Criminals Rob ATMs with Text Messages

A diagram of how Ploutus works. Credit: Symantec.

At least one brand of ATM can be robbed by sending the machine a text message, then walking up and collecting the ejected cash.

It's not quite as simple as it sounds. The ATMs, which in this case are actually Windows PCs, need to be running Windows XP and need to be infected with a Trojan called "Backdoor.Ploutus.B" or simply "Ploutus," which can only be installed by loading a CD into the ATM's optical-disk reader.


Criminals also have to open the plastic cowling covering the ATM's innards to access the computer. But they don't have to crack into the ATM's safe, where the money is held.

Once the malware is installed, the ATM also has to be hooked up to a mobile phone via a USB port, as Symantec reports on its blog. But if you can complete these two steps without anyone finding out, you can then command the infected ATM to spit out cash just by texting a message to the attached mobile phone.

When the mobile phone receives a properly phrased text message, it translates the text into a network packet and sends it to the ATM. Ploutus then transforms the packets into command-line instructions.

"It may seem incredible, but this technique is being used in a number of places across the world at this time," Symantec's Daniel Regalado wrote on his company blog.

As Regalado pointed out, this setup means the criminals only have to tell their "money mules" which ATMs to go to in order to collect the discharged money. All the other information — the necessary code, the contents of the text message, the amount of money to be output and the time of the output — stays in the cybercriminals' sole control.

The setup could last indefinitely too: Because the phone is connected to the ATM, it is constantly recharging and never runs out of power.

Symantec first identified Ploutus in Mexico back in October 2013, when the malware had to be controlled from a computer keyboard plugged into the ATM's hidden guts.

Ploutus apparently only affects a single brand of ATM, but Symantec has not released the brand name. It did note that the Trojan, originally written in Spanish, now has an English-language variant, suggesting that the criminals behind it might hope to expand their operation.

Because the criminals need time to tamper with an ATM to set this up, a good old security camera is probably the best line of defense against Ploutus.

In his blog posting, Regalado notes that on April 8, Microsoft will end all support and security patches for Windows XP -- the so-called "XPocalypse."

"ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP," Regalado wrote. "The banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet."

The reality may not be that dire. Most ATMs running XP actually run a stripped-down version called Windows XP Embedded, which Microsoft will support until December 2016. Most ATMs are not connected to the Internet and are at minimal risk of network-based attacks. And most non-bank ATMs, such as you'd find in a convenience store, run something other than Windows.

What is indisputable is, as Regalado wrote, that "cybercriminals are targeting ATMs with increasingly sophisticated techniques." But that would be true no matter which operating system an ATM runs.

Email or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.

  • Where do you get your information from? "ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP," Regalado wrote. I spent 8 years installing and repairing ATMs and NONE of them ran Windows XP or Windows XP Embedded. Granted, I only worked on NCR, Triton, and Wincor Nixdorf. The Tritons ran their own proprietary OS, NCR ran OS/2 Warp, and when I got out of the industry (5 years ago) a highly customized version of NT4, and Wincor also had an NT4-based OS. Lots of these ATMs are connected via dedicated MPLS circuits to the financial networks, and hacking into those, while possible, would still be quite a feat. The only real "damage" the guys can do would be to override the dispenser to dish out cash. I've only ever known of 1 machine to go completely bonkers, and that was back in 2003 in northern Alberta where an NCR machine just lost its mind and started dishing out bills through the dispenser. Good thing it was one of the branch staff that was making the transaction at the time, and they called me directly.
  • Even some of the ATM's use xp? O noez, people are more ignorant than i thought.