France Breaks Up ATM Jackpotting Network

According to French prosecutors, an international network engaged in ATM jackpotting has been broken up by police (Source: AFP/SecurityWeek).

In a statement on Friday 15 May, Paris prosecutor Remy Heitz said that two suspects (aged 26 and 31), already known to the authorities, have been charged and placed in detention. He said that, between May 10-12, several individuals from the “Russian-speaking community” suspected of belonging to an “international jackpotting organisation” were detained in Colombes outside Paris, Laval in western France and the southern city of Nice, while trying to damage an ATM. The criminal group worked across Europe to insert malware into ATMs, attacking the machines at night. “A hacker, operating from abroad, would take control of the cash dispensing software,” the statement said.

Nineteen incidents across France have already come to light, with the financial damage estimated at €280,000.

“We have a new wave of ‘jackpotting’ in France,” Francois-Xavier Masson, head of France’s agency for combating crimes in information and communication technologies (OCLCTIC), told AFP, adding that more than 60 incidents have been identified since the end of 2019.  “There was a previous wave in 2018 and then it came to a halt, before resuming at the end of 2019. The way the groups act is changing, the teams are more international. But we are also changing how we act”, he added.

ATM jackpotting has become a recognised problem across the world in recent years. It is carried out either by using malware or by using an unauthorised device (known as a black box) to ‘jackpot’ or ‘cash-out’ an ATM. Typically all the cash in the machine is illegally ejected in such attacks, and collected by the criminals at the scene. The EAST Expert Group on All Terminal Fraud (EGAF) focuses on the prevention of malware and black box attacks and, since 2016, has produced 48 malware and black box related Fraud Alerts from 24 countries, which are available to EAST Members.

EAST EGAF has also produced standard definitions for both methods, which can be seen in the images below (for a full list of all Terminal Fraud Definitions and related criminal benefits see the Terminal Fraud Definitions page on this website).



Countering ATM Black Box attacks

Black box attacks on ATMs are a form of logical attack. To perform these ‘cash-out’ or ‘jackpotting’ attacks the criminals connect an unauthorised device (typically an unknown box or laptop) to an ATM. This device then sends dispense commands directly to the ATM cash dispenser in order to get it to spit out banknotes. In order to physically connect such a device the criminals gain access to the ATM’s Top Box by either drilling or melting holes.

The latest statistics published by EAST show that, while the number of black box attacks in Europe is increasing, related losses have fallen when comparing 2016 with 2015.  This drop can be partly attributed to the recent arrests by law enforcement agencies across Europe (in an operation supported by EC3, Europol’s European Cybercrime Centre) and partly to actions taken by the industry to counter such attacks.  The first black box attacks in the Czech Republic took place in August 2016 and three arrests were subsequently made there by the Police.  The industry also took actions to counter such attacks and, at the upcoming EAST Financial Crime & Security Forum (EAST FCS 2017), Petr Ullmann from NCR in the Czech Republic will give an update on the actions taken.

About Petr Ullmann

After graduating in 2007 Petr Ullmann started his career as an IT and network administrator in the automotive industry and went on to work for various Czech companies in IT administration and project management roles.  His key area of expertise was Enterprise Resource Planning (ERP) software – business process management software that allows an organization to use a system of integrated applications to manage the business and automate many back office functions related to technology, services and human resources.

In 2011 he joined NCR Česká republika, initially working as a member of a team working on a project for Tesco Plc in Central Europe.  Since then he has worked on several specific projects for NCR customers (banks and financial institutions) including the migration to Windows 7 and implementation of McAfee ePO.

Who Is Attending?

Over 150 delegates will attend EAST FCS 2017 from ATM networks, banks, law enforcement, vendors, and EAST national and associate members.

Book soon to ensure you don’t miss this great opportunity to attend what has been described as an “excellent event for helping to make a difference in the area of financial crime prevention”.

There are some sponsorship slots still available so, if you are in the business of ATM crime and fraud prevention and wish to showcase your brand to a key audience, contact us.

International Criminal Group responsible for ATM Malware attacks taken down

The Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), assisted by Europol and Eurojust as well as a number of European Law Enforcement authorities, disrupted an international criminal group responsible for ATM malware attacks.

This operation, one of the first in Europe against this kind of threat, resulted in multiple house searches in Romania and the Republic of Moldova and the final arrest of 8 individuals. The criminals used Tyupkin ATM malware which allowed the attackers to manipulate ATMs across Europe and illegally empty ATM cash cassettes.

The criminal group, composed of Romanian and Moldovan nationals, was involved in large scale ATM “Jackpotting”, causing substantial losses across Europe to the ATM industry.  ATM “Jackpotting” refers to the use of a Trojan horse, physically launched via an executable file in order to target an ATM, thus allowing the attackers to empty the ATM cash cassettes via direct manipulation, using the ATM PIN pad to submit commands to the Trojan.

Europol’s European Cybercrime Centre (EC3) supported police forces across Europe in their efforts to identify the suspects by hosting a number of international operational meetings and analysing intelligence. This joint international effort follows on from a previous successful action against the threat posed by this type of malware. For more information visit the EC3 Website.

EC3 recognises the severity of the threat presented by ATM logical and malware attacks and has prepared security guidelines regarding this new cyber threat to ATMs. The production of this document was coordinated by EAST, and is the first of its kind.

The guidance and recommendations regarding logical attacks on ATMs, which also cover malware attacks, are an excellent example of a coordinated central response from both Law Enforcement and the industry to fighting ATM malware threats in an effort to respond much more quickly and effectively.

These guidelines are available to Law Enforcement through Europol channels and to EAST Members (National and Associate).

EAST FCS 2015 highlights emerging threats to the ATM Channel

Over the last few years there has been a spike in malicious software capable of infecting and jackpotting ATMs, shifting the focus away from innovative, high-tech skimming devices and targeting a rapidly ageing ATM infrastructure. From malware such as Ploutus (originating in Mexico) to Tyupkin, attacks are evolving and growing both in sophistication and frequency.

In a European ATM Crime Report covering H1 2014 EAST reported an estimated 20 incidents of ATM Malware. These were ‘cash out’ or ‘jackpotting’ attacks and all occurred on the same ATM type from a single ATM deployer in one country. The report stated that, while many ATM Malware attacks have been seen over the past few years in Russia, Ukraine and parts of Latin America, this was the first time that such attacks were reported in Western Europe.

In a European Crime Report covering the full year 2014 EAST reported 51 such incidents, with related losses of €1.23 million.

The EAST Financial Crime and Security Forum (EAST FCS 2015), which will be held in The Hague on 11th and 12th June 2015, will include strategic and technical presentations about this emerging problem as follows:

ATM Jackpotting and Cyber-Skimming – an Update from Ukraine: will highlight payment fraud issues identified in Ukraine and neighbouring countries, trends in skimming and recent developments in Jackpotting attacks

ATM Compromise with and without Whitelisting: a demonstration to show how a Windows ATM platform can be compromised through malware infection

Pen-testing – Current and Future Exploits in ATM Networks: a Case Study on work carried out to secure a national ATM Network

ATM Compromise with and without Whitelisting

ATM compromise through the use of malicious software is on the increase across the world. At EAST FCS 2015 a demonstration will show how a Windows ATM platform can be compromised through malware infection – this will be done using advanced techniques that evade anti-virus and whitelisting protection. A virtual ATM machine running on Windows XP and Windows 7, with an XFS layer both with and without application whitelisting, will be infected using known ATM malware.

The demo will be carried out by Alexandru (Alex) Mihai Gherman, Principal Security Consultant, FortConsult. In a follow-up demo, he will then show how to compromise a Windows ATM platform that is protected by a well-known whitelisting solution used by many banks, highlighting the various security features. The ATM will be infected with malware used for a jackpotting attack. The infection will use process and library memory injection techniques and will attempt to exploit vulnerabilities in the binaries that are supposedly protected by the whitelisting solution, leading to deactivation and system compromise.

About Alexandru Mihai Gherman

Alex is a computer security specialist with over 14 years’ experience. As Principal Security Consultant at FortConsult he specialises in Research & Development, Security Incident Response, Forensic and Malware Analysis, Application Security, and Mobile Security.

He has a strong focus in reverse engineering malware, incident response and forensics, reverse engineering software (including ARM and MIPS embedded systems), vulnerability research and analysis, and in smartphone hardware, software and malware analysis (Android and Apple iOS).

His professional experience includes attack techniques such as Shell Coding, ELF and dynamic-linking, stack overflows, Ret2libc, Return-Oriented Programming (ROP), heap spraying, application-level heap attacks, stack flapping and defeating ASLR and DEP. He is well versed in Python, Java and C/C++, and has specialised in internal and external penetration testing of applications, networks and wireless networks, and in testing Web Application Programming Interfaces (REST-based, JSON, SOAP) against OWASP vulnerabilities.

He is currently involved in researching reverse engineering software running on Atmel microcontrollers, ARM and MIPS embedded devices and car hacking.