ATM heists: 27 arrested as police move against ‘black box’ attacks

Europol has confirmed the arrests of 27 people accused of being connected to a growing spate of “black box” attacks on bank ATMs.

The suspects were picked up in a number of countries in the last 18 months, with 11 arrests in France, four in Estonia, three each in Norway and the Czech Republic, and two each in Spain, Romania and the Netherlands, the organisation said.

At a time when global cybercrime’s attention has shifted to spectaculars such as the recent WannaCry Worm-ransomware, ATM heists in which criminals siphon money from hole-in-the-wall cash machines might seem like a relic from a bygone age.

In fact, ATM attacks have been a constant menace over the last decade, initially using card skimmers and fake keypads and even cameras designed to record PIN numbers.

As this tactic’s effectiveness waned with better physical security, thieves moved on to hacking into remote ATM management, targeting machines directly using malware.

This brings us to extraordinary fact number one – it seems that many ATMs still run Windows XP. Finding vulnerabilities to use against such vulnerable and (in the case of ATMs) rarely patched software wasn’t exactly hard.

Attackers had two options, the more involved of which was to intercept card details and PINs entered by customers, allowing hackers to clone cards which could be used to withdraw funds.

The second and most brazen option was simply to remotely instruct the ATM to start spitting cash at a given moment to a waiting money mule.

But as ATM vendors have started implementing software countermeasures, European criminals have gone back to old-style physical attacks with a twist. Instead of skimming cards, the new trend has been to cut physical holes in ATMs (the location of which varies by vendor), connecting the dispenser to an external “black box” that tells the machine to dispense money.

Europol’s arrest announcement includes two images of this.  The technique is both alarmingly simple – the external black box can be an ordinary smartphone so no complicated hardware is required – but also surprisingly sophisticated.

In one incident, the criminals even set the black box up to spoof the connection between the dispenser and the ATM’s controller so that everything would appear to be normal from the machine’s side.

It’s been apparent for years that there is a developed criminal underworld that specialises in targeting ATMs. But the black box attacks suggest it’s one that has put in the research hours to find weaknesses that can bypass every new defence.

Part of the problem is simply that ATMs were designed long before specially written malware and powerful smartphones existed. The once-hailed standardisation on operating systems such as XP turned out to have downsides.

Vendors have responded to black box attacks by encrypting internal ATM communication channels and retrofitting physical protection and alarms to make it harder to attack the physical interfaces.

Nevertheless, the message from the latest arrests is that even the best physical and software security is only ever a stopgap. It turns out that cybercrime is like old-world crime after all – the answer is to catch the people stealing stuff.