Europol said in a statement last week that 27 people have been arrested for their connection to a string of successful black box attacks against ATMs across Europe. Since 2016, these attacks have resulted in more than €0.45 million in losses.
Attacks against ATMs are not unknown to the security world, especially not since security researcher Barnaby Jack coined the term jackpotting during the Black Hat conference in 2010.
Last year, researchers at Kaspersky Labs demonstrated a black box attack using a maintenance worker's key, and opened the ATM directly to control the dispenser via a smartphone.
The 27 people recently arrested conducted their crimes by brute-forcing the ATM directly. These attacks first surfaced in 2015, but gained momentum in early 2016, resulting in the theft of millions of Euro.
The brute-force black box attack starts by punching a hole into the ATM's casing (sometimes the case is melted), and connecting a laptop to the exposed cables or ports. From there, the criminals issue commands to the ATM dispenser to cash-out the machine.
The average loss, according to reports from the European ATM Security Team (EAST) will range from €14,890 to €20,293, but their figures also include other physical attacks, not just black boxing.
The arrests reported by Europol were part of a coordinated law enforcement effort in the Netherlands (2 people), Romania (2 people), Spain (2 people), Norway (3 people), Czech Republic (3 people), Estonia (4 people), and France (11 people).
The investigations though are still ongoing, and more arrests are expected.
"Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place," said Steven Wilson, Head of Europol’s European Cybercrime Centre
According to EAST, while the number of black box attacks against ATMs are up, the other physical attacks are the most common, and often result in additional collateral damage.
"ATM related physical attacks rose 12% when compared with 2015 (up from 2,657 to 2,974 incidents). Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 47% from the previous year (up from 673 to 988 incidents)." – EAST, 11 April 2017 (2016 ATM Crime Report)