ATM makers Diebold Nixdorf warn of new ATM ‘black box’ attacks in Belgium that make ProCash 2050xe ATM terminals spew cash
Hackers are using a new type of ATM “black box” attack to make ATMs spew cash. These new black box attacks were first spotted in Belgium targetting Diebold Nixdorf manufactured ProCash 2050xe ATM terminals.
ATM “black box” attack is a type of ATM jackpotting attack. Jackpotting means manipulating the ATM operating system to spew out cash as they show in the movies. Jackpotting usually involves hackers physically accessing the ATM terminal through a malware-laden device. Black box attack is more of a technical attack that involves wiring. To execute a black-box attack, the hacker has to first open the outer casing of the terminal and access to its ports or make a hole to directly access its internal wiring.
Once the criminals cut holes into the fascia or top of the ATM to gain access to its internal infrastructure, they disconnect the ATM’s cash dispenser and attach it to an external electronic device called a black box. The black box sends commands to the dispenser to push out cash, bypassing the need for a card or transaction authorization.
The black box is a small networked device, usually a laptop or a Raspberry Pi. It has pre-written software to directly connect to ATM’s core cash dispenser and release cash from the storage cassettes. The black box attack was first discovered in 2012. Black box ATM attack usually involves a non-bank ATMs as they are often secluded. However, black-box ATM attacks have been rare as they were replaced by the malware attacks which require lesser electrical knowledge.
Diebold Nixdorf is one of the largest ATM makers in the world and most of the ATMs in Europe are their installations. They have issued a security alert regarding a new variation of ATM black box attacks being executed in Europe. Diebold Nixdorf says that new attacks have been exploited only against ProCash 2050xe ATM terminals [PDF], with the attackers connecting to the device via USB ports. The attackers seem to have deep knowledge of ProCash dispensers according to the the report.
In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands.
Diebold Nixdorf report
The new version of the Black box attack was first discovered during the last week of June 2020 when a series of jackpotting incidents were reported in Belgium. The attacks forced Belgian savings bank Argenta to shut down 143 ATMs last month after suffering two mysterious ATM jackpotting attacks, one in June, and one last weekend. Both were of Diebold Nixdorf ProCash 2050xe ATM terminals.
Brussels Times reported that this was the first time jackpotting attacks happened in Belgium and the hackers used exactly the same technique described in the Diebold Nixdorf alert to empty the ATM.