No Card Required: 'Black Box' ATM Attacks Move Into EuropeJackpotting Attacks Cost Banks Nearly $2 Million
Fraudsters are now gingerly testing the waters in central and Western Europe with attacks that drain cash machines of their funds, according to a trade group that studies criminal activity around ATMs.
The European Association for Secure Transactions, or EAST, says the attacks, sometimes referred to as "jackpotting," rose 231 percent in 2017 compared to 2016. Last year, 193 incidents were reported compared to 58 in 2016.
EAST published its year-end report on ATM attacks, which covers some 367,000 ATM in 21 European countries. There are about 413,000 ATMs in Europe.
Most of the 192 incidents were logical attacks. Those incidents usually involve attaching some sort of device, referred to as a black box, to an ATM. The black box then uses native ATM commands to cause the machine to dispense all of its cash.
Three of incidents, however, involved planting malware on ATMs, which occurred in two countries in central and western Europe for the first time, EAST says. All told, the 192 incidents caused $1.88 million in losses.
The banking industry has been bracing for ATM attacks since the first proof-of-concept attacks from security researchers appeared nearly a decade ago. Since then, incidents have become more prevalent, with criminals leveraging thorough knowledge of ATM software and hardware to steal cash.
Earlier this year, the U.S. Secret Service warned that jackpotting attempts had come to the U.S. The attacks used malware known as Ploutus.D, a variant of a malware first seen in Mexico. The malware was used in attacks against stand-along ATMs, mostly two older ATM models from Diebold Nixdorf, in big-box retailers and pharmacies, reported security blogger Brian Krebs (see First ATM 'Jackpotting' Attacks Hit US).
Black box attacks usually involve attaching a device to an open USB port. Rather than use software vulnerabilities, the malware mounts a "logical" attack, using the native protocols, middleware and communication within an ATM to achieve a fraudulent outcome.
Malware, such as Cutlet Maker, has also been used, but not in central and Western Europe until last year, says Lachlan Gunn, EAST's executive director.
Cutlet Maker is a "a run-of-the-mill program with a mildly amusing user interface," Trend Micro wrote in December. It runs from a USB stick and uses a dynamic link library from Diebold Nixdorf to send commands to the cash machine's dispensing unit, the company reported.
Gunn says such logical and malware attacks are continuing this year. Many logical attacks, however, aren't successful. Major ATM makers, such as NCR and Diebold Nixdorf, have issued guidance on how deployers can secure their machines. As a result, losses from black box attacks dropped off in the second half of last year, EAST notes.
Law enforcement has also been active. In May 2017, Europol announced the arrests of 17 suspects, most of originated from Romania, Moldova, Russia and Ukraine, for alleged involved in black box attacks (see Police Bust ATM Black Box Hacking Suspects).
Skimming, or the copying of payment details from the back of a card's magnetic stripe, continues to fall in the region. EAST attributes the continue decline to the broader implementation of the EMV standard.
Skimming fell 23 percent in 2017, with a total of 2,556 attacks. But the losses were 7 percent higher than 2016 at around 343 million. Banks that have implemented geo-blocking of cards that are suddenly used in unexpected places have been successful at minimizing losses, EAST says.
The EMV standard employed cards with a special microchip that's used to verify the card is authentic. If a fraudster copies a magnetic stripe of an EMV card and tries to use it in an ATM, the ATM should reject a card that is supposed to have a chip but doesn't.
As a result, EAST says there's been a shift toward lower-tech attacks, such as trapping the chip-enabled payment card in the machine and retrieving it later.
"If the PIN has been compromised, trapped EMV cards can be used by criminals to illegally withdraw cash from EMV compliant ATMs, and subsequent POS (point-of-sale) and CNP (card not present) transactions, until blocked by the card issuer," EAST says in its report.
But even that kind of attack fell 63 percent in 2017 compared to 2016.