By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 177
First Seen: December 28, 2016
Last Seen: December 7, 2022
OS(es) Affected: Windows

Alice is a threat that con artists use to steal cash from Automated Teller Machines (ATMs). Alice was first detected in November 2016. It targets ATMs directly: con artists with physical access to the ATM's ports can use it to force the machine to dispense cash to them. Alice takes its name from its creator, who referred to the code as 'Project Alice.' Versions of Alice may have been active since at least 2014.

How Con Artists may Use Alice to Profit Illicitly

The people using Alice need physical access to the ATM's USB or CD-ROM port. Once they have it, they load Alice onto the ATM and connect a keyboard to interact with it. Most ATMs run Windows XP, which lets the con artists launch Alice from the keyboard. To start Alice, they must enter a PIN access code. The PIN is part of Alice's design: it prevents bank employees and security researchers who come across the binary from inspecting or interacting with it, and it also works as an affiliate identifier, allowing the gang to track who is using Alice and whether it is being shared with other groups without the gang's authorization.

Once the PIN is entered, Alice carries out its attack. Alice is designed for one thing only: to dispense cash to the con artist. This differs from many other ATM threat families, which bundle numerous features that let the con artists carry out a variety of tasks on the targeted ATM. Alice connects to the infected ATM's cash dispenser module and displays an interactive window. This window shows how much money is in the ATM and lets the con artists use the keyboard to order the machine to dispense cash while it keeps track of the ATM's remaining cash content. Most ATMs are limited to 40 bills per dispense, so the attackers repeat the operation as many times as needed for the amount they want to collect.
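Because Alice drives the dispenser directly instead of going through a card transaction, the pattern a bank can look for is cash leaving the machine with no host-authorized withdrawal behind it, typically in back-to-back runs at the 40-bill cap. The following is an added example, not code from the original article or from the Alice authors, showing that reconciliation over a constructed event journal; the log line format, the event names AUTH and DISPENSE, and the 60-second correlation window are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_BILLS_PER_DISPENSE = 40                 # per-dispense cap mentioned in the text
CORRELATION_WINDOW = timedelta(seconds=60)  # assumed: how long after a host
                                            # authorization a dispense may follow


@dataclass
class Event:
    ts: datetime
    kind: str       # "AUTH" (host-approved withdrawal) or "DISPENSE"
    bills: int = 0  # bills moved by a DISPENSE event


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format '<ISO ts> <KIND> key=value ...'."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), kind, int(kv.get("bills", 0)))


def find_unauthorized_dispenses(lines):
    """Return DISPENSE events that no host AUTH within the window accounts for.

    Each AUTH can account for at most one dispense, so a run of dispenses
    behind a single authorization is flagged from the second one onward.
    """
    pending = deque()  # unconsumed AUTH timestamps, oldest first
    flagged = []
    for ev in map(parse_line, (l for l in lines if l.strip())):
        if ev.kind == "AUTH":
            pending.append(ev.ts)
            continue
        if ev.kind != "DISPENSE":
            continue
        # Drop authorizations too old to cover this dispense.
        while pending and ev.ts - pending[0] > CORRELATION_WINDOW:
            pending.popleft()
        if pending:
            pending.popleft()  # covered by a host authorization
        else:
            flagged.append(ev)
    return flagged


def summarize(flagged):
    """Totals an analyst would want on a page: count, bills out, runs at the cap."""
    return {
        "events": len(flagged),
        "bills": sum(e.bills for e in flagged),
        "at_cap": sum(1 for e in flagged if e.bills == MAX_BILLS_PER_DISPENSE),
    }


# Constructed sample journal: one legitimate withdrawal at 02:14, then a
# jackpotting run at 03:41 with no card transaction behind it.
SAMPLE_LOG = """
2016-11-30T02:14:05 AUTH amount=200
2016-11-30T02:14:09 DISPENSE bills=10
2016-11-30T03:41:12 DISPENSE bills=40
2016-11-30T03:41:40 DISPENSE bills=40
2016-11-30T03:42:08 DISPENSE bills=40
2016-11-30T03:42:37 DISPENSE bills=25
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_unauthorized_dispenses(SAMPLE_LOG)
    for e in hits:
        print(f"{e.ts.isoformat()} unauthorized dispense of {e.bills} bills")
    print(summarize(hits))
```

The check deliberately consumes one authorization per dispense rather than testing "was there any authorization recently", since the latter would let a single genuine withdrawal mask a whole run of cap-sized dispenses that follows it.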

Alice’s Features and Other ATM Threats

Alice allows third parties to connect to the affected ATM using RDP (Remote Desktop Protocol), which in theory would let them collect money remotely. However, security researchers have noted that this feature has not been observed in the wild. One reason is that the attackers would first need the affected ATM's RDP password, which would require a brute-force attack or another elaborate operation that could expose them. ATM threats have been around for nearly a decade; the first ATM threat variants were observed in 2007. In general, an ATM threat either lies hidden, collecting card data and sending it to the con artists, or it is designed to let the con artists take control of the ATM. Although Alice falls into the second category, it is quite different from other ATM families.

The Probable Future of Alice and Other ATM Threats

One way in which Alice is different is that it does not let third parties control the ATM through its number pad. Rather than writing a module to handle communication between the threat and the PIN pad, Alice's creators focused simply on making the affected ATM dispense money. One reason Alice is so narrowly focused may be that its creators are less sophisticated than other threat developers. Collecting card data and reselling it is a time-consuming process, while collecting cash directly cuts down on complexity and makes the task easier. There are hundreds of thousands of ATMs around the world, many of them poorly guarded, and threat researchers expect an explosion in the number of ATM threats like Alice in the coming years.
