EAST Publishes Fraud Update 3-2023

EAST has just published its third Fraud Update for 2023.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 9 non-SEPA countries, at the 5th EAST Global Congress held on 11th October 2023.

The following countries supplied full or partial information for this Update:

Algeria; Armenia; Austria; Belgium; Canada; Finland; France; Germany; Italy; Kosovo; Liechtenstein; Luxembourg; Mexico; Morocco; Netherlands; Norway; Poland; Portugal; Romania; Spain; Sweden; Switzerland; Turkey; Ukraine; United Kingdom; United States.

Information was also received from two regions (ASP and MENA).

FRAUD TYPE

EAST Fraud Update - Technological Fraud

To date in 2023 the EAST Expert Group on All Terminal Fraud (EGAF) has published five related Fraud Alerts.

EAST Fraud Update - Non-technological fraud

To date in 2023 the EAST Expert Group on Payment and Transaction Fraud (EPTF) has published one related Payment Alert and EAST EGAF has published one related Fraud Alert.

FRAUD ORIGIN

EAST Fraud Update - Social Engineering

EAST Fraud Update - Data Compromise

DUE DILIGENCE

EAST Fraud Update - Due Diligence

PHYSICAL ATTACKS

EAST Fraud Update - Ram Raids-Burglary

To date in 2023 the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) has published three related Physical Attack Alerts.

EAST Fraud Update - Robbery

The full EAST Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:

FRAUD  DEFINITIONS

FRAUD TERMINOLOGY

TERMINAL FRAUD DEFINITIONS

TERMINOLOGY FOR LOCATIONS OF CDC DEVICES AT ATMS AND OTHER TERMINALS

TERMINAL PHYSICAL ATTACK DEFINITIONS AND TERMINOLOGY

Terminal related fraud attacks fall in Europe

EAST has just published a European Payment Terminal Crime Report covering H1 2023 which highlights a fall in terminal related fraud attacks.

Terminal related fraud attacks were down 40% (from 5,022 to 3,021 incidents).  This decrease was primarily due to a fall in cash trapping at ATMs. These attacks decreased by 40% (from 2,984 to 1,805 incidents).  Man-in-the-middle/relay attacks continued to occur with 63 cases reported during the 6-month period.  The successful attacks resulted in cash out at ATMs. Total losses of €105 million were reported, up 8% from the €97 million reported in H1 2022.  Most losses remain international issuer losses due to card skimming, which were €88 million.

EAST Executive Director Lachlan Gunn said, “This fall in terminal related fraud attacks is very good news for the industry, for law enforcement, and for all stakeholders.  The excellent work done by our EAST Expert Group on All Terminal Fraud (EGAF) has played a major role in highlighting the risks of such attacks, and what can be done to mitigate them.  The group has also helped to counter ATM malware and logical attacks for which the numbers are now very low.  While terminal fraud levels are falling, social engineering, along with major scams, is a rising threat and our Expert Group on Payment and Transaction Fraud is focussed on countering this.”

ATM malware and logical attacks were down 33% (from 6 to 4) and all of the reported attacks were black box attacks.  A black box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, to ‘cash-out’ or ‘jackpot’ the ATM.  Most such attacks remain unsuccessful, and total losses of just €2,237 were reported.

ATM related physical attacks were down 4% (from 2,008 to 1,931 incidents).  Within this total, ATM explosive attacks (including explosive gas and solid explosive attacks) were up 7% (from 354 to 378 incidents) and attacks due to ram raids and ATM burglary were down 9% (from 274 to 249 incidents).  Losses due to ATM related physical attacks were €3.8 million, a 34% decrease from the €5.8 million reported during H1 2022. 57% of these losses were due to explosive attacks, which were down 1% from €2.19 million to €2.17 million.  While on average around 40% of such attacks do not result in cash loss, the loss figures shown do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate).

National & Global Fraud Intelligence – 5th EAST Global Congress

The 5th EAST Global Congress took place on Wednesday 11th October 2023 at ING Bank in Amsterdam as a hybrid meeting, with some delegates participating online.

The meeting was chaired by Veronica Borgogna from Worldline.  The key focus was on the sharing of payment and terminal fraud intelligence (global, regional, national).

Law enforcement overviews were provided by Europol and the Gulf Cooperation Council Police.  Private sector fraud intelligence updates were received from 26 countries, either directly or via regional/global updates by BNP Paribas, HSBC, and Worldline.  Regional updates were also provided for ASP and MENA.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).

Social engineering of victims by organised criminals remains a major concern across all the countries and it was noted that non-banking fraud is a rising issue.  Updates were given on Active Shimmer (Wedge) / Relay attacks, a continuing threat in several countries.

Updates from the three EAST Expert Groups were given:

EAST Fraud Update 3-2023 will be produced early next month, based on the country updates provided at the EAST Global Congress.  EAST Fraud, Payment, and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The 6th EAST Global Congress, scheduled for 7th February 2024, will also be held as a Hybrid Meeting.

EAST EGAF holds 30th Meeting in Amsterdam

The 30th Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 20th September 2023 hosted by the Dutch Banking Association (Nederlandse Vereniging van Banken) in Amsterdam.   The hybrid meeting was chaired by Otto de Jong from ING Bank.

It was attended by 23 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts. 12 people were in the room and there were 11 virtual participants.

Experts from the following organisations contributed to the meeting: BKA, BNP Paribas, BVK Technology, Cartes Bancaires (CB), Cennox, Damage Control, Diebold Nixdorf, Dutch Banking Association, Europol, GMV, ING Bank, KAL, LINK Scheme, Mastercard, NCR ATLEOS, Payment Services Austria (PSA), Tietoevry, TMD Security, US Secret Service, and Visa.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Discussion at the meeting focussed on the follow up to five EAST Fraud Alerts relating to Active Shimmer (Wedge) / Relay attacks, to cash trapping, to transaction reversal fraud (TRF), and to prevention measures relating to black box attacks.

EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 281 Fraud Alerts have been issued as can be seen in the table below.

Europol publishes report on malware-based cyber attacks

Europol has published a spotlight report “Cyber Attacks: The Apex of Crime-as-a-Service”, which sheds light on malware and DDoS attacks and unveils ransomware groups’ business structures as observed by Europol’s operational analysts.  The report, which follows Europol’s Internet Organised Crime Assessment (IOCTA) 2023, also outlines the types of criminal structures that are behind cyber-attacks, and how these increasingly professionalised groups are exploiting changes in geopolitics as part of their modi operandi.

This report is the first in a series of Spotlight Reports released by Europol as part of the IOCTA 2023.  Each takes a closer look at emerging trends in a specific area of cybercrime.  Other modules within the IOCTA 2023 look at online fraud and child sexual exploitation.

Key findings of the Report

  • Malware-based cyber attacks remain the most prominent threat to industry;
  • Ransomware affiliate programs have become established as the main form of business organisation for ransomware groups;
  • Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics;
  • The Russian war of aggression against Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets;
  • Initial Access Brokers (IABs), droppers-as-a-service and crypter developers are key enablers utilised in the execution of cyber-attacks;
  • The war of aggression against Ukraine and Russia’s internal politics have uprooted cybercriminals, pushing them to move to other jurisdictions.

Europol’s response to Cybercrime

Europol provides dedicated support for cybercrime investigations in the EU and thus helps protect European citizens, businesses and governments from online crime.  Europol offers operational, strategic, analytical and forensic support to Member States’ investigations, including malware analysis, cryptocurrency-tracing training for investigators, and tool development projects.  Based in Europol’s European Cybercrime Centre (EC3), the Analysis Project Cyborg focuses on the threat of cyber-attacks and supports international investigations and operations into cyber criminality affecting critical computer and network infrastructures in the EU.

EAST response to Cybercrime

EAST focusses on tackling cybercrime through two of its Expert Groups – the EAST Expert Group on Payment and Transaction Fraud (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).

EAST EGAP holds 20th Meeting at Europol in The Hague

The 20th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 6th September 2023 hosted by Europol in The Hague. The hybrid meeting was chaired by Graham Mott of the LINK Scheme.

It was attended by 46 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors. 9 people were in the room and there were 37 virtual participants.

  • Europol gave a central assessment of the ATM physical attack situation in Europe.
  • The ECB gave a status update on the Eurosystem Intelligent Banknote Neutralisation Systems (IBNS) policy.
  • National Threat Assessments were shared by representatives from 16 countries.

| Country | Update(s) Given By |
|---|---|
| Austria | Criminal Intelligence Service |
| Belgium | Cennox |
| Croatia | MUP - General Police Directorate |
| Cyprus | Cyprus Police |
| Denmark | Petersen-Bach |
| Finland | Loomis Automatia Oy, National Bureau of Investigation |
| France | Gendarmerie - OCLDI |
| Germany | BKA |
| Greece | Hellenic Police |
| Ireland | An Garda Síochána |
| Italy | MIB |
| Netherlands | National Police |
| Portugal | Policia Judiciaria, Policia de Seguranca Publica |
| Spain | Spanish National Police, Guardia Civil, Autonomous Police of Catalonia |
| Switzerland | Federal Office of Police (FEDPOL) |
| United Kingdom | West Midlands Police (SaferCash) |

Experts from the following organisations also participated in the meeting:  Batopin NV, BNP Paribas, Cennox, Diebold Nixdorf, Feerica SA, HSBC, National Police – OCLCO DCPCJ (France), NCR, Oberthur Cash Protection, Policia Di Stato – Servizio Centrale Operativo (Italy), Romanian Police, Secure Banking Technology, Secure Innovation, Service de Police Judiciare (Luxembourg), State Police of Latvia.

Consistent reporting of ATM physical attacks is key to enabling law enforcement and the industry to counter the evolving threats.  To standardise reporting across Europe, EAST EGAP has produced updated ATM Crime definitions and a reporting template for physical attacks on ATMs that is being rolled out to law enforcement agencies and the industry across Europe.  A copy of the definitions document can be downloaded here.

EAST EGAP is a European specialist expert forum for discussion of ATM, ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

Police take down Qakbot malware infrastructure

The Qakbot malware infrastructure has been taken down by an international Police operation, supported by Europol.  The operation led to the seizure of nearly €8 million in cryptocurrencies and the investigation was also supported by Eurojust and judicial and law enforcement authorities from France, Germany, Latvia, the Netherlands, Romania, the United Kingdom, and the United States. Over 700,000 computers were infected worldwide and law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa.

Qakbot, operated by a group of organised cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.  The below image shows how the criminals worked.

Background

Qakbot (also known as QBot or Pinkslipbot) has been active since 2007.  The malware has evolved over time using different techniques to infect users and compromise systems.  Victims’ computers were infiltrated through spam emails containing malicious attachments or hyperlinks.  Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware.  Additionally, the infected computer became part of a botnet (a network of compromised computers) simultaneously controlled by the cybercriminals, usually without the knowledge of the victims.

However, Qakbot’s primary focus was on stealing financial data and login credentials from web browsers.  A number of ransomware groups used Qakbot to carry out a large number of ransomware attacks on critical infrastructure and businesses.  The administrators of the botnet provided these groups with access to the infected networks for a fee.  The investigation suggests that between October 2021 and April 2023, the administrators received nearly €54 million in ransom fees from victims.

International Police Liaison and Coordination

Over the course of the investigation, Europol facilitated the information exchange between participating agencies, supported the coordination of operational activities, and funded operational meetings. Europol also provided analytical support linking available data to various criminal cases within and outside the EU.  The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation.  This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved.  The Agency hosted a coordination meeting in July 2023 to facilitate evidence sharing and to prepare for this joint operation.

EAST response to Cybercrime

EAST focusses on tackling cybercrime through two of its Expert Groups – the EAST Expert Group on Payment and Transaction Fraud (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).

Terminal Physical Attack Definitions updated by EAST EGAP

Working with Europol, EAST has published simplified Terminal Physical Attack Definitions and Terminology to help the industry and law enforcement when reporting attacks against ATMs and other terminals.  A Workgroup of EAST EGAP members (private sector and Europol) created new attack definitions and a reporting template that can be shared with law enforcement and the industry.  This was presented to the 19th EAST EGAP Meeting held at Europol on 23rd March 2023 and has just been published.

The terminal types covered are broadly classified as:

  • ATM – Automated Teller Machine
  • ATS – Automated Teller Safe (also known as a Teller Cash Dispenser or TCD)

The aim is for these simplified physical attack definitions and terminology to be adopted globally by the industry and law enforcement when describing or reporting physical attacks on terminals.  A copy of the document is available here.

EAST Members (Global, National, Associate) can find a copy of the definitions with a ‘Reporting Summary’ on the EAST Intranet (log-in required).

EAST EGAP is a European specialist expert forum for discussion of ATM, ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

Cybercrime – the Europol perspective

Cybercrime has become a big business, with an entire illicit economy set up to support it with service providers, recruiters and financial services. Europol has just published the first module of its 9th Internet Organised Crime Threat Assessment (IOCTA), which takes an in-depth look into the online criminal ecosystem, examining notable actors, their attack vectors and victims.

The increasing scale of cybercrime makes investigating cyber-attacks ever more challenging for law enforcement, with multiple specialised actors working on parts of the criminal process from every corner of the globe.

Europol’s IOCTA aims at providing an understanding of modern cybercrime to equip law enforcement with the knowledge to fight back.  This report and accompanying modules are based on operational information contributed to Europol’s European Cybercrime Centre (EC3), combined with expert insights and open source intelligence.

Focus of the report

  • Cybercriminal services are intertwined
  • Similar techniques for different goals
  • The central commodity is stolen data
  • Same victims, multiple offences
  • The underground communities to educate and recruit cybercriminals
  • What happens with the criminal profits?
  • Europol’s support

The current summary presents the main overarching findings concerning the different typologies of cybercrime, namely cyber-attacks, online fraud schemes and online child sexual exploitation.  It will be followed by a series of spotlight publications covering each of the crime areas in-depth.

EAST response to Cybercrime

EAST focusses on tackling cybercrime through two of its Expert Groups – the EAST Expert Group on Payment and Transaction Fraud (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).

EAST Publishes Fraud Update 2-2023

EAST has just published its second Fraud Update for 2023.  This is based on country crime updates given by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 8 non-SEPA countries, at the 4th EAST Global Congress held on 7th June 2023.

The following countries supplied full or partial information for this Update:

Algeria; Armenia; Austria; Belgium; Canada; Finland; France; Germany; Greece; Italy; Liechtenstein; Luxembourg; Malta; Mexico; Morocco; Netherlands; Norway; Portugal; Romania; Slovakia; South Africa; Spain; Sweden; Switzerland; Turkey; Ukraine; United Kingdom.

Information was also received from two regions (ASP and MENA).

FRAUD TYPE

Fraud Update - Technological Fraud

To date in 2023 the EAST Expert Group on All Terminal Fraud (EGAF) has published five related Fraud Alerts.

Fraud Update - non-technological fraud

To date in 2023 the EAST Expert Group on Payment and Transaction Fraud (EPTF) has published one related Payment Alert.

FRAUD ORIGIN

Fraud Update - social engineering

Fraud Update - due diligence

DUE DILIGENCE

PHYSICAL ATTACKS

To date in 2023 the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) has published two related Physical Attack Alerts.

The full EAST Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:

FRAUD  DEFINITIONS

FRAUD TERMINOLOGY

TERMINAL FRAUD DEFINITIONS

TERMINOLOGY FOR LOCATIONS OF CDC DEVICES AT ATMS AND OTHER TERMINALS

TERMINAL PHYSICAL ATTACK DEFINITIONS AND TERMINOLOGY