How to rob ATMs with a couple of SMS messages

Pierluigi Paganini March 26, 2014

Symantec experts demonstrated how to rob ATMs using a mobile device and sending a couple of SMS. Cybercriminals are increasing sophistication of attacks.

What will happen after that Microsoft will stop supporting the Windows XP operating system on 8th April? The question was approached by numerous security experts on different media.

The impact could be very serious for all those industries were XP OS is largely adopted, for example the banking sector. Nearly 95% of the world’s 3 million ATM machines run on Microsoft XP OS, the interruption for the support of Windows XP raises serious security issues.

After April 8th, Windows XP Service Pack 3 customers will no longer receive new security updates or any other form of support, this means that any new security flaw discovered in the Windows OS will not be addressed fixed by Microsoft.  Attackers will have the advantage over victims who choose to continue to run Windows XP, their systems will be vulnerable and a growing number of exploits will be available on the underground market to compromise Windows XP systems.

To better understand the risks related to running a phase-out OS I suggest the reading of a post published by Symantec security firm titled “Texting ATMs for Cash Shows Cybercriminals’ Increasing Sophistication”, it shows how hackers can exploit a weakness in a Windows XP based ATMs that allow them to withdraw with a simple SMS.

The blog post refers to a variant of Ploutus malware detected in 2013, it was installed on ATMs in Mexico and is designed to compromise a certain type of standalone ATM with just the text messages.

“The new variant was identified as Backdoor.Ploutus.B (referred to as Ploutus throughout this blog). What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible, but this technique is being used in a number of places across the world at this time.”

The attack scheme is very simple, the bad actor just needs to connect the ATM to a mobile phone via USB tethering and then initiate a shared Internet connection, which then can be used to send specific SMS commands to the phone attached or hardwired inside the ATM.

“Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.”

The attack scheme

  • The attacker connects a mobile handset to the ATM with a USB cable and inject the Ploutus Malware.
  • The attacker sends two specific SMS messages to the mobile phone inside the ATM.
    • SMS 1 contains a valid activation ID to activate the malware
    • SMS 2 contains a valid dispense command to get the money out
  • The Mobile handset in the ATM receives the valid SMS messages and converts them into network packets that forward the ATM through the USB cable.
  • Network packet monitor (NPM) module coded in the malware sniff all incoming traffic, when it will receive a valid TCP or UDP packet from the mobile phone he will parse the packet and search for the number “5449610000583686” at a specific offset within the packet. In this way the module is able to analyze the whole package of data and once it has found a specific number the NPM will read the next 16 digits and use them to construct a command line to run Ploutus. An example of such a command is shown below: 

cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985 “In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal added security and the ability to centrally control cash withdrawals. The code is active for 24 hours.” reports Symantec

  • Amount for Cash withdrawal is pre-configured inside the malware
  • Finally, the hacker can collect cash from the hacked ATM machine.

ATM attack ploutus 2

Malware analysts have discovered a more sophisticated version of the PLOUTOS malware, some detected instances are able to steal customer card data including the PIN, researchers also confirmed the existence of a version able to implement a man-in-the-middle attack.

PLOUTOS is now spreading to different countries all over the world, Symantec experts highlighted that a similar attack is possible on ATMs running on Windows XP, which lack of proper defense measures protecting against these types of attacks, like such as encrypted hard-drives. Physical security of the computer inside the ATMs is considered another critical issue, especially for remote and isolated locations, because usually generally the computer generally is not locked in a safe. Following the suggestions provided by Symantec experts to improve the security of the ATMs:

  • Upgrading to a supported operating system such as Windows 7 or 8
  • Providing adequate physical protection and considering CCTV monitoring for the ATM
  • Locking down the BIOS to prevent booting from unauthorized media, such as CD ROMs or USB sticks
  • Using full disk encryption to help prevent disk tampering
  • Using a system lock down solution

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  ATMs, XP)



you might also like

leave a comment