back to article Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Mexican cybercrooks are targeting bank ATMs with malware that can be activated by a SMS message that forces compromised cash machines to spew out cash. The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net …

COMMENTS

This topic is closed for new posts.
  1. Pen-y-gors

    Neat!

    There are some clever people out there...lucky for us they've decided to go into crime rather than getting jobs at GCHQ or the NSA.

    1. Anonymous Coward
      Anonymous Coward

      Re: Neat!

      There is a difference?

      1. NumptyScrub

        Re: Neat!

        quote: "There is a difference?"

        One of them commits crimes to get paid, and the other is paid to commit crimes. ;)

        1. JeffyPoooh
          Pint

          Oh God...

          So ATMs are now going to be infected with Symantec's bug-infested crapware? Crash. Burn. Blue screen of Symantec. No money...

          WE'RE ALL GONNA DIE... BROKE... COLD... HUNGRY... DESTITUTE...

  2. Thecowking

    Sure it's easier than digging a tunnel

    but is it art?

    1. Anonymous Coward
      Anonymous Coward

      Re: Sure it's easier than digging a tunnel

      A forklift, a runup and a flatbed tuck is nearly art.

      1. Ole Juul

        Re: Sure it's easier than digging a tunnel

        It's fast, and totally analogue. We had something similar happen around here. Someone drives down the street in a front end loader, and smashes into the bank, scoops the ATM, and dumps it in a pickup that just happened to be handy. It all happened in a blink, and they were never found.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sure it's easier than digging a tunnel

          Have to check the weight limits, but you might be able to do it with one of those rubbish lorries with the hydraulics for emptying the bins automatically. Ram, lift and away; all in one vehicle. As a bonus, you wouldn't have to break into the ATMs...just switch the compactor on for a cycle or two. Hmmm.....

  3. Irongut

    You'd hope that the bank employee whose job it is to fill the ATM would also check for unexpected changes to the ATM such as a USB cable leading to a mobile phone. Pretty fucking obvious I would have thought.

    1. JimmyPage Silver badge
      Stop

      Bank employee ? How quaint.

      AFAICT most ATMs in the UK are serviced by security companies - mainly G4S. Given their *cough* competence in other areas, I wouldn't be too hopeful they'd spot anything amiss in an ATM.

    2. Anonymous Blowhard

      "You'd hope that the bank employee whose job it is to fill the ATM would also check for unexpected changes to the ATM such as a USB cable leading to a mobile phone."

      Who do you think is best placed to install a mobile phone into an ATM?

  4. Anonymous Coward
    Anonymous Coward

    I don't understand why the cash machine wasn't designed from the outset with the computer inside a locked and tamper-proof box. It is nothing short of negligence on the part of the cash machine manufacturer.

    1. RaidOne

      @AC re: Forget sledgehammers – crooks can CRACK ATMs with a TEXT

      Because of cost. I am sure the banks or the ATM operators will buy the cheapest unit, and that is the one without security features like this.

    2. Zack Mollusc

      As usual, things get crappier over time.

      Earlier (running OS/2 on 200MHz cpus) ATMs had the computer inside the safe, next to the money.

  5. Anonymous Coward
    Anonymous Coward

    Tut, tut Reg.

    "Forget sledgehammers – crooks can CRACK ATMs with a TEXT"

    Having now read the article, that headline really is a little bit Daily Mail, but I realise 'crooks can control previously compromised ATMs via SMS' doesn't quite sound as cool.

  6. Anonymous Coward
    Anonymous Coward

    XP I guess

    Why these machines don't run secure embedded OS's has always bemused me.

    1. Bronek Kozicki
      Facepalm

      Re: XP I guess

      but who would update these when patches are released by OS vendor? Much cheaper to just install commodity OS (like Windows XP for example) on commodity hardware.

      Oh, wait ... that's not a joke.

    2. Lars Silver badge
      FAIL

      Re: XP I guess

      This has nothing to do with the OS this time.

      1. Bronek Kozicki

        Re: XP I guess

        I am quite sure that no matter what you attach to USB port, without OS support the worst it can do is pull too much current and shut itself down (and perhaps other devices on the same power bus). So yeah, OS is very much implicated into this. But I do agree that physical security of the port comes before it.

        1. big_D Silver badge

          Re: XP I guess

          You need to attach a thumb drive or similar, reboot the ATM, getting it to boot from USB in the process, then copy the relevant files onto the ATM.

          Once you have done that, you can reboot the ATM again and attach the mobile phone and Bob's your uncle behind bars.

    3. Evil Auditor Silver badge
      Thumb Down

      Re: XP I guess

      Hello Eadon! Didn't know you were back.

  7. Anonymous Coward
    Anonymous Coward

    And here was me thinking that they just bribed the little man that lives in the machine.

  8. Semtex451
    Joke

    Inform the Met

    Doesn't this make every El Reg Hack a Bandito too?

    After all they get cash from text.

    Sorry wheres that withdraw button?

  9. bigtimehustler

    Errrm, so they have to gain physical access first anyway, so what is all this, no sledgehammer required nonsense, they need the same access the first time around that they always have.

    1. Pascal Monett Silver badge

      Indeed. My interest waned notably when I read that they had to "connect phone to ATM".

      Sorry, if they have access to connect the phone, the rest is just details. The basic rule still applies here : if the crims get physical access to the hardware, all bets are off and there is no more security.

  10. ian 22

    ¿Plata o plomo?

    Mexico has a culture of corruption, but even honest folk will bend when a gun is held to their head.

    Nonetheless I'm pleased to see people robbing banks again. For far too long banks have been robbing people.

    1. Daniel B.

      Re: ¿Plata o plomo?

      Heh. Been a while since my country appeared on El Reg, and I'm not quite surprised it came up with an ATM slurping malware bit. But it does confirm that I was properly annoyed when I realized they had switched from OS/2 to WinXP on ATMs … and I was thinking "geeze, we shouldn't be putting that OS on ATMs!"

  11. Herby

    Note to banks:

    Please use (very) custom hardware/software when you build ATMs. Oh, and please put in some logging features that do checksums of vital parts and report them back to "central". You don't need to verify them at the ATM, let your center do that and raise alarms.

    p.s. Keep those $20 bills on coming! Baby needs a new pair of shoes!

  12. Daniel B.
    Boffin

    Windows on ATMs

    Looks like using Windows for ATMs doesn't sound as bright right about now.

    I have always been miffed at this, especially given that I have worked at certain banks (yes, MEXICAN banks) and most of them snub Windows for everything else. But the ATMs are on Windows, no surprise they're getting 0wn3d on the ATM side.

    Oh well, beats having the whole ATM stolen, which happens every now and then.

  13. Anonymous Coward
    Anonymous Coward

    WTF? Why would ATMs require an active USB?

    Wow the banks have been complacent. I have to think that outsourcing and general wipe-out of IT salaries has had something to do with this. Why would ATMs require an active USB? To Pwn your own ATM?... Was this a deliberate added feature! Ditto for leaving active USBs on the walk-in self-service machines where crims can upload Malware 'while-you-wait' so to speak... And how did windows XP spread like a virus and find its way onto so many ATM machines?

    I thought the banks used proprietary software precisely to defeat these types of attacks. I have to think again its cost control so the execs can get their bonuses at the expense of quality IT departments, many of which have been decimated. But clearly this is just the cost of doing business. If the banks were taking a hard enough hit, they would have to fix this fiasco..

    Still its all good, overall I'm glad that the crims are targeting the banks directly though and not using those smarts to forge more attacks on Mom and Pop.... As someone else flippantly said, maybe its good that these people took the crim path and didn't take jobs for the Five Eyes.

    1. Sanctimonious Prick

      Re: WTF? Why would ATMs require an active USB?

      @AC What's an ATM machine?

  14. Nuno trancoso

    While everybody loves hating Windows, true point is, a USB port? And the ATM is configured to boot from it as default? What could possible be wrong with that line of thought...

    Even keeping the USB port, a much better idea would have been to have a custom BIOS that checked for existence of a flash drive connected to said USB port and then, if one existed, read a key from it and used it to decrypt a boot image off a hidden partition into the system partition. Right key? ATM back to a clean start state. Wrong key? Bricked ATM in need of hauling to repair shop. Assumes a tamper proof HD/SSD setup.

    The cynical in me thinks this is just a setup for plausible denial. Whomever did the ATM's was probably "persuaded" (at point blank) to make them "somewhat insecure", not bad enough they'd look guilty, just clueless. Eventually loosing face is far better than immediately loosing (parts of) head...

    1. Sanctimonious Prick

      Whomever did the ATM's was probably "persuaded"

      That sounds like you're suggesting this was set up / organised long ago. IF that's the case, how come these "hacks" are only just coming to light now?

      I think it was just downright stupidity. Not intentional - I say that reluctantly. XP was released in 2001. Why the machines were never upgraded, I'm thinking may have been / could have been intentional?

      There are many questions that need to be answered here.

  15. Dig

    Physical Access?

    "This is not as difficult as it might seem at first and doesn't entail physically opening up a target machine, "

    So how do they tether a mobile phone via USB to an ATM without physically opening it. Do they have USB slots on the front in Mexico.

  16. Dazzz
    FAIL

    Watch the video, physical entry is simply a very simple key lock on the front of the machine...

    http://www.symantec.com/connect/blogs/texting-atms-cash-shows-cybercriminals-increasing-sophistication

  17. RAMChYLD
    Linux

    Sheesh

    WinXP? Which maniac thought it was a good idea to put XP on ATMs? Even slot makers have the sanity to put Linux into their slots. Saw one Bally machine booting Linux (albeit an ancient 2.2 kernel) at a casino sometime back, when a service tech maintained the machine and then reboot.

    Surely if Linux is good enough for slots, it would be good enough for ATMs?

    1. Lars Silver badge
      Linux

      Re: Sheesh

      "Which maniac thought it was a good idea to put XP on ATMs". Basically IBM as they gave up, lost the plot, so to say, for reasons I don't know. But again the way the OS was used and the way the "old" ATMs where designed, as the text goes "in the case of older cash machines still running (dead-man-walking OS) Windows XP" the problem would have been the same regardless of the OS. Nobody was then, long ago, prepared to back up Linux with any force, but with the same guys "designing" the ATMs the result would have been again the same. The fuck ups regarding Android is equally not because of Linux. There is nothing you cannot fuck up totally regardless of the OS.

      1. Lars Silver badge
        Linux

        Re: Sheesh

        And sheesh to my self but the damned logic is that if you hit your thumb with a hammer you may say sheesh but it would perhaps be silly to blame the hammer. Still you will probably rather throw the hammer in the drink than your self. Life is sometimes unfair for hammers windows and penquins.

    2. WereWoof

      Re: Sheesh

      Sorry, I configured loads of machines for a large high street bookies chain, all were using Windows XP, you did need a key to disable the tamper alarm, and another to open the front and another to unlock the cage the actual PC was in. Access to the USB slots and hard drive was not possible without disabling the alarm, opening the case and unlocking the PC cage. hard drives were imaged off the machine, then installed and configured. USB was not disable as the cash reader was connected via USB, You also needed a PS/2 keyboard and mouse to set them up as USB keyboards and mice were not recognised.

  18. Winkypop Silver badge
    Joke

    However

    I'm sure they ONLY withdraw to their daily limit!

    1. Lars Silver badge
      Joke

      Re: However

      Yes, there is indeed a limit to how much you can withdraw from a ATM. A rather "poor" bank to rob. (among us bank robbers).

  19. Ralph B

    5449610000583686 ?

    Hang on! That's my HSBC Mastercard number! Excuse me while I go check my account.

    [2 minutes later]

    Whaaaaaaat the f*******ck??!?!?!

  20. martin 62

    we will be seeing more of this.....

    Most ATM'S run windows xp and Microsoft are not updating windows xp anymore so we will be seeing attacks like this more often. Unless banks pull their fingers out and update the atm's to windows 7 (or ditch windows and run another secure os)

This topic is closed for new posts.

Other stories you might like