ATM / POS Fraud , Endpoint Security , Fraud Management & Cybercrime

Police Bust ATM Black Box Hacking Suspects

Jackpotting Attacks Trick ATMs Into Cashing Out on Demand
Police Bust ATM Black Box Hacking Suspects
An ATM targeted in a black box attack. (Source: Europol EC3)

Coordinated police operations in Europe have resulted in the arrest of 17 suspects as part of an EU-wide investigation into ATM black box attacks, according to the EU's law enforcement intelligence agency, Europol. Such attacks trick an ATM cash dispenser into dispensing cash on demand, which is referred to as a "jackpotting" or "cash-out" attack.

See Also: The Route to Trusted IDs

Europol's European Cybercrime Center, or EC3, as well as the EU Joint Cybercrime Action Taskforce - J-CAT - helped coordinate operations, which led to police in seven countries making arrests.

Police arrested suspects in the following countries: Czech Republic (3 suspects), Estonia (4), France (11), the Netherlands (2), Norway (3), Romania (2) and Spain (2). The suspects were first identified in 2016 as well as this year, Europol says.

"Perpetrators involved in ATM black box attacks come mainly from countries such as Romania, Moldova, Russia and Ukraine," Europol says. "Some of the investigations are still ongoing and further arrests are expected in the near future."

Steven Wilson, head of Europol's EC3, notes: "Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe."

Europol spokesman Alex Niculae tells Information Security Media Group that the arrests in Norway and Spain occurred this year, while the other arrests took place in 2016.

Jackpotting Attacks Rise in Europe

Black box attacks involve logical attacks against ATM hardware, typically using custom-built software together with purpose-built hardware - or a laptop - that attackers directly connect to the device, for example, via a USB port.

"Criminals gain access to the ATM top box usually by drilling holes or melting in order to physically connect such device," according to Europol. "The device can send relay commands that cause the ATM to dispense all cash. Therefore, losses can be significant and counted in hundreds of thousands of euros."

The European ATM Security Team - EAST - reports that criminals in Europe carried out ATM black box attacks in 10 European nations in 2016. The 28 European countries that participate in EAST collectively reported 58 such attacks in 2016, compared with just 15 in 2015. Even so, in the same time frame, losses fell by one-third, from €740,000 ($825,000) to €450,000 ($500,000).

Experts say that the majority of black-box attack attempts don't succeed.

"While the rise in ATM black box attacks is a concern, we are pleased to note that many of these attacks were not successful," says Lachlan Gunn, executive director of Edinburgh-based EAST. Since 2015, EAST has also worked with Europol to disseminate best practices for preventing logical attacks against ATMs, including blocking black box attacks.

ATM vendors such as NCR offer guidance for ATM operators about how to best protect machines from logical attacks.

But EC3's Wilson says more work needs to be done to make ATMs harder to hack. "The arrest of offenders is only one part of stopping this form of criminality," he says. "Increasingly, we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place. This industry and law enforcement cooperation, combined with the work with banks and prosecutors, can make a major difference in stopping this growing form of crime."

ATM-Related Fraud Losses Rise

Source: EAST

While criminals' haul from black box ATM attacks declined from 2015 to 2016, overall levels of ATM-related fraud in Europe increased during that time period by 2 percent - from €327 million ($364 million) to €332 million ($370 million).

EAST estimates the average losses in 2016 for a ram raid or burglary attack at €14,890 ($17,000); an explosive attack at €17,403 ($19,000); and for a robbery at €20,293 ($23,000). "These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks," according to a report from EAST.

Physical attacks against ATMs in Europe rose to 2,974 in 2016 from 2,657 in 2015 - an increase of 12 percent. Such attacks include explosive gas and solid explosive attacks against ATMs, which increased 47 percent - from 673 to 988 incidents - in the same time frame (see Attackers 'Hack' ATM Security with Explosives).

Losses related to physical attacks against ATMs, in both 2015 and 2016, remained unchanged at €49 million ($55 million) per year.


May 22: Story updated to reflect that related arrests took place this year as well as in 2016.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.