Bank of America Employee & ATM Malware

A Bank of America employee installed malicious software on their ATMs allowing him to make thousands of dollars in fraudulent withdrawals without leaving so much as a transaction record, according to prosecutors.  Rodney Caverly, 37, was a member of the bank’s IT staff when he installed the malware.  He then made fraudulent withdrawals over a seven-month period ending in October 2009, and is now charged with one count of computer fraud.

The government won’t say how much money Caverly stole; the charging document (.pdf), filed April 1, states only that his payoff surpassed the statutory minimum of $5,000.  According to court records, he has entered into a plea agreement with prosecutors and is set to appear in court on April 13.  

Caverly was formerly the founder and CEO of Sovidian LLC, a North Carolina-based software development company established in 1999.  The company merged in April 2003 with Data On CD, a document management and archiving firm.  Caverly took the job with Bank of America some time around 2007. 

The code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture bank card PINs and magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was in it.  At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR.