ATMs running Windows XP targeted with cash-dispensing malware
Microsoft has been aggressively campaigning to get users to stop using Windows XP, and has gone so far as to offer $100 off the purchase of a new PC via the Microsoft Store in order to sweeten the switch to a newer OS (preferably Windows 8).
But there is a massive number of devices that won’t be so easily upgraded: 95 percent of ATMs are running the soon-to-be outdated and unsupported Windows XP.
Infection with a variant of the Ploutus ATM malware will likely be the most imminent danger for ATMs. First spotted being used in Mexico last year, the malware has since become modular, and new variants using the English language indicate that the next targets are ATMs in English-speaking countries, likely the US.
While Ploutus initially required attackers to use an external keyboard to order the ATM to spew out money, with the newer variants in play they only need to send an SMS to the compromised ATM, then simply go and collect the dispensed cash.
In order to send the SMS, they first need to connect their mobile phone to the ATM, and that can be done in a number of ways.
“A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM),” Symantec researchers explain.
“The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.”
Two messages are sent to the ATM. The first instructs the ATM to start running Ploutus, which has been previously installed on it. The second one tells the ATM to dispense the money.
Symantec researchers have also recorded a helpful video that shows each of these steps (and if you’ve never seen what an ATM looks like on the inside, this is your chance):
Update (February 2016): Video removed, as it was using Adobe Flash.
They also offered advice on what to do to protect these vulnerable ATMs from attackers.
Apart from upgrading to a newer OS, configuring the BIOS to prevent booting from unauthorized media is also a great idea. Banks could also make it more difficult for attackers to physically access the ATM’s computer, and could install CCTV cameras trained on the ATMs in order to spot suspicious behavior or be able to identify attackers after a successful theft.
Finally, they could start using full disk encryption, and perhaps even a software system lockdown solution.
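One detection-side measure that complements the hardening advice above is to alert on hardware that an ATM was not built with, since the tethering setup Symantec describes shows up on the ATM as a newly installed USB network adapter. The script below is an added example written for this article, not code from Symantec or from any ATM vendor. It runs an allowlist check over device-installation log lines; the log layout, host name, device instance IDs and allowlist are all constructed for the example, loosely modelled on the Windows System log's Microsoft-Windows-UserPnp device-install record (event ID 20001).

```python
"""
Added example (not from the article or from Symantec): flag unexpected
hardware appearing on an ATM host. An ATM ships with a fixed, known set of
peripherals, so any device installation not on the host's allowlist is
worth an alert, and a new network adapter (what a USB-tethered phone looks
like to Windows) is worth a high-severity one.

Log line layout, host name, event IDs and device instance IDs below are
constructed for this example; adapt the parser to your real log source.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed layout: "<timestamp> <host> <event_id> <device_class> <device_instance_id>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")
DEVICE_INSTALL_EVENT = 20001          # UserPnp "driver installed for device" record
NETWORK_CLASSES = {"Net"}             # setup class a tethered phone's adapter lands in

# Constructed sample log: two known peripherals at boot, then a phone-style
# RNDIS adapter and an unknown keyboard late in the evening, plus one
# non-install event and one garbled line to exercise the parser.
SAMPLE_LOG = """\
2014-03-24T08:02:11Z ATM-0417 20001 USB USB\\VID_AAAA&PID_0001\\CARDREADER01
2014-03-24T08:02:12Z ATM-0417 20001 USB USB\\VID_BBBB&PID_0002\\DISPENSER01
2014-03-24T08:02:13Z ATM-0417 20003 USB USB\\VID_BBBB&PID_0002\\DISPENSER01
this line is not a device record
2014-03-24T21:47:03Z ATM-0417 20001 Net USB\\VID_CCCC&PID_0003\\RNDIS_PHONE
2014-03-24T21:47:09Z ATM-0417 20001 USB USB\\VID_DDDD&PID_0004\\KEYBOARD01
"""

# Per-host allowlist of the device instance IDs the ATM was built with (constructed).
ALLOWLIST: Dict[str, Set[str]] = {
    "ATM-0417": {
        "USB\\VID_AAAA&PID_0001\\CARDREADER01",
        "USB\\VID_BBBB&PID_0002\\DISPENSER01",
    }
}


@dataclass
class DeviceEvent:
    timestamp: str
    host: str
    event_id: int
    device_class: str
    device_id: str


@dataclass
class Finding:
    timestamp: str
    host: str
    device_id: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[DeviceEvent]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event_id, dev_class, dev_id = m.groups()
    return DeviceEvent(ts, host, int(event_id), dev_class, dev_id)


def detect_unexpected_devices(log_text: str, allowlist: Dict[str, Set[str]]) -> List[Finding]:
    """Return a finding for every device install that is not on the host's allowlist."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.event_id != DEVICE_INSTALL_EVENT:
            continue                                  # malformed or not an install
        if ev.device_id in allowlist.get(ev.host, set()):
            continue                                  # known peripheral
        if ev.device_class in NETWORK_CLASSES:
            severity = "high"
            reason = "new network adapter on an ATM host (consistent with USB tethering)"
        else:
            severity = "medium"
            reason = "device not in the host's hardware allowlist"
        findings.append(Finding(ev.timestamp, ev.host, ev.device_id, severity, reason))
    return findings


if __name__ == "__main__":
    for f in detect_unexpected_devices(SAMPLE_LOG, ALLOWLIST):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.device_id}: {f.reason}")
```

On the constructed sample this yields two findings: a high-severity one for the RNDIS adapter and a medium-severity one for the unknown keyboard, while the two built-in peripherals, the non-install event and the garbled line are ignored. The allowlist is deliberately per host rather than global, because two ATMs of the same model will still carry different device instance IDs.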