ATM explosive attack gang members arrested in successful Police operation

On 17 May 2022 three people were arrested in the Netherlands in connection with a series of ATM explosive attacks in Germany.  The arrests, which took place in Haarlem and Vianen, followed the arrests of 3 other members of the same criminal group on 30 March 2022 in Hessen, Germany.

This gang is believed to have targeted 8 ATMs in Germany between October and November 2021, stealing over €958,000 in cash.  Typically these attacks took place in the early hours of the morning – to access the cash the gang blew open the ATMs with explosives.  These explosions caused nearly €1 million in collateral damage to the buildings where the ATMs were located and the criminals showed reckless disregard for the safety of people in the vicinity of the attacks, or living nearby.

International Police Operation

The arrests were made by the Dutch Police (Politie Noord-Holland), working together with the German Police Directorate of Hochtaunus (Polizeidirektion Hochtaunus).  Europol coordinated the operation (Op Pfeil/Pentagon), which was the culmination of many months of meticulous planning between the German and Dutch authorities.  Europol brought together the national investigators, who have been working closely together with Europol’s Serious Organised Crime Centre, to establish a joint strategy to take down the criminal gang. On the action day a Europol mobile office was deployed to Haarlem to facilitate the extensive exchange of information and evidence, and to support with the analysis of the seized electronic devices.

Police Appeal

In addition to the 6 members arrested so far, law enforcement is seeking to identify a seventh member of this gang.  The German Prosecutor General’s Office Frankfurt am Main are urging members of the public with information to come forward. Anyone who has any knowledge of these fugitives’ whereabouts should get in touch with any information that can help to track down the fugitives.

Cross Border Cooperation

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP) is a cross-border European specialist expert forum for discussion of ATM, ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices.  The Group meets twice each year to enable in-depth and technical discussion to take place. The 17th EAST EGAP Meeting took place on 2nd March 2022.  Information exchange linked to the prevention of ATM explosive attacks is a key focus of the Group.

EAST EGAF holds 26th Meeting in Amsterdam

The 26th Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 11th May 2022 at ING Bank in Amsterdam.  This was the first in-person EGAF meeting since January 2020.  The hybrid meeting was chaired by Otto de Jong from ING Bank.

It was attended by 26 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts. 10 people were in the room and there were 16 virtual participants.

Experts from the following organisations contributed to the meeting: Atruvia AG, Bits A/S, BKA, BVK, Cartes Bancaires (CB), Cennox, Damage Control, Diebold Nixdorf, Europol, Gendarmerie Nationale (IRCGN), GMV, Group-IB, INTERPOL, LINK Scheme, Mastercard, NatWest Group, NCR, Polish Bank Association, PSA, Swedish National Anti-Fraud Centre, TietoEVRY, TMD Security, and Worldline.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Discussion at the meeting focussed on two recent EAST Fraud Alerts relating to Active Shimmer (Wedge) / Relay attacks.

EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 270 Fraud Alerts have been issued as can be seen in the table below.

‘RaidForums’ marketplace taken down

The U.S. Department of Justice (DOJ) has seized the website and user database for RaidForums, a cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums, 21-year-old Diogo Santos Coelho, of Portugal, with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.  Two accomplices have also been arrested.

Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users.  This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.  These datasets were obtained from data breaches and other exploits carried out in recent years.

Europol’s European Cybercrime Centre coordinated Operation TOURNIQUET, a complex law enforcement effort to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The operation was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action, which enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.

The following authorities took part in the RaidForums investigation:

  • Sweden: Swedish Police Authority (Polisen)
  • Romania: National Police (Poliţia Română)
  • Portugal: Judicial Police (Polícia Judiciária)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt)
  • United States: US Secret Service (USSS), Federal Bureau of Investigation (FBI), Internal Revenue Service Criminal Investigation (IRS-CI)
  • United Kingdom: National Crime Agency (NCA)
  • Europol: European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT)

EAST EPTF holds 12th Meeting

The 12th Meeting of the EAST Expert Group on Payment and Transaction Fraud (EPTF) took place on Wednesday 13th April 2022.  It was conducted as a virtual meeting and was chaired by Rui Carvalho, EAST Development Director.

The meeting was attended by 17 key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors, Payment Services Providers, and Solution Providers.

Europol, INTERPOL and the DCPCU provided the law enforcement perspective, and the Ukrainian Interbank Payment Systems Member Association “EMA” gave a keynote presentation on the payments and fraud situation in Ukraine.

Short presentations were also made by Barclays, Cartes Bancaires, Diebold Nixdorf, HSBC, ING Bank, PAN-Nordic Card Association, SIBs, STMP, TietoEVRY and Worldline.  Social engineering linked to non-banking fraud continues to be of concern and Investment Fraud is a rising issue.

EAST EPTF, which meets three times a year, adds value to the payments industry by using the unique and extensive EAST National Member and EAST Global Member platforms, and the Associate Member network, to provide information and outputs that are not currently available elsewhere.  It is a specialist group that discusses security issues affecting the payments industry and that gathers, collates, and disseminates related information, trends and general statistics.

EAST National & Global Members represent 35 countries and outputs from the group are presented to EAST Global Congress Meetings.  There are 212 EAST Associate Member Organisations from 52 countries and territories.

ATM jackpotting attacks fall in Europe

EAST has published a European Payment Terminal Crime Report covering 2021 which highlights a fall in ATM jackpotting attacks.

ATM malware and logical attacks against ATMs were down 74% (from 202 to 52). All the reported attacks were aimed at ATM jackpotting, either using black box attacks or malware. A black box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, to ‘cash-out’ or ‘jackpot’ the ATM. Related losses fell from €1.2 million to €0.7 million.

EAST Executive Director Lachlan Gunn said, “This fall in ATM malware and logical attacks is great news and reflects the hard work that has been put in by the industry and law enforcement to address the issue. Most such attacks remain unsuccessful. A recent trend is a shift from logical black box attacks to malware attacks aimed at ATM jackpotting. When executed similar holes are made in the ATM fascia and so it can be difficult to work out which type of attack took place. Our Expert Group on All Terminal Fraud (EGAF) is focussed on countering such attacks, with close cooperation between industry partners and law enforcement. EGAF is working with Europol right now to update a document entitled ‘Guidance & recommendations regarding logical attacks on ATMs’, which has been a key tool in the fight against such attacks.”

Terminal related fraud attacks were down 8% (from 6,523 to 5,969 incidents). All fraud types were down except for cash trapping at ATMs, which increased by 14% (from 1,829 to 2,086 incidents). Total losses of €198 million were reported, down 9% from the €218 million reported in 2020. Most losses remain international issuer losses due to card skimming, which were €166 million.

ATM related physical attacks were up 6% (from 3,722 to 3,947 incidents). Attacks due to ram raids and ATM burglary were down 40% (from 749 to 447 incidents). ATM explosive attacks (including explosive gas and solid explosive attacks) were down 32% (from 923 to 629 incidents). Losses due to ATM related physical attacks were €10 million, a 55% decrease from the €22 million reported during 2020. 64% of these losses were due to explosive attacks, which were down 56% from €14.59 million to €6.35 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate).

Vishing network taken down by Police

108 people have been detained on suspicion of being involved in investment fraud related ‘vishing’ activities from international call centres in Riga, Latvia and Vilnius, Lithuania.  The suspects are accused of defrauding victims across the world.

‘Vishing’, also known as ‘voice phishing’, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

The operation was carried out by the Latvian State Police (Valsts policija) and the Lithuanian Police (Lietuvos Policija), supported by Europol and Eurojust.  On 24 and 25 March 2022 hundreds of officers, including special intervention teams, raided three call centres belonging to the same organised crime group (OCG).  The OCG controlled up to 200 fake ‘traders’, speaking English, Russian, Polish and Hindi.  These fraudsters would call unsuspecting victims promising lucrative investment opportunities and persuading them to part with their savings.  The promoted investments in bitcoin, commodities, and foreign currencies were all fake.  It is estimated that the fraudsters were making profits of €3 million a month from the scam.

The coordinated police operation resulted in:

  • The detention of 80 people in Latvia and 28 in Lithuania
  • The seizure of cash, bank accounts and luxury vehicles
  • The seizure of €95,000 in cryptocurrencies

Europol’s European Financial and Economic Crime Centre (EFECC) supported the investigation by bringing together the national investigators from Latvia and Lithuania to establish a joint strategy and to organise the intensive exchange of evidence needed to prepare for the final phase of the investigation. Europol experts from both the EFECC and the European Cybercrime Centre (EC3) were deployed to Latvia and Lithuania to assist the national authorities with the action days.

Eurojust supported the investigation by setting up a joint investigation team (JIT) into the case within one week and organising a rapid coordination meeting. Further assistance was given with the execution of a European Investigation Order during the action day.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including investment fraud and ‘vishing’. The 11th EAST EPTF meeting took place on 10 November 2021.

EAST Publishes Fraud Update 1-2022

EAST has published its first Fraud Update for 2022.  This is based on country crime updates given by representatives of 22 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 6th (virtual) EAST Interim Meeting held on 9th February 2022.

The following countries supplied full or partial information for this Update:

Armenia; Austria; Belgium; Canada; Cyprus; Czech Republic; Finland; France; Germany; Greece; Hungary; Italy; Liechtenstein; Luxembourg; Malta; Mexico; Netherlands; Norway; Poland; Portugal; Romania; Russia; South Africa; Spain; Sweden; Switzerland; Ukraine; United Kingdom.

FRAUD TYPE

EAST Update

To date in 2022 the EAST Expert Group on All Terminal Fraud (EGAF) has published one related Fraud Alert.

FRAUD ORIGIN

DUE DILIGENCE

PHYSICAL ATTACKS

The full European Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:

FRAUD DEFINITIONS

FRAUD TERMINOLOGY

TERMINAL FRAUD DEFINITIONS

TERMINOLOGY FOR LOCATIONS OF CDC DEVICES AT ATMS AND OTHER TERMINALS

TERMINAL PHYSICAL ATTACK DEFINITIONS AND TERMINOLOGY

EAST EGAP holds 17th Meeting

The 17th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 2nd March 2022.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Graham Mott of the LINK Scheme.

The meeting was attended by 55 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.

  • Europol gave a central assessment of the ATM physical attack situation in Europe
  • The ECB gave an update on the latest bank notes in circulation, cash usage statistics, and Intelligent Banknote Neutralisation Systems (IBNS) used in the Euro area
  • National Threat Assessments were shared by representatives from 17 countries:
    Country: Update(s) Given By
      • Austria: Criminal Intelligence Service
      • Brazil: TecBan
      • Croatia: MUP Croatia
      • Czech Republic: Criminal Police
      • France: Gendarmerie - OCLDI
      • Germany: BKA
      • Greece: Hellenic Police
      • Hungary: National Bureau of Investigation
      • Ireland: An Garda Siochana
      • Italy: MIB
      • Luxembourg: Service de Police Judiciaire
      • Netherlands: National Police
      • Poland: National Police
      • Portugal: Polícia Judiciária
      • Spain: Guardia Civil / National Police / Autonomous Police of Catalonia
      • Switzerland: Federal Office of Police (FEDPOL)
      • United Kingdom: SaferCash / West Midlands Police (ROCU)

Experts from the following organisations also participated in the meeting:  ATM Safe, Barclays, Cardtronics, Cennox, Diebold Nixdorf, Feerica S.A., Gunnebo, Guarda Nacional Republicana, Mactwin Security, National Bureau of Investigation (FI), NCR, Oberthur Cash Protection, Payment Services Austria (PSA), Petersen-Bach, Policia de Seguranca Publica, Professional Witnesses Group (PWG), Secure Banking Technology, Spinnaker.

EAST EGAP is a European specialist expert forum for discussion of ATM, ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

National & Global Fraud Intelligence sharing – 6th Interim EAST Meeting

The sixth Interim Meeting of EAST National and Global Members took place on Wednesday 9th February 2022 as a virtual meeting. The meeting was chaired by Thomas Von der Gathen from Payment Services Austria (PSA).  The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), and the United States Secret Service (USSS).  An update was provided from Europol’s European Cybercrime Centre (EC3) on various fraud types and a presentation from Europol’s Organised Property Crime Unit covered recent Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS update covered card fraud and recent man-in-the-middle black box attacks.

Private sector fraud intelligence updates were received from 28 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Regional Updates were also provided for ASP, MENA and LATAM. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue, particularly for elderly people.

EAST Fraud Update 1-2022 will be produced early next month, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 16th June 2022, will hopefully be the 1st EAST Global Congress, which is planned as a Hybrid Meeting.  This is dependent on the prevailing travel situation at that time, and the meeting will revert to a virtual Interim Meeting if required.

Phoebus Christodoulides retires from EAST

Phoebus Christodoulides will retire from EAST on 31st January 2022. He attended his first EAST meeting in 2006, representing Cyprus, a role he has held since then.  The final EAST Meeting he attended was the 5th Interim EAST Meeting on 6th October 2021.

EAST Executive Director Lachlan Gunn said: “When Phoebus joined EAST in 2006, he came as a well-respected professional with a strong background in the prevention of financial crime.  He has been an active supporter of EAST and has made significant contributions to our work by gathering and collating information and data from the market in Cyprus that has been of great benefit to Law Enforcement and the industry. 

It has been a real pleasure to work with him over the years and my only regret is that, due to the pandemic, we were not able to meet in person to properly say goodbye.  On behalf of the EAST Executive Team, the EAST Board, and of all our members, I wish him a happy, fulfilling, and well-earned retirement.”

Cyprus is represented at EAST by the National Member JCC Payment Systems and Phoebus’s role as EAST national representative will be taken over by Constantinos Adamou – Head Fraud Monitoring, supported by Yiannis Isaias – Manager Information Security & Risk Management.