Cybercriminals may be texting their way past bank security.
According to Symantec, a new variant of ATM malware discovered in 2013 has been updated to allow hackers to withdraw cash using SMS messages.
“It may seem incredible but this technique is being used in a number of places across the world at this time,” blogged Symantec researcher Daniel Regalado.
The malware, known as Ploutus, first surfaced last year in Mexico. At the time, the malware enabled attackers armed with an external keyboard to make illegal withdrawals from ATM machines. In the ensuing weeks however, a new variant appeared with an evolved architecture.
“The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM,” Regalado explained. “There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).”
“The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus,” he added. “Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used. Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.”
Once the mobile phone is connected to the ATM, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the phone will convert the message into a network packet and forward it to the ATM through the USB cable, the researcher wrote.
“The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM,” he blogged. “As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.”
Banks looking to stop these cyber-heists have a number of options, including locking down the BIOS to prevent booting from unauthorized media such as CD ROMs or USB sticks and upgrading to newer versions of Windows.
“While the ATM’s money is locked inside a safe, the computer generally is not,” Regalado blogged. “Without adequate physical security for these older ATMs, the attacker has the upper hand.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
