Security company Symantec has called on banks to upgrade cash machines running on Windows XP, as details emerge of weaknesses that allow hackers to withdraw cash simply by sending an SMS to compromised ATMs.
According to Symantec, Windows XP is the OS behind 95% of ATMs and is being targeted by increasingly sophisticated attacks that use a mobile phone to gain access to cash points and force them to dispense money to mules working for criminal gangs.
"With the looming end-of-life for Windows XP slated for 8 April, the banking industry is facing a serious risk of cyber-attacks aimed at their ATM fleet," said Daniel Regalado, a Symantec malware analyst, in a blog post.
"This risk is not hypothetical — it is already happening. Cybercriminals are targeting ATMs with increasingly sophisticated techniques."
The threat first emerged as malware known as Backdoor.Ploutus in South America late last year, but according to Symantec the hackers have developed the tool with English-language versions and a modular architecture that makes it more flexible.
Effectively, Ploutus allows cybercriminals to send a text message to an infected cash machine, then walk up and retrieve the money that's ejected. "It may seem incredible but this technique is being used in a number of places across the world at this time," said Regalado.
Hardwired
However, while this mobile bank job is already in progress, the raiders need more than a mobile phone number for the targeted ATM.
The criminals first need to install a mobile phone within the ATM, often using USB tethering to both access the ATM and keep the phone charged.
Once installed, the phone acts as a packet sniffer and detects messages sent in a specific format, before converting them into network packets that it forwards to the ATM via the USB cable.
Improvements to the malware mean the codes that prompt withdrawals are now automated, so the money mule no longer needs to be trusted with malware access codes.
"Using SMS messages to remotely control the ATM is a much more convenient method for all of the parties in this scheme, because it is discreet and works almost instantly," said Regalado. "The criminal knows exactly how much the money mule will be getting and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash."