Alice
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 90 % (High) |
| Infected Computers: | 177 |
| First Seen: | December 28, 2016 |
| Last Seen: | December 7, 2022 |
| OS(es) Affected: | Windows |
Alice is a threat that con artists can use to gain cash illicitly from Automatic Teller Machines (ATM). Alice was first detected in November 2016. Alice is used to targeting ATMs, allowing con artists that have physical access to the ATM's ports to force the machine to give money to the con artist. Alice receives its name because its creator referred to the Alice code as 'Project Alice.' It is possible that versions of Alice have been active since at least 2014.
Table of Contents
How Con Artists may Use Alice to Profit Illicitly
The people using Alice need access to the ATM ports, either through the USB or CD-ROM ports. If they have access, they can load Alice into the ATM and then connect a keyboard to interact with the ATM. In most cases, ATMs are based on the Windows XP, which allows con artists to launch Alice with a keyboard. To do this, the con artists need a PIN access code to start up Alice. This PIN is part of the Alice attack and is designed in a way that bank employees and security researchers cannot inspect or interact with Alice. The PIN also works as an affiliate identifier, allowing gangs to monitor who is using Alice and whether it is being shared with other groups without the con artists' authorization.
Once Alice's PIN is entered, Alice carries out its attack. Alice is designed for one thing only, to dispense cash to the con artist. This is different from many other ATM threat families, which have numerous features that allow the con artists to carry out a variety of tasks on the targeted ATM. Alice connects to the infected ATM's cash dispenser module and displays an interactive interface. This window shows information on how much money is in the ATM and allows the con artists to use the keyboard to order the affected ATM to dispense money while keeping track of the ATM's cash content. Most ATMs are limited to 40 bills per transaction. This means that the attackers would repeat the operation several times, depending on the amount being collected.
Alice’s Features and Other ATM Threats
Alice allows third parties to connect to the affected ATM using RDP (Remote Desktop Protocol), in theory allowing them to collect money remotely. However, security researchers have noted that this feature has not been observed in the wild. One of the reasons for this is that it would be necessary to find the affected ATM's RDP password, which would require a brute force attack or other sophisticated operation that could expose the attackers potentially. ATM threats have been around for nearly a decade, with the first ATM threat variants being observed in 2007. In general, an ATM threat either lies hidden and collects card data and sends it to the con artists, or it is designed to allow the con artists to take control of the ATM. Although Alice falls into the category of threats that allow con artists control the affected ATM, Alice is quite different from other ATM families.
The Probable Future of Alice and Other ATM Threats
One of the ways in which Alice is different is that it does not allow third parties to control the ATM using its number pad. Rather than creating a module to control communication between the threat and the PIN pad, Alice's creators focused simply on making sure that Alice can make the affected ATM dispense money. One of the reasons why Alice is so focused is that its creators may not be as sophisticated as other threat developers. Collecting card data and reselling it can be a time- consuming process, and collecting cash directly cuts down on complexity and makes their task easier. There are hundreds of thousands of ATMs around the world, with many being poorly guarded. Threat researchers are expecting an explosion in the number of ATM threats like Alice in the coming years.
Submit Comment
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.