Project Alice is the name that an individual or a group of threat authors have opted to use for their piece of ATM malware, which was discovered by cybersecurity experts in December 2016. Although the threat was only identified recently, many malware experts suspect that it has been active for over two years, and that during this time it was able to take hundreds or thousands of dollars from banks around the world. Alice is a truly interesting piece of ATM malware because it works in a rather simple, yet efficient way that is usually not found as a feature in some of the most popular pieces of ATM malware.
Infecting an ATM with malware is never an easy task for cyber crooks, and it may be even more difficult for the operators of Alice because this threat requires physical access to the device’s USB ports or CD-ROM drive. Keep in mind that ATMs are regular computers that run some version of the Windows operating system, and the interface their users see is usually specialized ATM software. The Alice threat also may be used to infect a regular computer that runs Windows, but this will not lead to any harmful consequences, since this threat is only able to disrupt the operations of ATM devices.
Usually, the authors of ATM malware implement a long list of corrupted modules in their products so that they’ll be able to perform all kinds of operations once they infect an ATM device – collect credit card data, log PIN codes, manipulate transactions, etc. However, Alice works in an entirely different way – once the cyber crooks acquire physical access to the ATM device’s ports and deploy Alice’s payload, they need to connect a keyboard to operate the payload. Upon launch, Alice asks the user to enter a 4-digit PIN code required to gain access to the threat’s panels. This simple security measure serves two purposes:
- It prevents bank employees from accessing the threat’s interface and discovering that their ATM has been infected.
- The unique PIN codes can be used as personal identifiers, since Alice’s operators use money mules to carry cash away from ATMs.
The usage of money mules is older than ATM malware, but the authors of Alice have opted to take advantage of it because it is less risky for them. They offer common crooks the opportunity to get their hands on Alice in exchange for a fraction of the profits they make via the threat. Every operator of Alice receives a unique PIN code that also serves as an identification number, which allows the authors of the threat to keep track of where the threat is being used, as well as how much money it has collected. The way Alice takes money is very peculiar – it simply instructs the ATM device to empty its cash cassettes. Since most ATM devices are limited to dispensing 40 bank notes at a time, the crooks using Alice may have to repeat the operation multiple times to get away with as much money as possible.