26 Mar 2014

Almost 95% of ATMs are on Windows XP: Hackers already attacking some of these ATMs for cash

Using text messages, a group of cyber criminals has figured out how to make a certain type of ATM running Windows XP spew cash. Symantec has reported on a piece of malicious software it calls “Ploutus”, which is installed by someone with access to the machine. Previous versions of the software required the criminal to use the keypad on the machine or connect a keyboard. With the latest version, criminals can control the ATM via text message, which is much more convenient and discreet. Symantec, in a blog post written yesterday, outlines the process:
  1. The attacker installs Ploutus on the ATM and connects a mobile phone to the machine with a USB cable.
  2. The controller sends two SMS messages to the mobile phone connected to the ATM.
  3. SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.
  4. SMS 2 must contain a valid dispense command to get the money out.
  5. The phone detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.
  6. In the ATM, the network packet monitor module receives the TCP/UDP packet and if it contains a valid command, it will execute Ploutus.
  7. Ploutus causes the ATM to spew out the cash. The amount of cash dispensed is pre-configured inside the malware.
  8. The cash is collected from the ATM by the money mule.
Security problems like these are the kind that will no longer be reviewed or supported once XP reaches end of life.
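
The chain in steps 1, 5 and 6 leaves traces a defender can watch for: an unexpected USB device, traffic arriving through it, and a dispense with no bank transaction behind it. The sketch below is an added example, not code from Symantec or from this post; it correlates those three signals over constructed telemetry, and the record format, field names, device allowlist and time window are all assumptions.

```python
# Added example: correlate ATM endpoint telemetry for the Ploutus-style chain.
# Record format, field names, allowlist and window are assumptions.
APPROVED_USB = {"card-reader", "receipt-printer", "pin-pad"}
WINDOW = 600  # seconds between USB-borne traffic and a dispense

# Constructed sample events ("t" is seconds since start of capture).
EVENTS = [
    {"t": 100, "kind": "usb_attach", "device": "card-reader", "iface": None},
    {"t": 150, "kind": "dispense", "txn_id": "T-0001"},
    {"t": 200, "kind": "usb_attach", "device": "unknown-handset", "iface": "usb0"},
    {"t": 230, "kind": "inbound", "iface": "eth0", "proto": "tcp"},
    {"t": 260, "kind": "inbound", "iface": "usb0", "proto": "udp"},
    {"t": 290, "kind": "inbound", "iface": "usb0", "proto": "tcp"},
    {"t": 300, "kind": "dispense", "txn_id": None},
]


def correlate(events, approved=APPROVED_USB, window=WINDOW):
    """Return (time, rule, detail) alerts in chronological order."""
    alerts = []
    rogue_ifaces = {}         # interface name -> unapproved device behind it
    last_rogue_packet = None  # time of latest packet seen on such an interface
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["kind"]
        if kind == "usb_attach" and ev["device"] not in approved:
            alerts.append((ev["t"], "unapproved-usb", ev["device"]))
            if ev.get("iface"):
                rogue_ifaces[ev["iface"]] = ev["device"]
        elif kind == "usb_detach":
            rogue_ifaces.pop(ev.get("iface"), None)
        elif kind == "inbound" and ev["iface"] in rogue_ifaces:
            alerts.append((ev["t"], "packet-via-usb-device",
                           f'{ev["proto"]}/{ev["iface"]}'))
            last_rogue_packet = ev["t"]
        elif kind == "dispense" and ev.get("txn_id") is None:
            # Cash left the machine with no host-authorised transaction.
            recent = (last_rogue_packet is not None
                      and ev["t"] - last_rogue_packet <= window)
            rule = ("dispense-after-usb-traffic" if recent
                    else "dispense-without-transaction")
            alerts.append((ev["t"], rule, "cash"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Each rule is useful alone, but the combination is what separates this chain from a technician plugging in a service device.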