Skip to main content

Thieves can steal cash by texting an ATM with latest malware

atm malware thieves
In 1983’s largely forgettable and campy Superman III, Richard Pryor’s “hacker” character makes cash spew out of a comically ancient ATM machine. In 1991’s Terminator 2: Judgement Day, Edward Furlong’s John Connor character hacked an ATM with an ATARI, and a whole new generation of hacker dreams were born. At last, finally, someone pulled off the inevitable by creating malware that targets ATMs, and the payoff is cold hard cash — on demand.

This malware was first detected in the wild by Proofpoint, a security firm that found it in Mexico. The culprit is known as GreenDispenser, and like much ATM malware, it infects the target machines through a boot-enabled CD-ROM drive. The exploit is a piece of middleware that is installed by a number of ATM vendors. With just a few commands, the thief can empty an entire machine. After the heist, the malware deletes itself, seemingly in order to evade detection.

Text to Cash

Like most malware, the schemes involving ATM infections are evolving. For example, a first generation version of GreenDispenser required the hacker to issue special commands through the PIN pad or an external keyboard. The latest version can be controlled via text messages. Once infected and activated, the malware displays a status message on the main ATM screen that says the machine is out of service:


It would seem the thieves don’t want anyone else taking the cash they’ve worked so hard to get.

The industry is on notice; dismissing this as a threat that only affects other countries would be a mistake. Although this exploit was initially found in Mexico, the report describes English messages throughout the latest version. The forces behind this infection are apparently intent on spreading into new territories.

Various malware types have been discovered in recent months, which indicates a very bold escalation in number of attempts, and targeting is underway.  If there is any good news in these developments, it would have to be that thus far, the infections require privileged physical access to the system. In other words, ATMs can only be infected with assistance — or as they say in television detective dramas, “someone on the inside.”

ProofPoint advises:

ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors. While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter a time before these techniques are abused across the globe. We believe we are seeing the dawn of a new criminal industry targeting ATMs with only more to come. In order to stay ahead of attackers financial entities should reexamine existing legacy security layers and consider deploying modern security measures to thwart these threats.

Consumers should practice awareness at all times and report if they see anything suspicious.

Editors' Recommendations