Hackers have stolen money from at least 35 Italian ATMs (Automatic Teller Machines) using the black box attack technique. Such attacks are not new, but these hackers employed a new technique that was first used in Belgium earlier in the year. Italian law enforcement officers confirmed that the hackers stole around €800,000 over a seven-month period.
ATM Black Box Attack Explained
A Black Box attack is a type of jackpot attack. Jackpot attacks are carried out by using malware and/or a piece of hardware to trick ATMs into dispensing all their cash. The hardware used is called a “black box”, which is attached to the ATM.
For hackers to be able to attach the black box to the ATM, they need to remove the outer casing or cut a hole into it. This exposes the machine’s ports, internal wiring and other hidden internal connectors. The hackers then use these connectors to attach the black box device. Next, the black box is used to send commands to the ATM’s cash dispenser to release all the cash from its storage cassettes.
ATM black box attacks are extremely popular with hackers, as such attacks are easy to perform. These attacks are simpler and cheaper to perform than the old-fashioned techniques of card skimming or card cloning, for example. Black Box attacks can be conducted by lower-skilled hackers since all they need to do is purchase the black box. These devices are available on the dark web, as is any associated malware required to compromise the ATMs. Furthermore, there is no need to launder the money.
New Variation to the Black Box Attack
In July, Diebold Nixdorf, a leading ATM manufacturer, sent out a security alert warning all banks using its equipment. The warning was issued after the Belgian bank Argenta was forced to close its 143 ATMs following a Black Box attack on two of its machines. This was the first time that the new Black Box attack variant was seen in Europe.
Diebold Nixdorf’s researchers discovered that the hackers were no longer deploying malware to interact with the ATMs. Instead, the hackers seemed to have used a copy of the ATMs’ firmware. The hackers then installed the ATMs’ firmware on their black box and used it to interact with the cash dispenser.
Diebold Nixdorf is currently investigating how the hackers managed to obtain the code to its ATMs’ firmware. “One possibility could be via an offline attack against an unencrypted hard disc,” speculates the company in the security alert.
Italian ATMs Targeted
The new Black Box attack variant was used in recent attacks against 35 different ATMs operated by Italian banks. Post office cash dispensers were also attacked. Italian law enforcement confirmed that the criminal gang stole about €800,000 from Italian ATMs in the last 7 months.
Investigations into the Black Box attacks in Italy revealed that the gang comprised 12 members. 6 gang members have already been arrested. Of the remaining 6 gang members, 3 are being held in Poland. One returned to Moldova, where he was also detained. Italian media does not provide the whereabouts of the other 2 members, but it says that they may no longer be in Italy.
Italian media also states that the gang had several logistical bases located in the provinces of Milan, Monza, Bologna, Modena, Rome, Mantua, Vicenza and Parma. The criminals were apparently very careful and took many precautions to evade capture. They changed their identities, used cars registered in fake names, and used multiple throwaway mobiles. The gang also planned each hit in great detail and assigned specific tasks to each member.
Surge in ATM Black Box Attacks
The European Association for Secure Transactions (EAST) reports that Black Box attacks have surged in the last year. EAST counted 35 Black Box attacks in the first half of 2019 and 129 attacks in the first half of this year. This represents a 269% increase in attacks. Losses rose from under €1,000 in the first half of last year to just over €1 million this year.
In the US, Atlanta-based ATM manufacturer NCR has warned that it has seen a surge in attacks against ATMs there. NCR has urged operators to better defend ATMs by potentially using armor for them. It has also suggested using ink or glue to mark the stolen money.