The Polish authorities, supported by Europol, have arrested two individuals committing ‘Black Box’ attacks against ATMs. The two suspects, both Belarusian nationals, were arrested in Warsaw on 17 July 2021. The investigation uncovered that these criminals committed dozens of black box attacks in at least seven European countries, stealing an estimated €230,000 in cash. The same brand and model of ATM were targeted in all the attacks.
To perpetrate such attacks criminals connect electronic devices (referred to as black boxes) to a cash machine and remotely force it to spew out all its cash. For a full definition visit the Terminal Fraud Definitions page on this website. In these cases they gained access to the ATM wires by drilling holes or melting parts of the ATM fascia in order to physically connect the machine to a laptop, which was then used to send relay commands that caused the machine to dispense all its cash.
The police operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Europol (supported by the Joint Cybercrime Action Taskforce or J-CAT), brought together the national investigators, provided continuous intelligence development and analysis to support the field investigators, and has been working closely with the ATM manufacturer targeted by these criminals, making the link with the different law enforcement authorities involved in the investigation (from Poland, Germany, Austria, Switzerland, Czech Republic and Slovakia).
The EAST Expert Group on All Terminal Fraud (EGAF) focusses on the analysis and prevention of such attacks and, to date, has put out 48 related Fraud Alerts for EAST Members, the most recent of which was released in June 2021, covering Black Box attacks in Poland.
The EAST Payments Task Force has changed its name to become the EAST Expert Group on Payment and Transaction Fraud (EAST EPTF). The decision was made at the 10th EPTF Meeting held on 7th July 2021. This brings it into line with the other two EAST Expert Groups (EAST EGAF and EAST EGAP). The EAST Payments Task Force was first convened in 2016. At that time EAST was undergoing a strategic review of its operations to reflect the fast changing payments landscape. As part of that review EAST changed its name to become the European Association for Secure Transactions, which was first announced in June 2017.
EAST Executive Director Lachlan Gunn said: “The Payments Task Force fulfilled its initial remit, which was to support EAST as it changed direction from focussing solely on payment terminal fraud and ATM physical attacks, to increasingly focus on payment and transaction related fraud. At their 10th Meeting this month the EPTF members agreed that the name should change to better reflect the increasingly important input and direction that the group provides for EAST and all EAST members. I would like to thank Rui and all the team for the excellent work that they have done to date, and to wish them all the best for the future as we slowly emerge from the effects of the pandemic into what is becoming called the ‘new normal’.”
To date the EAST EPTF has produced 20 Payment Alerts for EAST members, and has also published Fraud Terminology and Fraud Definitions. To help standardise how fraud is categorised and reported, the aim is for the terminology and definitions to be adopted globally when describing or reporting payment and terminal fraud.
Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers. Europol has announced that a new No More Ransom website has been launched to mark the project’s fifth year. Modern and more user-friendly, the new home of the Crypto Sheriff offers updated information on ransomware, as well as advice on how to prevent a ransomware infection.
The decryptors available in the No More Ransom repository have helped more than six million people to recover their files for free. This prevented criminals from earning almost a billion euros through ransomware attacks. Currently offering 121 free tools able to decrypt 151 ransomware families, it unites 170 partners from the public and private sector. The portal is available in 37 languages.
Ransomware infections occur in different ways, such as through insecure and fraudulent websites, software downloads and malicious attachments. Anyone can be a target – individuals and companies of all sizes. For guidance on prevention, read the advice on the No More Ransom website.
The Tenth Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 7th July 2021. Due to the Covid-19 situation it was conducted as a virtual meeting and 18 EPTF members participated.
The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.
The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.
INTERPOL and Europol provided the law enforcement perspective, and short presentations were also made by Cartes Bancaires, Group-IB, ING Bank, JP Morgan Chase, LINK Scheme, MasterCard Members’ Association, PAN-Nordic Card Association, PSA, PLUSCARD, SIBs, tietoEVRY, Trend Micro and Worldline. Social engineering linked to non-banking fraud was reported as a rising issue.
The Group, which meets three times a year, adds value to the payments industry by using the unique and extensive EAST National Member and EAST Global Member platforms, and the Associate Member network, to provide information and outputs that are not currently available elsewhere.
EAST National & Global Members represent 35 countries and outputs from the group are presented to EAST Global Congress Meetings. There are 210 EAST Associate Member Organisations from 52 countries and territories.
An alleged prolific cybercriminal has been apprehended in Morocco following a joint two-year investigation by INTERPOL, the Moroccan police and Group-IB. Acting under the signature name of ‘Dr Hex’, the suspect is believed to have targeted thousands of unsuspecting victims over several years through global phishing, fraud, and carding activities involving credit card fraud. He is also accused of defacing numerous websites by modifying their appearance and content, and of targeting French-speaking communications companies, multiple banks and multinational companies with malware campaigns. He is alleged to have helped develop carding and phishing kits, which were then sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims. These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain – the losses of individuals and companies were then published online in order to advertise these malicious services.
Under Operation Lyrebird, INTERPOL’s Cybercrime Directorate worked closely with Group-IB and with Moroccan Police, via the INTERPOL National Central Bureau, in Rabat to eventually locate and apprehend the individual, who remains under investigation. INTERPOL Executive Director of Police Services Stephen Kavanagh said: “This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide. The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”
Group-IB determined that the suspect was involved in attacks on 134 websites from 2009-2018, leaving behind his signature name on web pages. Its participation in the operation came under Project Gateway, an initiative which facilitates cooperation and information sharing between INTERPOL and private sector partners.
In May 2021 INTERPOL launched a new cyber operations desk to boost the capacity of 49 African countries to fight cybercrime. The Africa desk will help shape a regional strategy to drive intelligence-led coordinated actions against cybercriminals and support joint operations such as Lyrebird.
At a time of increasing cyber threats, members of the public, businesses and organisations are reminded to protect themselves from phishing attempts by following the advice showcased in INTERPOL’s #WashYourCyberHands and #OnlineCrimeIsRealCrime campaigns.
The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud.
EAST has just published its second Fraud Update for 2021. This is based on country crime updates given by representatives of 22 countries in the Single Euro Payments Area (SEPA), and 9 non-SEPA countries, at the 4th (virtual) EAST Interim Meeting held on 9th June 2021.
The following countries supplied full or partial information for this Update:
Armenia; Austria; Belgium; Brazil; Canada; Cyprus; Finland; France; Germany; Greece; Hungary; Ireland; Italy; Liechtenstein; Luxembourg; Mexico; Netherlands; Norway; Poland; Portugal; Romania; Russia; Slovakia; South Africa; Spain; Sweden; Switzerland; Turkey; Ukraine; United Arab Emirates; United Kingdom.
To date in 2021 the EAST Payments Task Force (EPTF) has published one related Payment Alert and the EAST Expert Group on All Terminal Fraud (EGAF) has published four related Fraud Alerts.
To date in 2021 the EPTF has published one related Payment Alert.
To date in 2021 the EPTF has published one related Payment Alert and EAST EGAF has published two related Fraud Alerts.
The full European Fraud Update is available to EAST Members (National, Global and Associate).
Information on the Fraud Definitions and Terminology used by EAST can be found as follows:
- TERMINAL FRAUD DEFINITIONS
- TERMINOLOGY FOR LOCATIONS OF CDC DEVICES AT ATMS AND OTHER TERMINALS
- TERMINAL PHYSICAL ATTACK DEFINITIONS AND TERMINOLOGY
Law enforcement and judicial authorities in Europe, the US and Canada have seized the web domains and server infrastructure of DoubleVPN. This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims. DoubleVPN was used by ransomware groups.
Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
DoubleVPN was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters. The service claimed to provide a high level of anonymity by offering single, double, triple and even quadruple VPN connections to its clients. It was being used to compromise networks all around the world and its cheapest VPN connection cost as little as €22 ($25).
The coordinated takedown was led by the Dutch National Police (Politie), under the jurisdiction of the National Public Prosecutor’s Office (Landelijk Parket), with international activity coordinated by Europol and Eurojust. International cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.
- Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organised over 30 coordination meetings and four workshops to prepare for the final phase of the takedown, alongside providing analytical and crypto-tracing support. A virtual command post was set up by Europol on the action day to ensure seamless coordination between all the authorities involved in the takedown.
- Eurojust facilitated the judicial cross-border cooperation and coordination, to ensure an adequate response in order to take down the network. For this purpose, six dedicated coordination meetings organised by Eurojust have taken place since October last year, and Eurojust set up a coordination centre during the action day, during which the operation was rolled out on the ground by the various national authorities involved.
The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment fraud. It has provided fraud definitions to be adopted globally when describing or reporting payment or terminal fraud. Ransomware is classified as a form of Data Compromise.
A fourth Interim Meeting of EAST National and Global Members took place on Wednesday 9th June 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Graham Mott from the LINK Scheme. The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.
Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), the United States Secret Service (USSS) and INTERPOL. Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe. The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries, focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS presentation covered US Fraud Trends (2020/2021), along with prevention/detection techniques, and the INTERPOL presentation covered recent issues relating to financial crimes, money laundering, and asset tracing.
Private sector fraud intelligence updates were received from 31 countries, either directly or via regional/global updates by Citi, HSBC and Worldline. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT). A key issue, highlighted by most of the countries, continues to be the importance of raising consumer awareness to counter the rising threats related to social engineering.
EAST Fraud Update 2-2021 will be produced during July, based on the country updates provided at the Interim EAST Meeting. EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.
The next meeting of this group, scheduled for 6th October 2021, will also be a virtual Interim meeting. The 1st EAST Global Congress is now scheduled to be held in February 2022, dependent on the prevailing status of the Covid-19 pandemic.
The 23rd Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 12th May 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Otto de Jong of ING Bank.
The meeting was attended by 28 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.
EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.
Presentations were made by Europol, INTERPOL, Swedish Police, Damage Control Mexico, and Diebold Nixdorf.
Experts from the following organisations also contributed to the meeting: Bits A/S, BVK, Cennox, GMV, Mastercard, NatWest Group, NCR, PSA, KAL, Santander Bank, TietoEVRY, TMD Security, and TrendMicro.
The meeting approved a list of recommended Countermeasures against ATM Malware and Black Box attacks, which will be shown, as applicable, in future EAST Fraud Alerts.
EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 260 EAST Fraud Alerts have been issued as can be seen in the table below.
On 11 May 2021, a large criminal network involved in investment fraud and money laundering was dismantled as a result of a cross border operation supported by Europol and Eurojust. This was a large-scale online investment fraud network with hundreds of victims across Europe.
LAW ENFORCEMENT ACTION
The investigation, led by Germany, involved law enforcement and judicial authorities from Bulgaria, Israel, Latvia, North Macedonia, Poland, Spain and Sweden. The final results were:
- 11 arrests (5 in Bulgaria and 1 in Israel on the action day and 5 previously in Spain)
- 12 locations were searched in Bulgaria, Israel, Poland, North Macedonia and Sweden
- Seizures included numerous electronic devices, real estate, jewellery, high-end vehicles and approximately €2 million in cash
- Bank accounts have also been frozen
Europol supported the operation by facilitating information exchange and providing analytical support and operational coordination. During the action day, Europol experts cross-checked operational information in real-time against Europol’s databases to provide leads to investigators in the field.
HOW THE INVESTMENT FRAUD WORKED
The criminal network, organised mainly by Israeli nationals, created different, professional-looking online trading platforms advertising substantial profits from investments in high-risk options and cryptocurrencies. The victims were targeted through advertisements in social media and search engines. The criminals posed as experienced brokers when contacting the victims via the call centres they had set up, operating from Bulgaria and North Macedonia. They used manipulated software to show the gains from the investments and to encourage the victims to keep investing.
Victims across Europe are estimated to have lost at least €30 million to the fraud. Victims in Germany suffered at least €7 million of these losses, while 300 complaints were filed in Spain. The suspects laundered the illegal profits through bank accounts controlled or owned by shell companies based in different EU countries.
The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment fraud. It has provided fraud definitions to be adopted globally when describing or reporting payment or terminal fraud. Investment Fraud is classified as a form of Technological Fraud (Attacks against Technology).