Saturday, May 20, 2017

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves have been arrested across Europe for participating in a ring that conducts ATM Black Box attacks. The arrests were conducted in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017. Much of the data about how the attacks are conducted is being shared between member countries and the institutions within those countries by a little-known group called E.A.S.T. and their Expert Group on ATM Fraud (EGAF). When EAST holds their Financial Crime & Security Forum next month, members will also want to attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals identify access points in the physical architecture of the ATM that grant them access to cables or ports, allowing them to attach a laptop to the internal computer of the ATM. Once attached, the laptop can issue commands to the ATM resulting in the ultimate payout, a full distribution of all of the cash in the machine!

The technique of causing an ATM to dump all of its cash is called "Jackpotting." Most of us first heard about jackpotting as a result of the Barnaby Jack presentation at BlackHat 2010, which he repeated on two models of ATMs for DEF CON 18 (video link below):

Barnaby Jack at DEF CON 18

Last September, Kaspersky demonstrated an ATM Black Box. In their proof-of-concept approach, however, the criminals physically open the computer using a maintenance worker's key and flip a physical switch in the ATM to cause it to enter Supervisor mode. The Black Box is connected to the ATM through a simple USB port that was at that time available in most ATMs.

Black box demo video from Kaspersky


The new Europol arrest report shows that the current evolution of ATM Black Box attacks is to physically cut into the ATM with drills, saws, or acetylene torches, and gain physical access to cables to which the laptop or black box will be attached. In the current round of Black Box attacks, the target is not the ATM Computer, but rather the cables that connect the ATM computer to the Banknote Dispenser. By directly connecting to the Dispenser, the connected laptop's malware simply issues commands to the Dispenser that normally would come from the ATM Computer and gives the order to dispense bills.

Image from Europol


Information shared in the EAST working groups has produced some uncharacteristically good news in this space! Although the number of ATM Black Box attacks went up considerably, with 15 attacks in 2015 and 58 attacks in 2016, many of these attacks were unsuccessful. In their 11APR2017 report, EAST explained:

[In 2016] a total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

and illustrated this information with the following chart:

from EAST Report on ATM Fraud



The mitigation guidelines issued by EAST should be significantly updated at the upcoming meeting with guidance on Logical Attacks, Black Box Attacks, and Explosive Attacks, as well as Regional ATM Crime trend reports from Europol, Russia, the US Secret Service, Latin America, and ASEANAPOL.

Other ATM Attacks Still Dominate 

While ATM Black Box attacks are interesting, as the chart above shows they aren't where most of the money is being stolen. Traditional skimming and white-carding are still stealing over 300 Million Euros per year, while physical attacks of other sorts claimed nearly 50 Million Euros in 2016 alone!

One other trend that is sweeping Europe is the technique of pumping an ATM full of an explosive gas to blow the front off the machine, giving the criminals access to the full contents of the dispenser. The Italian police shared this interesting video of the technique:

Italian police shared this video from Feb 2013

This technique was recently used by two British men to blow up at least thirteen ATMs along the Costa del Sol in Southern Spain. In the first half of 2016, 492 ATM Explosive attacks occurred across Europe, yielding the criminals an average of $18,300 per attack! For the full year-over-year comparison, in 2015 there were 673 ATM Explosive attacks in Europe, and in 2016 there were 988 such attacks. This accounts for roughly 1/3rd of the Physical attacks on ATMs in the EAST reporting.

Skimming dominates arrests to date

While we aren't sure exactly which attacks are included in the statistics above, the arrests of several major ATM-attacking gangs have previously been disclosed. While jackpotting arrests are rare, there must be a hundred reports of arrests for implanting skimming devices and creating counterfeit ATM cards based on the results.

One rare Jackpotting arrest was in January 2016 when a Romanian ATM attack gang was arrested for attacks in Germany, France, Norway, Sweden, Poland, and Romania. In that case, the Tyupkin trojan, targeting a particular model of NCR ATMs, was inserted by gaining physical access to the ATM and booting a malicious CD in the ATM computer. (See www.zdnet.com/article/atm-malware-gang-behind-euro-attacks-targeted-in-police-swoops/).

In April 2016, the Italian police arrested 16 Romanians for running a large ATM skimming ring that stole at least €1.2 million.

In May 2016, the French Gendarmerie of Pau, in cooperation with the Italian State Police and Europol, arrested nine for running an ATM Skimming Ring that stole more than 500,000 Euros.

In March 2017, a group of five Romanians were arrested for skimming in York County, Pennsylvania as well.