Hackers hit ATMs with SMS malware

Remote hack using a mobile phone.

Security experts have discovered a team of cyber-criminals responsible for hacking into stand-alone ATMs using adapted SMS messages.

Symantec said the hackers were using software called Ploutus which is hard to install because you need to get access to parts of the machine.

Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. However, the latest version is controlled remotely via text message.

Tricky hack

It is still not an easy hack to pull off. The attackers open up an ATM and attach a mobile phone, which acts as a controller, to a USB port inside the machine. The ATM still has to be infected with Ploutus.

In a blog post, Daniel Regalado, a Symantec malware analyst, wrote that the phone detects a new message under the required format, converts the message into a network packet and then forwards it to the ATM through the USB cable.

Ploutus has a network packet monitor that watches all traffic coming into the ATM and when it detects a valid TCP or UDP packet from the phone it generates a command line to control Ploutus. This saves a lot of time that a thief spends in front of the machine, decreasing the risk of detection.

The ATM is remotely triggered to dispense cash, allowing someone hired to do the risky job of stopping by to pick up the cash a quick exit. The "money mule" also does not have any information that allows them to skim some cash off for themselves.