Europol launches updated ATM Logical Attack Guidelines at 1st EAST Global Congress

Europol has published updated guidelines to help industry and law enforcement counter the ATM Logical Attack threat.  The new document was officially launched at the 1st EAST Global Congress, which took place on Thursday 16th June 2022 at Europol’s HQ in The Hague.  Production of the document was coordinated by the EAST Expert Group on All Terminal Fraud (EGAF).

It has three sections:

  1. Description of Modi Operandi
  2. Mitigating the risk of ATM Logical Attacks, Setting up Lines of Defence
  3. Identifying and responding to Logical Attacks

This latest version has many updates including improved advice on lines of defence and countermeasures, and a direct link (QR code) to the countermeasures published by EAST.

The original Guidelines were published in 2015, with a first update in 2018. They have been acknowledged as being of great value by both the industry and law enforcement, and the low success rate of ATM logical attacks in Europe can no doubt be attributed to the fact that this guidance has been widely followed.

Lachlan Gunn, EAST Executive Director, said “This latest version draws upon feedback and expertise from both law enforcement and the private sector, cemented by a working partnership between Europol and EAST EGAF. We are very grateful to Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3), and his team for making this possible. I would like to thank Otto de Jong (ING Bank and EAST EGAF Chair) and Christian Beine (Diebold Nixdorf) for their key role in leading this exercise, and to also extend my thanks to GMV, INTERPOL, NCR, TMD Security and Trend Micro for their invaluable work and contributions.”

Pictured above at the launch are (Left to right) Lachlan Gunn, Edvardas Šileris, and Otto de Jong.

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National, Global, and Associate).

National & Global Fraud Intelligence sharing – 1st EAST Global Congress

The 1st EAST Global Congress took place on Thursday 16th June 2022 at Europol’s HQ in The Hague as a hybrid meeting, with some delegates participating online. This was the first in-person meeting of EAST Global and National Members since February 2020. Six virtual interim meetings were held between that meeting and the Global Congress.

The meeting was chaired by Graham Mott from the LINK Scheme and the key focus was on the sharing of payment and terminal fraud intelligence (global, regional, national).  A special welcome was given to Olesya Danylchenko from the Ukrainian Interbank Payment Systems Member Association (EMA).

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), and the United States Secret Service (USSS). An update was provided from Europol’s European Cybercrime Centre (EC3) on various fraud types and an updated version of the document ‘Guidance and Recommendations Regarding Logical Attacks Against ATMs’ was officially launched. A presentation from Europol’s Organised Property Crime Unit covered recent Physical ATM attacks across Europe. The USSS update covered recent reports from the FBI’s Internet Crime Complaint Centre (IC3), as well as the latest fraud trends seen.

Private sector fraud intelligence updates were received from 25 countries, either directly or via regional/global updates by HSBC and Worldline. Regional Updates were also provided for ASP and MENA. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT). The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue.

Updates were also given by the Chairs of the three EAST Expert Groups:

EAST Fraud Update 2-2022 will be produced early next month, based on the country updates provided at the EAST Global Congress.  EAST Fraud, Payment, and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The 2nd EAST Global Congress, scheduled for 5th October 2022, will also be held as a Hybrid Meeting.

Police take down SMS-based FluBot spyware affecting Android phones

The FluBot malware has been stopped by a successful Police operation.  FluBot had been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected Android smartphones across the world.  It has been one of the fastest spreading mobile malware seen to date.

The takedown was the result of an international law enforcement operation involving 11 countries and coordinated by Europol’s European Cybercrime Centre (EC3).  This resulted in the Dutch police successfully disrupting the FluBot infrastructure and taking over its control during May 2022.  The investigation is ongoing to identify the individuals behind this global malware campaign.

How FluBot Worked

First spotted in December 2020, FluBot gained traction in 2021, compromising a huge number of devices worldwide, including significant incidents in Spain and Finland.  Cases were seen across Europe and in Australia.

The malware was installed via text messages, which asked Android users to click a link and install an application to track a package delivery or to listen to a fake voice mail message. Once installed, the malicious application would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials, or cryptocurrency account details, and to disable built-in security mechanisms.

FluBot was able to spread quickly due to its ability to access an infected smartphone’s contacts. Messages containing links to the malware were then sent to these numbers, helping to spread the malware.

What to do if your Device has been infected?

FluBot malware is disguised as an application, so it can be difficult to spot. There are two ways to tell whether an app may be malware:

  • If you tap an app, and it doesn’t open
  • If you try to uninstall an app, and are instead shown an error message

If you think an app may be malware, reset the phone to factory settings.

Find out more on how to protect yourself from mobile malware.

International Cooperation

This case highlights the importance of cross-border cooperation in taking down organised criminal groups.  EC3 brought together the national investigators in the affected countries to establish a joint strategy, provided digital forensic support and facilitated the exchange of operational information needed to prepare for the final phase of the action. The J-CAT, hosted at Europol, also supported the investigation.  A virtual command post was set up by Europol on the day of the takedown to ensure seamless coordination between all the authorities involved. The following authorities took part in the investigation:

  • Australia: Australian Federal Police
  • Belgium: Federal Police (Federale Politie / Police Fédérale)
  • Finland: National Bureau of Investigation (Poliisi)
  • Hungary: National Bureau of Investigation (Nemzeti Nyomozó Iroda)
  • Ireland: An Garda Síochána
  • Romania: Romanian Police (Poliția Română)
  • Sweden: Swedish Police Authority (Polisen)
  • Switzerland: Federal Office of Police (fedpol)
  • Spain: National Police (Policia Nacional) 
  • Netherlands: National Police (Politie)
  • United States: United States Secret Service

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including mobile malware. The 12th EAST EPTF meeting took place on 13 April 2022.

ATM explosive attack gang members arrested in successful Police operation

On 17 May 2022 three people were arrested in the Netherlands in connection with a series of ATM explosive attacks in Germany.  The arrests, which took place in Haarlem and Vianen, followed the arrests of 3 other members of the same criminal group on 30 March 2022 in Hessen, Germany.

This gang is believed to have targeted 8 ATMs in Germany between October and November 2021, stealing over €958,000 in cash.  Typically these attacks took place in the early hours of the morning – to access the cash the gang blew open the ATMs with explosives.  These explosions caused nearly €1 million in collateral damage to the buildings where the ATMs were located and the criminals showed reckless disregard for the safety of people in the vicinity of the attacks, or living nearby.

International Police Operation

The arrests were made by the Dutch Police (Politie Noord-Holland), working together with the German Police Directorate of Hochtaunus (Polizeidirektion Hochtaunus). Europol coordinated the operation (Op Pfeil/Pentagon), which was the culmination of many months of meticulous planning between the German and Dutch authorities. Europol brought together the national investigators, who have been working closely together with Europol’s Serious Organised Crime Centre, to establish a joint strategy to take down the criminal gang. On the action day a Europol mobile office was deployed to Haarlem to facilitate the extensive exchange of information and evidence, and to support the analysis of the seized electronic devices.

Police Appeal

In addition to the 6 members arrested so far, law enforcement is seeking to identify a seventh member of this gang.  The German Prosecutor General’s Office Frankfurt am Main are urging members of the public with information to come forward. Anyone who has any knowledge of these fugitives’ whereabouts should get in touch with any information that can help to track down the fugitives.

Cross Border Cooperation

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP) is a cross-border European specialist expert forum for discussion of ATM, ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices.  The Group meets twice each year to enable in-depth and technical discussion to take place. The 17th EAST EGAP Meeting took place on 2nd March 2022.  Information exchange linked to the prevention of ATM explosive attacks is a key focus of the Group.

EAST EGAF holds 26th Meeting in Amsterdam

The 26th Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 11th May 2022 at ING Bank in Amsterdam.  This was the first in-person EGAF meeting since January 2020.  The hybrid meeting was chaired by Otto de Jong from ING Bank.

It was attended by 26 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts. 10 people were in the room and there were 16 virtual participants.

Experts from the following organisations contributed to the meeting: Atruvia AG, Bits A/S, BKA, BVK, Cartes Bancaires (CB), Cennox, Damage Control, Diebold Nixdorf, Europol, Gendarmerie Nationale (IRCGN), GMV, Group-IB, INTERPOL, LINK Scheme, Mastercard, NatWest Group, NCR, Polish Bank Association, PSA, Swedish National Anti-Fraud Centre, TietoEVRY, TMD Security, and Worldline.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Discussion at the meeting focussed on two recent EAST Fraud Alerts relating to Active Shimmer (Wedge) / Relay attacks.

EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 270 Fraud Alerts have been issued as can be seen in the table below.

‘RaidForums’ marketplace taken down

The U.S. Department of Justice (DOJ) has seized the website and user database for RaidForums, a cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums, 21-year-old Diogo Santos Coelho, of Portugal, with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.  Two accomplices have also been arrested.

Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users.  This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.  These datasets were obtained from data breaches and other exploits carried out in recent years.

Europol’s European Cybercrime Centre coordinated Operation TOURNIQUET, a complex law enforcement effort to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The operation was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action, which enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.

The following authorities took part in the RaidForums investigation:

  • Sweden: Swedish Police Authority (Polisen)
  • Romania: National Police (Poliţia Română)
  • Portugal: Judicial Police (Polícia Judiciária)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt)
  • United States: US Secret Service (USSS), Federal Bureau of Investigation (FBI), Internal Revenue Service Criminal Investigation (IRS-CI)
  • United Kingdom: National Crime Agency (NCA)
  • Europol: European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT)

EAST EPTF holds 12th Meeting

The 12th Meeting of the EAST Expert Group on Payment and Transaction Fraud (EPTF) took place on Wednesday 13th April 2022.  It was conducted as a virtual meeting and was chaired by Rui Carvalho, EAST Development Director.

The meeting was attended by 17 key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors, Payment Services Providers, and Solution Providers.

Europol, INTERPOL and the DCPCU provided the law enforcement perspective, and the Ukrainian Interbank Payment Systems Member Association “EMA” gave a keynote presentation on the payments and fraud situation in Ukraine.

Short presentations were also made by Barclays, Cartes Bancaires, Diebold Nixdorf, HSBC, ING Bank, PAN-Nordic Card Association, SIBs, STMP, TietoEVRY and Worldline. Social engineering linked to non-banking fraud continues to be of concern and Investment Fraud is a rising issue.

EAST EPTF, which meets three times a year, adds value to the payments industry by using the unique and extensive EAST National Member and EAST Global Member platforms, and the Associate Member network, to provide information and outputs that are not currently available elsewhere. It is a specialist group that discusses security issues affecting the payments industry and that gathers, collates, and disseminates related information, trends and general statistics.

EAST National & Global Members represent 35 countries and outputs from the group are presented to EAST Global Congress Meetings.  There are 212 EAST Associate Member Organisations from 52 countries and territories.

ATM jackpotting attacks fall in Europe

EAST has published a European Payment Terminal Crime Report covering 2021 which highlights a fall in ATM jackpotting attacks.

ATM malware and logical attacks against ATMs were down 74% (from 202 to 52). All the reported attacks were aimed at ATM jackpotting, either using black box attacks or malware. A black box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, to ‘cash-out’ or ‘jackpot’ the ATM. Related losses fell from €1.2 million to €0.7 million.

EAST Executive Director Lachlan Gunn said, “This fall in ATM malware and logical attacks is great news and reflects the hard work that has been put in by the industry and law enforcement to address the issue. Most such attacks remain unsuccessful. A recent trend is a shift from logical black box attacks to malware attacks aimed at ATM jackpotting. When executed similar holes are made in the ATM fascia and so it can be difficult to work out which type of attack took place. Our Expert Group on All Terminal Fraud (EGAF) is focussed on countering such attacks, with close cooperation between industry partners and law enforcement. EGAF is working with Europol right now to update a document entitled ‘Guidance & recommendations regarding logical attacks on ATMs’, which has been a key tool in the fight against such attacks.”

Terminal related fraud attacks were down 8% (from 6,523 to 5,969 incidents). All fraud types were down except for cash trapping at ATMs, which increased by 14% (from 1,829 to 2,086 incidents). Total losses of €198 million were reported, down 9% from the €218 million reported in 2020. Most losses remain international issuer losses due to card skimming, which were €166 million.

ATM related physical attacks were up 6% (from 3,722 to 3,947 incidents). Attacks due to ram raids and ATM burglary were down 40% (from 749 to 447 incidents). ATM explosive attacks (including explosive gas and solid explosive attacks) were down 32% (from 923 to 629 incidents). Losses due to ATM related physical attacks were €10 million, a 55% decrease from the €22 million reported during 2020. 64% of these losses were due to explosive attacks, which were down 56% from €14.59 million to €6.35 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)

Vishing network taken down by Police

108 people have been detained on suspicion of being involved in investment fraud related ‘vishing’ activities from international call centres in Riga, Latvia and Vilnius, Lithuania.  The suspects are accused of defrauding victims across the world.

‘Vishing’, also known as ‘voice phishing’, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

The operation was carried out by the Latvian State Police (Valsts policija) and the Lithuanian Police (Lietuvos Policija), supported by Europol and Eurojust. On 24 and 25 March 2022 hundreds of officers, including special intervention teams, raided three call centres belonging to the same organised crime group (OCG). The OCG controlled up to 200 fake ‘traders’, speaking English, Russian, Polish and Hindi. These fraudsters would call unsuspecting victims promising lucrative investment opportunities and persuading them to part with their savings. The promoted investments in bitcoin, commodities, and foreign currencies were all fake. It is estimated that the fraudsters were making monthly profits of €3 million from the scam.

The coordinated police operation resulted in:

  • The detention of 80 people in Latvia and 28 in Lithuania
  • The seizure of cash, bank accounts and luxury vehicles
  • The seizure of €95,000 in cryptocurrencies

Europol’s European Financial and Economic Crime Centre (EFECC) supported the investigation by bringing together the national investigators from Latvia and Lithuania to establish a joint strategy and to organise the intensive exchange of evidence needed to prepare for the final phase of the investigation. Europol experts from both the EFECC and the European Cybercrime Centre (EC3) were deployed to Latvia and Lithuania to assist the national authorities with the action days.

Eurojust supported the investigation by setting up a joint investigation team (JIT) into the case within one week and organising a rapid coordination meeting. Further assistance was given with the execution of a European Investigation Order during the action day.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including investment fraud and ‘vishing’. The 11th EAST EPTF meeting took place on 10 November 2021.

EAST Publishes Fraud Update 1-2022

EAST has published its first Fraud Update for 2022.  This is based on country crime updates given by representatives of 22 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 6th (virtual) EAST Interim Meeting held on 9th February 2022.

The following countries supplied full or partial information for this Update:

Armenia; Austria; Belgium; Canada; Cyprus; Czech Republic; Finland; France; Germany; Greece; Hungary; Italy; Liechtenstein; Luxembourg; Malta; Mexico; Netherlands; Norway; Poland; Portugal; Romania; Russia; South Africa; Spain; Sweden; Switzerland; Ukraine; United Kingdom.

FRAUD TYPE

EAST Update

To date in 2022 the EAST Expert Group on All Terminal Fraud (EGAF) has published one related Fraud Alert.

FRAUD ORIGIN

DUE DILIGENCE

PHYSICAL ATTACKS

The full European Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:

FRAUD DEFINITIONS

FRAUD TERMINOLOGY

TERMINAL FRAUD DEFINITIONS

TERMINOLOGY FOR LOCATIONS OF CDC DEVICES AT ATMS AND OTHER TERMINALS

TERMINAL PHYSICAL ATTACK DEFINITIONS AND TERMINOLOGY