A diagram of how Ploutus works. Credit: Symantec.
At least one brand of ATM can be robbed by sending the machine a text message, then walking up and collecting the ejected cash.
It's not quite as simple as it sounds. The ATMs, which in this case are actually Windows PCs, need to be running Windows XP and need to be infected with a Trojan called "Backdoor.Ploutus.B" or simply "Ploutus," which can only be installed by loading a CD into the ATM's optical-disk reader.
Criminals also have to open the plastic cowling covering the ATM's innards to access the computer. But they don't have to crack into the ATM's safe, where the money is held.
Once the malware is installed, the ATM also has to be hooked up to a mobile phone via a USB port, as Symantec reports on its blog. But if you can complete these two steps without anyone finding out, you can then command the infected ATM to spit out cash just by texting a message to the attached mobile phone.
When the mobile phone receives a properly phrased text message, it translates the text into a network packet and sends it to the ATM. Ploutus then transforms the packets into command-line instructions.
"It may seem incredible, but this technique is being used in a number of places across the world at this time," Symantec's Daniel Regalado wrote on his company blog.
As Regalado pointed out, this setup means the criminals only have to tell their "money mules" which ATMs to go to in order to collect the discharged money. All the other information — the necessary code, the contents of the text message, the amount of money to be output and the time of the output — stays in the cybercriminals' sole control.
The setup could last indefinitely too: Because the phone is connected to the ATM, it is constantly recharging and never runs out of power.
Symantec first identified Ploutus in Mexico back in October 2013, when the malware had to be controlled from a computer keyboard plugged into the ATM's hidden guts.
Ploutus apparently only affects a single brand of ATM, but Symantec has not released the brand name. It did note that the Trojan, originally written in Spanish, now has an English-language variant, suggesting that the criminals behind it might hope to expand their operation.
Because the criminals need time to tamper with an ATM to set this up, a good old security camera is probably the best line of defense against Ploutus.
In his blog posting, Regalado notes that on April 8, Microsoft will end all support and security patches for Windows XP -- the so-called "XPocalypse."
"ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP," Regalado wrote. "The banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet."
The reality may not be that dire. Most ATMs running XP actually run a stripped-down version called Windows XP Embedded, which Microsoft will support until December 2016. Most ATMs are not connected to the Internet and are at minimal risk of network-based attacks. And most non-bank ATMs, such as you'd find in a convenience store, run something other than Windows.
What is indisputable is, as Regalado wrote, that "cybercriminals are targeting ATMs with increasingly sophisticated techniques." But that would be true no matter which operating system an ATM runs.