Thieves can now rob banks using just SMS? That’s right. Last year Mexico was hit with ATM malware that allowed criminals to dispense cash at will after they found a way to install it through the external optical CD-ROM drive. Using a keyboard, they controlled the OS to dispense money and disabled anti-virus security systems. Now an updated version of the malware is surfacing worldwide that uses a mobile device to take control.
Smartphones are a blessing, but at the same time they’re also extremely volatile instruments that can do massive harm to anyone and anything. One can certainly chuck a phone at someone like a brick and injure a person that way. However, for tech-savvy thieves, gadgets like smartphones have become useful tools for hacking into banking consoles (i.e. ATMs).
Late last year, security researchers at SafenSoft found that malware dubbed ‘Ploutus’ had emerged somewhere in Mexico, enabling would-be bank robbers to directly access ATMs to make illegal withdrawals. As with any other malware, it didn’t take long for crooks to re-engineer it and create a new variant. According to Symantec, the new Ploutus malware allows hackers to access an ATM’s computer and withdraw funds using just SMS messages.
“The criminal can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM,” said Symantec security researcher Daniel Regalado. “There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer.”
Essentially, what the crooks did was establish a connection with the ATM’s computer system via USB tethering, and from there they dumped the Ploutus malware onto the computer. The malware’s network packet monitor (NPM) then watches the system’s network activity, sniffing out valid TCP or UDP packets from the phone. Once the NPM parses a packet and finds a certain number at a specific offset within it, it proceeds to create a command line that will run Ploutus.
It is a given that bank consoles such as ATMs should not have ports such as USB openly accessible to the public, but the reality is that some cash dispensing machines are dated. The smartphone revolution, if you really think about it, took off only within the last 10-15 years. Banking institutions need to be aware that although cash is stored in an almost impenetrable safe, the computers responsible for managing the safe’s lock aren’t. The solution to this is quite simple, and it’s a safe bet to say that the banks which own these dated ATMs will take note of the recent Ploutus scare and upgrade their equipment.
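The USB tethering step described above makes the phone appear to the ATM's computer as an extra network adapter, which is something a defender can audit for. The following is an added example, not code from Symantec or the original article; it assumes a Windows-based ATM whose adapter inventory (description and PnP device ID) is exported by a monitoring agent, and every record and ID in it is constructed.

```python
"""Flag network adapters that look like a phone tethered over USB.

Added example. Assumes a Windows-based ATM whose adapter inventory
has been exported by an agent; all records below are constructed.
"""
import re

# Adapter descriptions Windows commonly shows for tethered phones.
TETHER_HINTS = re.compile(
    r"remote ndis|rndis|apple mobile device ethernet", re.IGNORECASE
)


def audit_adapters(adapters, baseline_ids):
    """Return (pnp_id, reasons) for every adapter that needs review."""
    baseline = {b.upper() for b in baseline_ids}
    findings = []
    for adapter in adapters:
        pnp = adapter["pnp_id"].upper()
        reasons = []
        if pnp not in baseline:
            reasons.append("not in approved baseline")
        if pnp.startswith("USB\\"):
            # A network adapter on the USB bus is unexpected on an ATM.
            reasons.append("attached over USB bus")
        if TETHER_HINTS.search(adapter["description"]):
            reasons.append("tethering-style driver")
        if reasons:
            findings.append((adapter["pnp_id"], reasons))
    return findings


# Constructed sample data: one approved wired NIC, one tethered phone.
BASELINE = [r"PCI\VEN_0000&DEV_0000\CONSTRUCTED-NIC"]
SAMPLE = [
    {"description": "Onboard Gigabit Ethernet",
     "pnp_id": r"PCI\VEN_0000&DEV_0000\CONSTRUCTED-NIC"},
    {"description": "Remote NDIS based Internet Sharing Device",
     "pnp_id": r"USB\VID_0000&PID_0000\CONSTRUCTED-PHONE"},
]

if __name__ == "__main__":
    for pnp_id, reasons in audit_adapters(SAMPLE, BASELINE):
        print(f"REVIEW {pnp_id}: {', '.join(reasons)}")
```
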