ATM manufacturer Diebold Nixdorf has issued an alert warning banks of a spike in ATM “black box” attacks targeting ProCash terminals in certain European countries.
An ATM black box attack (aka jackpotting) is a type of attack in which criminals gain access to ATM's internal infrastructure by cutting holes into the fascia or top of the device. From there they disconnect the machine’s cash dispenser and attach it to an external electronic device, so called “black box,” which uses native ATM commands to force the machine to release currency, bypassing the need for a card or transaction authorization.
According to Diebold Nixdorf, it spotted a new variation of the ATM black box attack targeting ATMs in Europe.
“In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands,” the ATM maker explained.
The interesting part was that in some cases the black box contained individual parts of the software stack of the attacked ATM. Currently, Diebold Nixdorf is investigating how criminals have obtained a copy of the ATM software. One theory is that fraudsters obtained the firmware via offline attack against an unencrypted hard disk.
The Diebold Nixdorf has started its investigation after it received reports about a series of jackpotting attacks targeting ATMs in Belgium that have been occurring since June. According to The Brussels News, in mid-July the Antwerp-based savings bank Argenta had to shut down 143 cash machines after a series of jackpotting attacks aimed at ATMs manufactured by Diebold Nixdorf that were due to be replaced in the near future. Argenta did not reveal how much (if any) money was stolen in the attacks.