ATM hacks, how safe is your cash?

Mar 06 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that exposes more fraudulent activity than a leaked Matt Hancock email.

Today’s hottest cyber security stories:

  • They Mexican’t get away with this! Mexican ATMs compromised
  • Don’t get bitten by WhiteSnake
  • Freeze, this is a stick up! Hand over the data and nobody gets hurt!
  • Indigo to hell, Russian hackers!


Planning a trip to Mexico? Pick up your Pesos at the Post Office before you leave would be our advice. Aside from the favourable exchange rate, you’ll avoid the latest nasty strain of ATM infecting malware.

The new infection, dubbed FiXS, has been rearing its ugly head all over the otherwise charming country with the frequency (and potency) of the tequila bars and taco stands.

Having first been detected in February 2023, FiXS is spreading like Wild Fire hot sauce… Not a sponsor. Good, though!

ATM scams are nothing new of course but this latest instance is sneakier than El Chapo when it comes to evading capture, as Latin American cybersecurity firm Metabase Q explains…

It said: “”The ATM malware is hidden inside another not-malicious-looking program.” Ah, the Trojan Horse effect. We know it all too well.

So, let’s get technical for just a hot minute…

Another thing that sets FiXS apart is its ability to dispense money 30 minutes after the last ATM reboot by leveraging the Windows GetTickCount API.

The sample analysed by Metabase Q is delivered via a dropper known as Neshta (conhost.exe), a file infector virus that’s coded in Delphi and which was initially observed in 2003.

FiXS is implemented with the CEN XFS APIs which helps to run mostly on every Windows-based ATM with little adjustments, similar to other malware like RIPPER,” the cybersecurity company said.

“The way FiXS interacts with the criminal is via an external keyboard.”

Stay safe out there, amigos!


There’s a snake on the loose, folks. This particular snake is named Whitesnake and like a twister it was born to F*** S*** UP.

It’s a new info-stealer dubbed WhiteSnake has been observed targeting both Windows and Linux users.

The malware, being offered via MaaS subscription (more on this below!), is designed to gather a range of sensitive information, including:

  • Credit card numbers
  • Passwords
  • Screenshots from the victim’s system

Its operators are reportedly updating the malware binary on a daily basis, as it is still in its development phase.

Hang on, what the hell is ‘Maas’?

Maas is for the masses. And it’s got masses of malware for masses of scam artists, hackers, and other would-be wankers of the cyber persuasion.

Honestly, this is what stood out to us the most from this story. So, Maas is basically like a supermarket for cyber criminals.

They rock up to the online superstore (presumably located on Dark Web Street), Bitcoins in hand, and peruse the isles looking for the most scrumptious scams to pop in their baskets and subscribe to, so that they can unleash them on you, and me, the unsuspecting masses.

Although WhiteSnake info-stealer is still in its development phase, its potential victim base has been expanded upon by the development of both Windows and Linux variants.

Here we go again on our own…


Hackers held up a website at gun point – point of sale, that is!

The targeted site allows people to buy and sell guns, and the malware its been infected with exposes the identities of its users.

The breach exposed reams of sensitive personal data for more than 550,000 users, including customers’:

  • Full names
  • Home addresses
  • Email addresses
  • Plaintext passwords
  • Phone numbers

Also, the stolen data allegedly makes it possible to link a particular person with the sale or purchase of a specific weapon. This could be massive if any of these weapons are used to commit crimes, which is certainly a possibility.

Troy Hunt, a cybersecurity expert who runs the popular data breach repository and alerting service Have I BeenPwned, said:

“With this data, you can then take a public listing…and resolve it back to the [data in the stolen database] so you have the name, email and physical address and phone number of [the seller] and presumably, the location of the gun.”

Only in America, eh guys?


Subscribers may remember we covered Indigo, the Canadian bookseller, who was embroiled in a ransdomware stand off with hackers who basically locked them out of the system and a week went by and them more time and nobody knew what was going on.

Well, we have an update. And it seems like good news!

We don’t negotiate with terrorists!

Indigo said: “Given we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists, Indigo has determined it would be inappropriate to pay the ransom.”

It’s refreshing to see a company stand up to these bastard ransomware hackers. And so far, the criminals haven’t published any data or done anything. Here’s hoping they’ll admit defeat and move on. 

So yeah, Indigo For The WIN! 

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles