado explained. “There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).”
“The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus,” he added. “Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used. Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.”
Once the mobile phone is connected to the ATM, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the phone will convert the message into a network packet and forward it to the ATM through the USB cable, the researcher wrote.
“The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM,” he blogged. “As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.”
Banks looking to stop these cyber-heists have a number of options, including locking down the BIOS to prevent booting from unauthorized media such as CD ROMs or USB sticks and upgrading to newer versions of Windows.
“While the ATM’s money is locked inside a safe, the computer generally is not,” Regalado blogged. “Without adequate physical security for these older ATMs, the attacker has the upper hand.”
