back to article Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Mexican cybercrooks are targeting bank ATMs with malware that can be activated by an SMS message that forces compromised cash machines to spew out cash. The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net …

COMMENTS

This topic is closed for new posts.
Silver badge

Neat!

There are some clever people out there...lucky for us they've decided to go into crime rather than getting jobs at GCHQ or the NSA.

23
1
Anonymous Coward

Re: Neat!

There is a difference?

7
0
Silver badge

Re: Neat!

quote: "There is a difference?"

One of them commits crimes to get paid, and the other is paid to commit crimes. ;)

30
0
Silver badge
Pint

Oh God...

So ATMs are now going to be infected with Symantec's bug-infested crapware? Crash. Burn. Blue screen of Symantec. No money...

WE'RE ALL GONNA DIE... BROKE... COLD... HUNGRY... DESTITUTE...

0
0

Sure it's easier than digging a tunnel

but is it art?

8
0
Silver badge

Re: Sure it's easier than digging a tunnel

A forklift, a runup and a flatbed truck is nearly art.

0
0
Silver badge

Re: Sure it's easier than digging a tunnel

It's fast, and totally analogue. We had something similar happen around here. Someone drives down the street in a front end loader, and smashes into the bank, scoops the ATM, and dumps it in a pickup that just happened to be handy. It all happened in a blink, and they were never found.

0
0
Silver badge

Re: Sure it's easier than digging a tunnel

Have to check the weight limits, but you might be able to do it with one of those rubbish lorries with the hydraulics for emptying the bins automatically. Ram, lift and away; all in one vehicle. As a bonus, you wouldn't have to break into the ATMs...just switch the compactor on for a cycle or two. Hmmm.....

0
0
Silver badge

You'd hope that the bank employee whose job it is to fill the ATM would also check for unexpected changes to the ATM such as a USB cable leading to a mobile phone. Pretty fucking obvious I would have thought.

10
1
Silver badge
Stop

Bank employee ? How quaint.

AFAICT most ATMs in the UK are serviced by security companies - mainly G4S. Given their *cough* competence in other areas, I wouldn't be too hopeful they'd spot anything amiss in an ATM.

14
0
Bronze badge

"You'd hope that the bank employee whose job it is to fill the ATM would also check for unexpected changes to the ATM such as a USB cable leading to a mobile phone."

Who do you think is best placed to install a mobile phone into an ATM?

18
0
Anonymous Coward

I don't understand why the cash machine wasn't designed from the outset with the computer inside a locked and tamper-proof box. It is nothing short of negligence on the part of the cash machine manufacturer.

1
1

@AC re: Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Because of cost. I am sure the banks or the ATM operators will buy the cheapest unit, and that is the one without security features like this.

3
0

As usual, things get crappier over time.

Earlier (running OS/2 on 200MHz cpus) ATMs had the computer inside the safe, next to the money.

1
0
Anonymous Coward

Tut, tut Reg.

"Forget sledgehammers – crooks can CRACK ATMs with a TEXT"

Having now read the article, that headline really is a little bit Daily Mail, but I realise 'crooks can control previously compromised ATMs via SMS' doesn't quite sound as cool.

6
0
Anonymous Coward

XP I guess

Why these machines don't run secure embedded OS's has always bemused me.

5
3
Bronze badge
Facepalm

Re: XP I guess

but who would update these when patches are released by OS vendor? Much cheaper to just install commodity OS (like Windows XP for example) on commodity hardware.

Oh, wait ... that's not a joke.

4
2
Silver badge
FAIL

Re: XP I guess

This has nothing to do with the OS this time.

3
2
Silver badge
Thumb Down

Re: XP I guess

Hello Eadon! Didn't know you were back.

2
2
Bronze badge

Re: XP I guess

I am quite sure that no matter what you attach to USB port, without OS support the worst it can do is pull too much current and shut itself down (and perhaps other devices on the same power bus). So yeah, OS is very much implicated into this. But I do agree that physical security of the port comes before it.

4
1
Silver badge

Re: XP I guess

You need to attach a thumb drive or similar, reboot the ATM, getting it to boot from USB in the process, then copy the relevant files onto the ATM.

Once you have done that, you can reboot the ATM again and attach the mobile phone and Bob's your uncle behind bars.

3
0
Anonymous Coward

And here was me thinking that they just bribed the little man that lives in the machine.

9
0
Bronze badge
Joke

Inform the Met

Doesn't this make every El Reg Hack a Bandito too?

After all they get cash from text.

Sorry, where's that withdraw button?

2
0
Bronze badge

Errrm, so they have to gain physical access first anyway, so what is all this, no sledgehammer required nonsense, they need the same access the first time around that they always have.

2
0
Silver badge

Indeed. My interest waned notably when I read that they had to "connect phone to ATM".

Sorry, if they have access to connect the phone, the rest is just details. The basic rule still applies here : if the crims get physical access to the hardware, all bets are off and there is no more security.

6
0
Bronze badge

¿Plata o plomo?

Mexico has a culture of corruption, but even honest folk will bend when a gun is held to their head.

Nonetheless I'm pleased to see people robbing banks again. For far too long banks have been robbing people.

7
1
Silver badge

Re: ¿Plata o plomo?

Heh. Been a while since my country appeared on El Reg, and I'm not quite surprised it came up with an ATM slurping malware bit. But it does confirm that I was properly annoyed when I realized they had switched from OS/2 to WinXP on ATMs … and I was thinking "geeze, we shouldn't be putting that OS on ATMs!"

0
0
Silver badge

Note to banks:

Please use (very) custom hardware/software when you build ATMs. Oh, and please put in some logging features that do checksums of vital parts and report them back to "central". You don't need to verify them at the ATM, let your center do that and raise alarms.

p.s. Keep those $20 bills on coming! Baby needs a new pair of shoes!

1
0
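The scheme suggested in the comment above, sketched as an added example (not part of the original post and not any ATM vendor's code): the ATM only hashes and reports, and the central service authenticates the report and compares it with a stored baseline. The function names, the per-ATM shared key, the poll nonce and the file names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def build_report(atm_id, files, key, nonce):
    """ATM side: hash each vital file and sign the report; no local verdict."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = {"atm_id": atm_id, "nonce": nonce, "digests": digests}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_report(report, key, baseline, expected_nonce):
    """Central side: authenticate the report, then compare against the baseline."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, report["tag"]):
        return ["report authentication failed"]
    if report["body"]["nonce"] != expected_nonce:
        return ["stale or replayed report"]  # nonce is issued fresh per poll
    digests = report["body"]["digests"]
    alerts = []
    for name, good in sorted(baseline.items()):
        if name not in digests:
            alerts.append(f"missing: {name}")
        elif digests[name] != good:
            alerts.append(f"modified: {name}")
    alerts += [f"unexpected: {n}" for n in sorted(set(digests) - set(baseline))]
    return alerts

# Constructed sample data: hypothetical key, file names and contents.
KEY = b"constructed-demo-key"
GOLDEN = {"boot.cfg": b"boot=hdd\n", "dispenser.dll": b"v1 dispenser code"}
BASELINE = {n: hashlib.sha256(d).hexdigest() for n, d in GOLDEN.items()}

if __name__ == "__main__":
    tampered = dict(GOLDEN, **{"boot.cfg": b"boot=usb\n", "extra.exe": b"x"})
    print(verify_report(build_report("ATM-001", GOLDEN, KEY, "n1"), KEY, BASELINE, "n1"))
    print(verify_report(build_report("ATM-001", tampered, KEY, "n2"), KEY, BASELINE, "n2"))
```

Because the digests are computed by software on the ATM itself, this only flags changes while that reporting agent and its key remain trustworthy.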
Silver badge
Boffin

Windows on ATMs

Looks like using Windows for ATMs doesn't sound as bright right about now.

I have always been miffed at this, especially given that I have worked at certain banks (yes, MEXICAN banks) and most of them snub Windows for everything else. But the ATMs are on Windows, no surprise they're getting 0wn3d on the ATM side.

Oh well, beats having the whole ATM stolen, which happens every now and then.

2
0
Anonymous Coward

WTF? Why would ATMs require an active USB?

Wow the banks have been complacent. I have to think that outsourcing and general wipe-out of IT salaries has had something to do with this. Why would ATMs require an active USB? To Pwn your own ATM?... Was this a deliberate added feature! Ditto for leaving active USBs on the walk-in self-service machines where crims can upload Malware 'while-you-wait' so to speak... And how did windows XP spread like a virus and find its way onto so many ATM machines?

I thought the banks used proprietary software precisely to defeat these types of attacks. I have to think again it's cost control so the execs can get their bonuses at the expense of quality IT departments, many of which have been decimated. But clearly this is just the cost of doing business. If the banks were taking a hard enough hit, they would have to fix this fiasco..

Still it's all good, overall I'm glad that the crims are targeting the banks directly though and not using those smarts to forge more attacks on Mom and Pop.... As someone else flippantly said, maybe it's good that these people took the crim path and didn't take jobs for the Five Eyes.

0
2
Bronze badge

Re: WTF? Why would ATMs require an active USB?

@AC What's an ATM machine?

0
1

While everybody loves hating Windows, true point is, a USB port? And the ATM is configured to boot from it as default? What could possibly be wrong with that line of thought...

Even keeping the USB port, a much better idea would have been to have a custom BIOS that checked for existence of a flash drive connected to said USB port and then, if one existed, read a key from it and used it to decrypt a boot image off a hidden partition into the system partition. Right key? ATM back to a clean start state. Wrong key? Bricked ATM in need of hauling to repair shop. Assumes a tamper proof HD/SSD setup.

The cynical in me thinks this is just a setup for plausible denial. Whomever did the ATM's was probably "persuaded" (at point blank) to make them "somewhat insecure", not bad enough they'd look guilty, just clueless. Eventually losing face is far better than immediately losing (parts of) head...

2
1
Bronze badge

Whomever did the ATM's was probably "persuaded"

That sounds like you're suggesting this was set up / organised long ago. IF that's the case, how come these "hacks" are only just coming to light now?

I think it was just downright stupidity. Not intentional - I say that reluctantly. XP was released in 2001. Why the machines were never upgraded, I'm thinking may have been / could have been intentional?

There are many questions that need to be answered here.

0
1
Dig

Physical Access?

"This is not as difficult as it might seem at first and doesn't entail physically opening up a target machine, "

So how do they tether a mobile phone via USB to an ATM without physically opening it? Do they have USB slots on the front in Mexico?

1
0
FAIL

Watch the video, physical entry is simply a very simple key lock on the front of the machine...

http://www.symantec.com/connect/blogs/texting-atms-cash-shows-cybercriminals-increasing-sophistication

0
0
Bronze badge
Linux

Sheesh

WinXP? Which maniac thought it was a good idea to put XP on ATMs? Even slot makers have the sanity to put Linux into their slots. Saw one Bally machine booting Linux (albeit an ancient 2.2 kernel) at a casino sometime back, when a service tech maintained the machine and then rebooted.

Surely if Linux is good enough for slots, it would be good enough for ATMs?

3
2
Silver badge
Linux

Re: Sheesh

"Which maniac thought it was a good idea to put XP on ATMs". Basically IBM as they gave up, lost the plot, so to say, for reasons I don't know. But again the way the OS was used and the way the "old" ATMs were designed, as the text goes "in the case of older cash machines still running (dead-man-walking OS) Windows XP" the problem would have been the same regardless of the OS. Nobody was then, long ago, prepared to back up Linux with any force, but with the same guys "designing" the ATMs the result would have been again the same. The fuck ups regarding Android is equally not because of Linux. There is nothing you cannot fuck up totally regardless of the OS.

0
0
Silver badge
Linux

Re: Sheesh

And sheesh to myself but the damned logic is that if you hit your thumb with a hammer you may say sheesh but it would perhaps be silly to blame the hammer. Still you will probably rather throw the hammer in the drink than yourself. Life is sometimes unfair for hammers, windows and penguins.

0
0

Re: Sheesh

Sorry, I configured loads of machines for a large high street bookies chain, all were using Windows XP, you did need a key to disable the tamper alarm, and another to open the front and another to unlock the cage the actual PC was in. Access to the USB slots and hard drive was not possible without disabling the alarm, opening the case and unlocking the PC cage. Hard drives were imaged off the machine, then installed and configured. USB was not disabled as the cash reader was connected via USB. You also needed a PS/2 keyboard and mouse to set them up as USB keyboards and mice were not recognised.

0
0
Silver badge
Joke

However

I'm sure they ONLY withdraw to their daily limit!

0
0
Silver badge
Joke

Re: However

Yes, there is indeed a limit to how much you can withdraw from an ATM. A rather "poor" bank to rob. (among us bank robbers).

0
0
Silver badge

5449610000583686 ?

Hang on! That's my HSBC Mastercard number! Excuse me while I go check my account.

[2 minutes later]

Whaaaaaaat the f*******ck??!?!?!

1
0

we will be seeing more of this.....

Most ATM'S run windows xp and Microsoft are not updating windows xp anymore so we will be seeing attacks like this more often. Unless banks pull their fingers out and update the atm's to windows 7 (or ditch windows and run another secure os)

0
0