ATM Malware attacks hit Europe

EAST has just published a European Payment Terminal Crime Report covering 2017 which reports that ATM malware attacks have started in Western and Central Europe. A total of 192 ATM malware and logical attacks were reported, up from 58 in 2016, a 231% increase.  189 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.

The use of malware for cash-out was seen for the first time in Western and Central Europe with 3 such attacks reported by two countries.  Related losses were up 230%, from €0.46 million to €1.52 million.  EAST Executive Director Lachlan Gunn said, “The use of malware, such as Cutlet Maker, to cash-out ATMs has been around for some time but has not been reported in Western or Central Europe until 2017.  Early indications are that such attacks are continuing this year, although the recent related arrests announced by Europol are encouraging.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all malware threats to payment terminals, while our Payments Task Force (EPTF) is focusing on malware threats against the wider banking infrastructure.”

Overall payment terminal related fraud attacks fell 11% when compared with 2016 (down from 23,588 to 20,971 incidents).  This fall was mainly driven by a 23% decrease in card skimming incidents (down from 3,315 to 2,556 incidents).  This is the seventh successive year that the number of skimming incidents has fallen and the number of incidents reported in 2017 is the lowest since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were up 6% when compared with 2016 (up from €332 million to €353 million).  Within these totals international skimming losses rose by 5% (up from €267 million to €280 million) and domestic skimming losses were up 21% (from €53 million to €64 million).

ATM related physical attacks rose 21% when compared with 2016 (up from 2,974 to 3,584 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 9% (up from 988 to 1,081 incidents).  Losses due to ATM related physical attacks were €31 million, a 37% drop from the €49 million reported during 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss for a robbery is estimated at €16,899 per incident, the average cash loss for a ram raid or burglary attack is €12,804 and the average cash loss per explosive or gas attack is €12,591.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

ATM Black Box Attacks continue to rise

ATM black box attacksEAST has just published a European Payment Terminal Crime Report covering the first six months of 2017 which reports that ATM black box attacks took place in eleven countries.

A total of 114 such attacks were reported, up from 28 during the same period in 2016, a 307% increase.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were up 268%, from €0.41 million to €1.51 million.  EAST Executive Director Lachlan Gunn said, “This sees the continuation of a trend that we first reported in April of this year when we published full year statistics for 2016.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all logical threats against payment terminals and against the wider banking infrastructure.”

Overall payment terminal related fraud attacks rose 10% when compared with H1 2016 (up from 10,820 to 11,934 incidents).  This rise was mainly driven by an 88% increase in transaction reversal fraud (up from 4,840 to 9,081 incidents).  The downward trend for card skimming continues with 1,221 card skimming incidents reported, down 22% from 1,573 in H1 2016.  This is the lowest number of skimming incidents reported since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were down 29% when compared with the same period in 2016 (down from €174 million to €124 million).  Within these totals international skimming losses fell 32% (down from €142 million to €96 million) and Domestic skimming losses fell 15% (down from €26 million to €22 million).

ATM related physical attacks rose 6% when compared with H1 2016 (up from 1,604 to 1,696 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 2% (down from 492 to 481 incidents).  Losses due to ATM related physical attacks were €12.2 million, a 55% drop from the €27 million reported during the same period in 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss per explosive or gas attack is estimated at €14,575, the average cash loss for a robbery is €10,357 per incident and the average cash loss for a ram raid or burglary attack is €9,761.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

ATM Black Box Attacks

The full Crime Report is available to EAST Members (National and Associate)