Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

ATM Hackers Turn to Text Messages to Pull Bank Heists

Cybercriminals may be texting their way past bank security. 

According to Symantec, a new variant of ATM malware discovered in 2013 has been updated to allow hackers to withdraw cash using SMS messages. 

Cybercriminals may be texting their way past bank security. 

According to Symantec, a new variant of ATM malware discovered in 2013 has been updated to allow hackers to withdraw cash using SMS messages. 

“It may seem incredible but this technique is being used in a number of places across the world at this time,” blogged Symantec researcher Daniel Regalado.

The malware, known as Ploutus, first surfaced last year in Mexico. At the time, the malware enabled attackers armed with an external keyboard to make illegal withdrawals from ATM machines. In the ensuing weeks however, a new variant appeared with an evolved architecture.

“The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM,” Regalado explained. “There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).”

“The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus,” he added. “Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.  Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.”

Once the mobile phone is connected to the ATM, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the phone will convert the message into a network packet and forward it to the ATM through the USB cable, the researcher wrote.

“The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM,” he blogged. “As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.”

Banks looking to stop these cyber-heists have a number of options, including locking down the BIOS to prevent booting from unauthorized media such as CD ROMs or USB sticks and upgrading to newer versions of Windows.

“While the ATM’s money is locked inside a safe, the computer generally is not,” Regalado blogged. “Without adequate physical security for these older ATMs, the attacker has the upper hand.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.