Symantec: Hackers already attacking ATMs as Microsoft's Windows XP deadline looms

Just 14 days remain until Microsoft cuts off support for Windows XP and, as we have reported before, the 12-year-old operating system is used in 95 percent of all ATMs. Now a new report by software security company Symantec claims that hackers are already finding ways to attack these cash machines via a combination of malware and hardware.

One of those methods is to install a specific piece of malware called Backdoor.Ploutus, which was first discovered in 2013 in Mexico. Hackers used it to get money out of ATMs via an external keyboard. A variant of that software, called Backdoor.Ploutus.B, was later found in early 2014. Not only was it written in English, it had also been modified so that hackers could simply send an SMS command to the infected ATM when another mobile phone is connected to it.

Symantec says they were able to replicate this kind of attack in their labs. They claim that protecting older ATMs that still have Windows XP installed from this kind of method will be "more challenging" and offer a number of ways banks can protect their machines, not the least of which is upgrading to Windows 7 or 8. Many banks are already in the middle of their ATM OS upgrade and plan to pay Microsoft lots of money to continue to support Windows XP past April 8th until that task is finished.

It is important to note that many ATMs run Windows XP embedded (toolkit and runtime) which will not reach an end of life until January of 2016.

Source: Symantec | Image via Symantec


32 Comments


Honestly, if bad guys have physical access to the ATM, bets are off. Security 101. Physical access = owned machine.

That being said - banks should somehow be held liable for running outdated infrastructure and playing with customer's private information and money like this. Seriously - if they did not see the writing on the wall that XP was going out, they are just not paying attention.

Once again, this just goes to show that physical access trumps all. If a bad guy has physical access to your device, it is only a matter of time and effort before he compromises it.

LOL people installing malware inside ATM machines...
BRB whilst I get some C4 to blow apart the ATM so I can quickly install some malware and then remotely control it using my phone...
...Or alternatively instead of installing the malware I could just take the money boxes...

The title of this article is the definition of "Link Bait"

Symantec Title " Texting ATMs for Cash Shows Cybercriminals' Increasing Sophistication "
Neowin's Title " Symantec: Hackers already attacking ATMs as Microsoft's Windows XP deadline looms"

Yeah, this has nothing to do with Windows XP. Someone with physical access to the machine can compromise anything. Also, isn't there a forum rule against changing news headlines when posting them? Why doesn't Front Page use the game policy?

Oh, written by John Callaham.

Everything = Explained

warwagon said,
The title of this article is the definition of "Link Bait"

Symantec Title " Texting ATMs for Cash Shows Cybercriminals' Increasing Sophistication "
Neowin's Title " Symantec: Hackers already attacking ATMs as Microsoft's Windows XP deadline looms"

+1

not related to computer security at all.

the real news here is that somehow, people manage to get access to the hardware inside the ATM without being caught by cctv.

Well yeah I wasn't expecting that to be long after all these news sites including this one started announcing to the world that all the ATMs were still using Windows XP.

Biglo said,
Well yeah I wasn't expecting that to be long after all these news sites including this one started announcing to the world that all the ATMs were still using Windows XP.

the funny thing with all this crappy reporting is that they ignore the fact that most of these embedded systems are never patched anyway.
so even if windows XPe support ended on April 8th, that wouldn't make their daily operations any riskier.

furthermore, Microsoft will continue to offer custom extended support until 2019 for Windows XP.

so, most of these systems will still be supported, as long as banks pay for it.

So, in order to hack the ATM, I need to get access to the hardware and install a phone... (gosh)
And, how often are those devices updated? I think most of them are using the original OS (no updates) that was installed from the beginning

There are a lot of embedded systems running old versions of Linux, Unix, etc. There are scenarios where running outdated software is just fine, you just have to take necessary precautions to mitigate the risks. No one is reporting on the plethora of embedded systems out there that are running with an outdated Linux kernel, or other outdated libraries.

Should a standard user be running outdated software, absolutely not, but a properly secured ATM with VPN tunnel only or no internet access that runs Windows XP is not really a risk. Local threats being mitigated by secured hardware, and remote risks mitigated by tunneled or no network access.

Probably attacks that were going to happen anyway. Just being reported on and making light of a situation since end of XP support is coming soon.

I can't believe that Microsoft has not patched that "install software and then connect a phone through a USB port" gaping security hole bug. How long have they known about this without fixing it? Linux is great because they make it so hard to install software it is virtually impossible and there are no drivers, so connecting a phone through USB simply cannot be done.

So they can get inside to hook a phone up, but can't grab the money that's right there? If you have the ability to get inside the thing long enough to hook a phone into it and not get caught, you can more than likely just empty the cash anytime you feel like it.

Romero said,
Faulty assumption. Is it necessary for the safe with the cash to be as accessible as the rest of the ATM?

Did I say it wasn't in a vault?

If you have the ability to access an ATM to hook a phone into it and not get caught, just take the freaking money that is RIGHT THERE. Safe or not. The person hooking a phone into it would clearly have the knowledge to just take the whole thing if they wanted.

Have any knowledge on ATMs? Not all of them have safes that are very secure. I've seen a lot where it's just a small door with a simple lock. One hit from a sledge or even a basic hammer and you're in.

Take your "faulty assumption" remark elsewhere.

Your "you can more than likely just empty the cash anytime you feel like it" is a faulty assumption purely based on ATM money storage bins being shoddily constructed. I don't know where you live but over here I've seen lots of ATMs with solid safes, and someone able to access the communications portion is going to be in no position to empty the safe with a simple or even a sledge hammer. A gang here even tried to blast one open and the safe withstood whatever explosives they used though of course everything else got blown to smithereens.
