Sign in with
Sign up | Sign in

Criminals Rob ATMs with Text Messages

By - Source: Tom's Guide US | B 9 comments
Tags :

A diagram of how Ploutus works. Credit: Symantec.A diagram of how Ploutus works. Credit: Symantec.

At least one brand of ATM can be robbed by sending the machine a text message, then walking up and collecting the ejected cash.

It's not quite as simple as it sounds. The ATMs, which in this case are actually Windows PCs, need to be running Windows XP and need to be infected with a Trojan called "Backdoor.Ploutus.B" or simply "Ploutus," which can only be installed by loading a CD into the ATM's optical-disk reader.

MORE: 13 Security and Privacy Tips for the Paranoid

Criminals also have to open the plastic cowling covering the ATM's innards to access the computer. But they don't have to crack into the ATM's safe, where the money is held.

Once the malware is installed, the ATM also has to be hooked up to a mobile phone via a USB port, as Symantec reports on its blog.  But if you can complete these two steps without anyone finding out, you can then command the infected ATM to spit out cash just by texting a message to the attached mobile phone.

When the mobile phone receives a properly phrased text message, it then translates the text into a network packet and send it to the ATM. Ploutus then transforms the packets into command-line instructions.

"It may seem incredible, but this technique is being used in a number of places across the world at this time," Symantec's Daniel Regalado wrote on his company blog.

As Regalado pointed out, this setup means the criminals only have to tell their "money mules" which ATMs to go in order to get the discharged money. All the other information — the necessary code, the contents of the text message, the amount of money to be output and the time of the output — stay in the cybercriminals' sole control.

The setup could last indefinitely too: Because the phone is connected to the ATM, it is constantly recharging and never runs out of power.

Symantec first identified Ploutus in Mexico back in October 2013, when the malware had to be controlled from a computer keyboard plugged into the ATM's hidden guts. 

Ploutus apparently only affects a single brand of ATM, but Symantec has not released the brand name. It did note that the Trojan, originally written in Spanish, now has an English-language variant, suggesting that the criminals behind it might hope to expand their operation.

Because the criminals need time to tamper with an ATM to set this up, a good old security camera is probably the best line of defense against Ploutus. 

In his blog posting, Regalado notes that on April 8, Microsoft will end all support and security patches for Windows XP -- the so-called "XPocalypse."

"ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP," Regalado wrote. "The banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet."

The reality may not be that dire. Most ATMs running XP actually run a stripped-down version called Windows XP Embedded, which Microsoft will support until December 2016. Most ATMs are not connected to the Internet and are at minimal risk of network-based attacks. And most non-bank ATMs, such as you'd find in a convenience store, run something other than Windows.

What is indisputable is, as Regalado wrote, that "cybercriminals are targeting ATMs with increasingly sophisticated techniques." But that would true no matter which operating system an ATM runs.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 0 Hide
    Rhinofart , March 26, 2014 11:37 AM
    Where do you get your information from? "ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP," Regalado wroteI spent 8 years installing, and repairing ATMs and NONE of them ran Windows XP, or Windows XP Embedded. Granted, I only worked on NCR, Triton, and Wincor Nixdorf. The Tritons ran their own propriatary OS, NCR ran OS2/Warp, and when I got out of the industry a highly customized version of NT4 (5 years ago), and Wincor also had an NT4 based OS. Lots of these ATMs are connected via dedicated MPLS circuits to the Financial Networks, and hacking into those while possible, would still be quite a feat. The only real "damage" the guys can do would be to override the dispenser to disk out cash. I've only ever known of 1 machine to go completly bonkers, and that was back in 2003 in northern Alberta where an NCR machine just lost it's mind, and started dishing out bills through the dispenser. Good thing it was one of the branch staff that was making the transaction at the time, and they called me directly.
  • 0 Hide
    coolitic , March 26, 2014 12:19 PM
    Even some of the ATM's use xp? O noez, people are more ignorant than i thought.
  • 0 Hide
    coolitic , March 26, 2014 12:19 PM
    Even some of the ATM's use xp? O noez, people are more ignorant than i thought.
  • Display all 9 comments.
  • 0 Hide
    knowom , March 26, 2014 12:41 PM
    Story about nothing not our problem it's the banks problems and like the article mentions a simple security cam is the best line of defense and what ATM doesn't have one of those around?
  • 0 Hide
    cracklint , March 26, 2014 1:20 PM
    went on a sunday morning to get some cash from my local atm and caught it in the middle of an update. it was wild because my atm screen was indeed running xp. noticed over the last few weeks the interface was changed . and the machine responds and processes my transaction much faster. No doubt they have updated there OS . Most likely in lieu of these exploits
  • 0 Hide
    rwinches , March 26, 2014 1:31 PM
    @rinofart NCR stated that they have XP running on hundreds of thousands of their ATMs worldwide. Yes many commercial machines are using embedded versions and are not on the internet. XP Win 7 and 8 are all versions of NT Win 8 is Ver 6.2 Build 9200
  • 0 Hide
    rwinches , March 26, 2014 1:34 PM
    Plenty of ATMs are installed in independent stores that have no cameras, we're talking worldwide here.
  • 0 Hide
    ferooxidan , March 26, 2014 3:12 PM
    still lots of guy didn't know that lots ATM use XP? wow, it's nice to be young
  • 0 Hide
    w8gaming , March 26, 2014 11:20 PM
    Have seen a ATM being "serviced" and catch the OS is Windows XP as well. Most likely some of the vendors who provide the ATM infrastructure has coded their software to be run on XP and sold it to the banking sector. The same vendor is in the nice position to make a lot of cash now that Microsoft is helping them to encourage their clients to "upgrade".
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter