Hacking ATMs by texting messages: A possibility indeed

BANGALORE, INDIAMicrosoft is all set to end its support for Windows XP in April which can be set back to banks as hundreds of ATMs still run on the XP, thus making them vulnerable for cyber attacks.

A Symantec blog by Daniel Regalado which explains the possible attack vectors says: In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor.Ploutus. Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture.

The blog post explains that the new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries. The new variant was identified as Backdoor.Ploutus.B (referred to as Ploutus throughout this blog).

What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time, according to Regalado.

Excerpts from Symantec blog:

Connecting a mobile phone to the ATM

The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM. There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.

Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Sending SMS messages to the ATM

After the mobile phone is connected to the ATM and set up is completed, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable.

The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM. As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number "5449610000583686" at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus. An example of such a command is shown below:

cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985

In previous versions of Ploutus, the master criminal would have to share these digits with the money mule, which could allow the money mule to defraud the master criminal if they realize what the code allows them to do. In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal added security and the ability to centrally control cash withdrawals. The code is active for 24 hours.

Using SMS messages to remotely control the ATM is a much more convenient method for all of the parties in this scheme, because it is discrete and works almost instantly. The master criminal knows exactly how much the money mule will be getting and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash. The master criminal and money mule can synchronize their actions so that the money is issued just as the money mule pretends to withdraw cash or is walking past the ATM.

Putting it all together

Now that we have looked into the details of how this scheme works, here's an overview of how it all fits together.

Figure 2. Ploutus ATM attack overview

Process overview

• The attacker installs Ploutus on the ATM and connects a mobile phone to the machine with a USB cable.

• The controller sends two SMS messages to the mobile phone inside the ATM.

• SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.

• SMS 2 must contain a valid dispense command to get the money out.

• The phone detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.

• In the ATM, the network packet monitor module receives the TCP/UDP packet and if it contains a valid command, it will execute Ploutus.

• Ploutus causes the ATM to spew out the cash. The amount of cash dispensed is pre-configured inside the malware.

• The cash is collected from the ATM by the money mule.

We were able to replicate this attack in our lab with a real ATM infected with Ploutus, so we can show you this attack in action in our short video.

While in this demonstration, we are using the Ploutus malware, Symantec Security Response has found several different forms of malware that are targeting ATMs. In the case of Ploutus, the attackers are trying to steal the cash from inside the ATM; however, some malware we have analyzed attempts to steal the customers' card information and PIN while other malicious software lets criminals attempt man-in-the-middle attacks. Clearly, attackers have different ideas on how best to make money from an ATM.