ATM vendor warns customers of black box attacks in Europe

In a new type of attack, criminals connect an external device to an ATM's internals and command it to spit out cash

ATM maker Diebold Nixdorf has issued an alert to warn customers of a new type of black box 'jackpotting' attack, which involves cyber crooks using proprietary software to steal cash from the machines.

Diebold Nixdorf says it recently became aware of several black box jackpotting attacks targeting ProCash terminals in some European countries. In most of these incidents, the criminals weree targetting ProCash 2050xe USB terminals.

In a traditional black box attack, attackers attach an external device (usually a laptop or Raspberry Pi board) to the ATM dispenser, which enables them to dispense cash from the machine by giving commands to its cash-handling compartment. However, to achieve that an intruder has to unfasten an ATM outer case or to cut a hole in the casing in order to access its ports, internal wiring or other connectors.

The new variant of the black box attack appears to contain parts of Diebold Nixdorf's proprietary software stack. The attackers connect their external device to the ATM internals and issue commands for the machine to spit out cash.

In recent incidents the attackers destroyed parts of the fascia to gain physical access to the ATM's head compartment and unplugged the cable between the CMD-V4 dispenser/ATM PC and the special electronics. Then they connected the cable to their own black box to issue illegitimate dispense commands.

Diebold is currently investigating how fraudsters were able to obtain the parts of the company's proprietary software. An offline attack against an unencrypted hard disc could be one possibility, the firm believes.

The attackers' new modus operandi was uncovered after a series of ATM attacks in Belgium last month. Following these attacks, Belgian bank Argenta was forced to shut down 143 of its ATMs.

Law enforcement agencies are yet to apprehend the criminals behind the attacks.

Diebold Nixdorf is urging banks and other customers to continually review their ATMs, specifically those in outdoor locations, to ensure that they have not been tampered with by cyber criminals.

"Diebold Nixdorf is continuing to analyse these new attacks," the firm says in its alert [pdf].

"During this process, the company would like to point to the recommendations for countermeasures against the known logical attack vectors and the importance of their implementation."

To mitigate the risks of attacks against ATM, the firm recommends: