Criminals steal from Windows XP cash machines using text messages


Symantec has detailed how criminals are using text messages to fraudulently withdraw cash from Windows XP cash machines that have already been infected with malware.

The operating system and its variants run on around 95 per cent of the world's cash machines and support for the OS runs out on April 8 this year.

Regardless of the deadline, it has been found that criminals are already stealing money from XP-based cash machines. The attack does not rely on a remotely exploitable flaw in the operating system itself: the malware has to be planted on the machine first, which means the criminals need physical access to it.

First found in Mexico, malware by the name of Ploutus allows criminals to text a message to an infected cash machine and retrieve money dispensed from it.

In a blog post, Daniel Regalado, a malware analyst at Symantec, said the risk is not a hypothetical one but one that is already being exploited.

"With the looming end-of-life for Windows XP slated for April 8, 2014, the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet," he said.

"It may seem incredible but this technique is being used in a number of places across the world at this time."

To carry out the theft, criminals first have to open the cash machine and install a mobile phone inside it, connecting it to the ATM over USB tethering so that the phone is both powered by the machine and attached to it as a network device. When the phone receives a text message in a specific format, it converts the message into a network packet and forwards it to the ATM over the USB link, where the malware running on the machine is listening for it.

The first message carries an activation ID that starts the malware on the cash machine. A second message then gives it a valid command to dispense money.
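The defensive takeaway from the procedure above is that the attack leaves a footprint on the ATM host before any money moves: a network adapter that was not there when the machine was commissioned. The script below is an added example, not code from the article or from Symantec, and it does not model the malware or its message format. It diffs a commissioning-time adapter inventory against a current one and raises a high-severity alert when a newcomer looks like a USB-tethered phone. The inventory line format, adapter names, MAC addresses and IP addresses are constructed for the example; the "Remote NDIS" marker is an assumption about how Windows names tethered Android phones, not something the article states.

```python
# Added example: baseline diff of network adapters on an ATM host.
# Not part of the original article; inventory data below is constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    description: str
    mac: str
    ipv4: Optional[str]


def parse_inventory(text: str) -> List[Interface]:
    """Parse an assumed inventory format: name|description|mac|ipv4 per line.

    ipv4 may be empty. Blank lines and '#' comments are ignored; a line with
    the wrong number of fields is rejected rather than silently skipped, so a
    truncated export cannot hide an adapter.
    """
    ifaces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"malformed inventory line: {raw!r}")
        name, desc, mac, ipv4 = parts
        ifaces.append(Interface(name, desc, mac.lower(), ipv4 or None))
    return ifaces


# Assumption: adapter descriptions a USB-tethered phone presents on Windows.
# "Remote NDIS" is the driver class Android tethering commonly uses.
TETHER_MARKERS = ("remote ndis", "rndis", "usb ethernet", "tethering")


def is_tethering_adapter(iface: Interface) -> bool:
    desc = iface.description.lower()
    return any(marker in desc for marker in TETHER_MARKERS)


def find_unexpected(baseline: str, current: str) -> List[Interface]:
    """Return adapters in `current` whose MAC is absent from `baseline`."""
    known = {i.mac for i in parse_inventory(baseline)}
    return [i for i in parse_inventory(current) if i.mac not in known]


def assess(baseline: str, current: str) -> dict:
    """Diff the inventories and grade each unexpected adapter."""
    unexpected = find_unexpected(baseline, current)
    alerts = []
    for iface in unexpected:
        tethered = is_tethering_adapter(iface)
        alerts.append({
            "severity": "high" if tethered else "medium",
            "adapter": iface.name,
            "mac": iface.mac,
            "ipv4": iface.ipv4,
            "reason": "adapter not in commissioning baseline"
                      + (" (USB tethering class)" if tethered else ""),
        })
    return {"unexpected": unexpected, "alerts": alerts}


# Constructed commissioning baseline for one ATM host.
BASELINE = """
# recorded at commissioning
Local Area Connection|Intel(R) PRO/1000 MT Network Connection|00:1b:21:3a:4c:5d|10.20.30.41
Loopback|Microsoft Loopback Adapter|02:00:4c:4f:4f:50|127.0.0.1
"""

# Constructed current inventory: same two adapters plus a tethered phone.
CURRENT_INVENTORY = """
Local Area Connection|Intel(R) PRO/1000 MT Network Connection|00:1b:21:3a:4c:5d|10.20.30.41
Loopback|Microsoft Loopback Adapter|02:00:4c:4f:4f:50|127.0.0.1
Local Area Connection 2|Remote NDIS based Internet Sharing Device|0a:6f:11:22:33:44|192.168.42.129
"""

if __name__ == "__main__":
    for alert in assess(BASELINE, CURRENT_INVENTORY)["alerts"]:
        print(alert)
```

The diff is keyed on MAC address so that a legitimate DHCP lease change on the wired NIC does not trigger an alert; because a MAC can be set by the attacker, the check belongs alongside physical tamper switches and a locked-down device policy rather than replacing them.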

The IT security firm said that it has now detected variants of the malware localised in the English language, which suggests criminals are now seeking to expand their operations to other countries.

Other "improvements" to the code mean that withdrawals are now automated, and the money mules sent to collect the cash no longer need to be given access codes for the malware, so the master criminal has complete control over each withdrawal.

"Using SMS messages to remotely control the ATM is a much more convenient method for all of the parties in this scheme, because it is discreet and works almost instantly. The master criminal knows exactly how much the money mule will be getting and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash," said Regalado.

As reported by IT Pro, banks are facing the prospect of paying Microsoft millions in order to keep cash machines running Windows XP or Windows XP Embedded supported after the April deadline.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.