The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM "Black Box" attacks across Europe.
Perpetrators responsible for this new and sophisticated method of ATM jackpotting were identified in a number of countries over different periods of time in 2016 and 2017. There were arrests in the Czech Republic (3), Estonia (4), France (11), the Netherlands (2), Romania (2), Spain (2) and Norway (3).
The ATM "Black Box" phenomenon first appeared in Western Europe in 2015, but most arrests took place in 2016 and 2017, with the most recent in Spain this month.
"Black Box" is a type of ATM logical attack in which an unauthorised device (usually an unknown box or a laptop) is connected to the ATM and sends dispense commands directly to the ATM cash dispenser in order to "cash out" the ATM. Criminals usually gain access to the ATM top box by drilling or melting holes in order to physically connect such a device. The device can send relay commands that cause the ATM to dispense all of its cash. Losses can therefore be significant, running to hundreds of thousands of euros. This new modus operandi also demonstrates connections between illegal cash-outs, owing to the cyber-related techniques used in the background.
Europol’s European Cybercrime Centre organised 4 operational meetings in 2016 and 2017 at its headquarters in The Hague to tackle this rising threat appropriately.
The following 20 countries took part in meetings in order to exchange intelligence and experience related to this new type of ATM threat: Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Italy, the Netherlands, Poland, Romania, Slovak Republic, Slovenia, Spain, the United Kingdom, Moldova, Norway and the United States.
Perpetrators involved in ATM Black Box attacks come mainly from countries such as Romania, Moldova, Russia and Ukraine. Some of the investigations are still on-going and further arrests are expected in the near future.
The EC3 Analysis Project (AP) Terminal, which is involved in the operational coordination of cases at the European level, also cooperates with the ATM industry in order to detect Black Box incidents properly. It is worth stressing that most attacks are unsuccessful attempts, as joint public and private cooperation in this domain is improving. This release should serve as a warning to those who try to commit such attacks, and should also encourage the ATM industry to implement proper protective measures against the threat.
A newly published report from the European ATM Security Team (EAST) discloses that criminals carried out ATM Black Box attacks in 10 reporting countries during 2016. According to the EAST 2016 Crime Report, its National Members reported 58 such attacks in 2016, compared with 15 in 2015, a 287 percent increase. Losses linked with overall ATM-related fraud also rose 2 percent compared with 2015 (up from €327 million to €332 million).
Steven Wilson, Head of Europol’s European Cybercrime Centre, said: "Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However, the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place. This industry and law enforcement cooperation combined with the work with banks and prosecutors can make a major difference in stopping this growing form of crime."
EAST Executive Director Lachlan Gunn said: "While the rise in ATM Black Box attacks is a concern, we are pleased to note that many of these attacks were not successful. The EAST Expert Group on ATM Fraud (EGAF) collaborates with Europol’s EC3 and produced 'Guidance and recommendations regarding logical attacks on ATMs' released jointly in 2015 and available for law enforcement and industry in English, German, Spanish, and Italian languages. The document is intended to help the industry counter such attacks."