Banking and Finance

News in Houston this morning reported a Bank of America ATM spitting out hundred dollar bills. Apparently this is not the first time. A quick Google search shows several instances of ATM hacking in Houston, some sounding like our Jackpotting report about a year ago. It might be worth having another look...

Wapack Labs reported on similar activity. Although it may not be related, we detailed how one piece of malware could be used to 'jackpot' an ATM, that is, program the ATM to spit out money until the cassettes were empty:


Wapack Labs observed ATM malware being sold on the dark web site ATMjackpot (ATMJ). The ATMJ malware targets all models of Wincor Nixdorf ATMs.

ATMJ explains that the Wincor 200xe ATMs are the easiest cash machines to exploit. The malware currently costs $1500.00 in Bitcoin for the first month (beginning 15 October 2017). After the first month, the ‘registration’ fee will be doubled. $1500.00 buys the buyer 1 credit, which is valid for one-time use on one ATM.

To execute the attack, users must log in to their ATMJ account and receive a code (for 1 credit). The malware will then show the attacker the amount of cash in each money cassette that resides inside the ATM. The malware will then bypass the normal ATM system processes and the ATM will dispense all the bills in a desired cassette. ATMJ provides video links on their Tor site, demonstrating the method to fraudulently withdraw money.

ATMJ provides a free 10-page step-by-step Word document that explains how to use its malware. The guide describes in detail the tools required and the software instructions, and covers different types of ATMs, including how the ATMs operate and how to find the interior USB ports. To properly execute an ATM attack, attackers need to purchase a development board called Teensy 3.2, which is available on Amazon for $29.95. ATMJ provides source code (free to download) that must be programmed to the Teensy 3.2. Once programmed and plugged into the USB hub, the ATM will automatically locate the suspect flash drive and run both cm17F.exe and stimulatior22.exe on the ATM. From this point on the attackers must follow the .docx ATMJ guide to finish the attack.
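
For defenders, the sequence described above (a USB device attached inside the cabinet, then executables run from the flash drive) can be hunted for in endpoint telemetry. The sketch below is an added example and not part of the Wapack Labs report: it runs over constructed, normalized log lines, and the log format, host names and five-minute window are assumptions; only the two file names come from the text.

```python
from datetime import datetime, timedelta

# File names the report says are run from the flash drive (from the text above).
REPORTED_NAMES = {"cm17f.exe", "stimulatior22.exe"}
WINDOW = timedelta(minutes=5)  # assumption: how long after a USB attach counts as "soon"

# Constructed, normalized events (not real ATM telemetry): time|host|event|detail
SAMPLE_LOG = """\
2017-10-20T02:11:04|atm-0412|usb_attach|class=HID
2017-10-20T02:11:09|atm-0412|usb_attach|class=MassStorage drive=E:
2017-10-20T02:11:31|atm-0412|proc_start|E:\\cm17F.exe
2017-10-20T02:11:40|atm-0412|proc_start|E:\\stimulatior22.exe
2017-10-20T09:30:00|atm-0977|proc_start|C:\\Program Files\\Vendor\\app.exe
2017-10-20T10:02:00|atm-0555|usb_attach|class=MassStorage drive=F:
2017-10-20T10:03:10|atm-0555|proc_start|F:\\service_tool.exe
"""

def parse(log):
    """Yield (time, host, event, detail), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            yield (datetime.fromisoformat(parts[0]), *parts[1:])

def detect(log):
    """Return (host, file name, reasons) for suspicious process starts."""
    alerts, last_attach, mounted = [], {}, {}
    for ts, host, event, detail in parse(log):
        if event == "usb_attach":
            last_attach[host] = ts
            if "drive=" in detail:  # remember removable drive letters per host
                mounted.setdefault(host, set()).add(detail.split("drive=")[1][:2].upper())
        elif event == "proc_start":
            name = detail.rsplit("\\", 1)[-1].lower()
            reasons = []
            if name in REPORTED_NAMES:
                reasons.append("reported-filename")
            if detail[:2].upper() in mounted.get(host, ()):
                reasons.append("run-from-removable")  # catches renamed binaries too
                if ts - last_attach[host] <= WINDOW:
                    reasons.append("soon-after-usb-attach")
            if reasons:
                alerts.append((host, name, tuple(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The third constructed host shows why the behavioural rule matters: a binary with an unlisted name is still flagged because it ran from removable media shortly after a USB attach.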

The full report is available in Wapackapedia, Wapack Labs' Media Wiki in the Cyber Threat Analysis Environment:$$/TR-141-2017_ATMjackpot_Selling_ATM_Malware


Jeff Stutzman
