Windows XP ATMs being hacked by a simple SMS: Symantec
Cybercriminals have already found a way to compromise ATMs running Windows XP and make them dispense cash without a card. The attacks could continue, and will, after Microsoft ends Windows XP support on April 8.
Daniel Regalado, Symantec Security Response, said that, “In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor.Ploutus. Some weeks later, we discovered a new variant, which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries. The new variant was identified as Backdoor.Ploutus.B.”
“What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time,” he added.
How the hack is done:
- The attacker installs Ploutus on the ATM and connects a mobile phone to the machine with a USB cable.
- The controller sends two SMS messages to the mobile phone inside the ATM.
- SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.
- SMS 2 must contain a valid dispense command to get the money out.
- The phone detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.
- In the ATM, the network packet monitor module receives the TCP/UDP packet and if it contains a valid command, it will execute Ploutus.
- Ploutus causes the ATM to spew out the cash. The amount of cash dispensed is pre-configured inside the malware.
- The cash is collected from the ATM by the money mule.
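The chain above depends on two things a defender can observe on the ATM host: a phone attached over USB and a new process listening for TCP/UDP packets. An ATM image has a small, fixed set of services, so comparing a snapshot against a known-good baseline is a high-fidelity check. The following is an added example written for this article, not code from Symantec or from the malware analysis: the baseline inventory, the process names, the port numbers and the snapshot lines are all hypothetical or constructed, and the socket lines use a simplified `PROTO LOCAL STATE PID PROCESS` layout rather than real `netstat` output.

```python
"""Baseline audit for an ATM host: flag listening sockets and USB devices
that are not in the known-good inventory.

Added example. The inventory and snapshot data below are constructed and
hypothetical; the line format is a simplified stand-in for a socket listing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str      # "TCP" or "UDP"
    port: int
    process: str


# Hypothetical known-good inventory for this ATM image (assumed, not from the article).
BASELINE_LISTENERS = {
    Listener("TCP", 443, "atmapp.exe"),
    Listener("TCP", 3389, "svchost.exe"),
    Listener("UDP", 137, "System"),
}
BASELINE_USB = {"Generic USB Hub", "USB Card Reader", "USB Receipt Printer"}

# Constructed snapshot: one unexpected TCP listener and one unexpected USB device.
SNAPSHOT_LISTENERS = [
    "TCP 0.0.0.0:443 LISTENING 1234 atmapp.exe",
    "TCP 0.0.0.0:3389 LISTENING 880 svchost.exe",
    "UDP 0.0.0.0:137 - 4 System",
    "TCP 0.0.0.0:5000 LISTENING 2044 unknown_svc.exe",   # constructed, not in baseline
    "TCP 127.0.0.1:443 ESTABLISHED 1234 atmapp.exe",    # client socket, not a listener
]
SNAPSHOT_USB = ["Generic USB Hub", "USB Card Reader", "USB Receipt Printer", "Android Phone"]


def parse_listeners(lines):
    """Parse 'PROTO LOCAL STATE PID PROCESS' lines into Listener records.

    TCP sockets count only when in LISTENING state; UDP sockets are
    connectionless, so every bound UDP port is treated as a listener.
    """
    found = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, state, _pid, process = parts
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])
        found.add(Listener(proto, port, process))
    return found


def unexpected_listeners(lines):
    """Listeners present in the snapshot but absent from the baseline."""
    extra = parse_listeners(lines) - BASELINE_LISTENERS
    return sorted(extra, key=lambda l: (l.proto, l.port, l.process))


def unexpected_usb(devices):
    """USB device descriptions not in the approved peripheral inventory."""
    return sorted(set(devices) - BASELINE_USB)


def audit(listener_lines, usb_devices):
    """Return human-readable findings; an empty list means the host matches baseline."""
    findings = []
    for l in unexpected_listeners(listener_lines):
        findings.append(f"unexpected {l.proto} listener on port {l.port} by {l.process}")
    for d in unexpected_usb(usb_devices):
        findings.append(f"unexpected USB device attached: {d}")
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOT_LISTENERS, SNAPSHOT_USB):
        print(finding)
```

In practice the snapshot would be collected by a scheduled job on each ATM and the baseline derived from a clean image; the value of the check is that the baseline is tiny and static, so any new listener or peripheral is worth an alert rather than a statistical score.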
Symantec was able to replicate the attack in its labs on a real ATM infected with the malware. Below is a video of the demonstration.
Daniel further added, “Modern ATMs have enhanced security features, such as encrypted hard-drives, which can prevent these types of installation techniques. However, for older ATMs still running on Windows XP, protecting against these types of attacks is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. Another difficulty that needs to be addressed is the physical security of the computer inside the ATMs. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has the upper hand.”