Attacks combined physical and digital exploits to land criminals $273,000

Arrests made over European ATM 'jackpotting' spree

Two Belarusian nationals have been arrested in connection with a spate of ATM ‘jackpotting’ attacks in which cash machines across Europe were illegally induced into dispensing €230,000 ($273,000).

Attackers gained access to ATM wires by “drilling holes or melting parts of it in order to physically connect the machine to a laptop which was then used to send relay commands that caused the machine to dispense all its cash”, according to a press release published today (July 29) by Europol.

An investigation coordinated by the EU law enforcement agency and its Joint Cybercrime Action Taskforce (J-CAT) found that criminals had conducted dozens of these ‘black box’ attacks in at least seven European countries.


The criminals only targeted a specific ATM model, said Europol. The agency declined to reveal the particular cash machine brand that was susceptible to the attack technique in its advisory.

The two suspects were arrested by Polish police in Warsaw, Poland on July 17.

The operation also involved law enforcement authorities from Germany, Austria, Switzerland, Slovakia, and the Czech Republic.

ATM vulnerabilities rife

Despite being such a lucrative target, ATMs often contain serious vulnerabilities, both physical and virtual, according to Malwarebytes.

In a 2019 guide to the ATM attack phenomenon, the infosec firm noted that the cabinets holding them weren’t particularly secure against physical attacks, and that many ATMs still ran on Windows XP, lacked peripheral-OS authentication, and exposed a potential malware vector in the form of a USB port behind the front panel.

ATM exploits have been a recurrent theme at security conferences ever since hacker Barnaby Jack induced an ATM into emptying all its cash onstage at Black Hat USA in 2010.

In last year’s all-virtual edition, Kevin Perlow, currently cybersecurity director at GE, discussed ATM malware variants INJX_Pure and FASTCash, the latter used by North Korean hackers to cash out tens of millions of dollars worldwide.

And last month Wired reported that a researcher had uncovered multiple vulnerabilities that meant ATMs could be hacked with a wave of his phone over their contactless credit card readers.

These (still undisclosed) exploits apparently included forcing at least one brand of ATM to dispense cash, but only in combination with exploiting additional vulnerabilities.

More crudely, criminals often simply wrench ATMs out of their foundations using trucks, hand tools, and even explosives.
