Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

ATM Hackers Turn to Text Messages to Pull Bank Heists

Cybercriminals may be texting their way past bank security. 

According to Symantec, a new variant of ATM malware discovered in 2013 has been updated to allow hackers to withdraw cash using SMS messages. 

Cybercriminals may be texting their way past bank security. 

According to Symantec, a new variant of ATM malware discovered in 2013 has been updated to allow hackers to withdraw cash using SMS messages. 

“It may seem incredible but this technique is being used in a number of places across the world at this time,” blogged Symantec researcher Daniel Regalado.

The malware, known as Ploutus, first surfaced last year in Mexico. At the time, the malware enabled attackers armed with an external keyboard to make illegal withdrawals from ATM machines. In the ensuing weeks however, a new variant appeared with an evolved architecture.

“The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM,” Regalado explained. “There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).”

“The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus,” he added. “Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.  Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.”

Once the mobile phone is connected to the ATM, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the phone will convert the message into a network packet and forward it to the ATM through the USB cable, the researcher wrote.

“The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM,” he blogged. “As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.”

Advertisement. Scroll to continue reading.

Banks looking to stop these cyber-heists have a number of options, including locking down the BIOS to prevent booting from unauthorized media such as CD ROMs or USB sticks and upgrading to newer versions of Windows.

“While the ATM’s money is locked inside a safe, the computer generally is not,” Regalado blogged. “Without adequate physical security for these older ATMs, the attacker has the upper hand.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.