ATM Black Box attacks: 27 arrested all over Europe
Written by   
Thursday, 18 May 2017 11:25

The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across Europe.

Black Box attacks

Perpetrators responsible for this new and sophisticated method of ATM jackpotting were identified in a number of countries over different periods of time in 2016 and 2017. There were arrests in the Czech Republic (3), Estonia (4), France (11), the Netherlands (2), Romania (2), Spain (2) and Norway (3).

The ATM Black Box phenomenon first appeared in Western Europe in 2015, but most arrests took place in 2016 and 2017, with the most recent in Spain this month.

A Black Box attack is a type of logical attack on an ATM in which an unauthorised device (usually an unknown box or a laptop) is connected to the machine and sends dispense commands directly to the ATM cash dispenser in order to "cash out" the ATM.

Criminals usually gain access to the ATM top box by drilling holes or melting the casing in order to physically connect such a device. The device can then relay commands that cause the ATM to dispense all of its cash, so losses can be significant, running to hundreds of thousands of euros. This new modus operandi also shows the link between illegal cash-outs and the cyber-related techniques used in the background to make them possible.

Law enforcement cooperation

Perpetrators involved in ATM Black Box attacks come mainly from countries such as Romania, Moldova, Russia and Ukraine. Some of the investigations are still on-going and further arrests are expected in the near future.

The EC3 Analysis Project (AP) Terminal, which handles the operational coordination of cases at the European level, also cooperates with the ATM industry in order to detect Black Box incidents properly. It is worth stressing that most attacks are unsuccessful attempts, as joint public and private cooperation in this domain is improving. This release should serve as a warning to those who try to commit such attacks, but also encourage the ATM industry to implement proper protective measures against the threat.

A report from the European ATM Security Team (EAST) discloses that criminals carried out ATM Black Box attacks in 10 reporting countries during 2016. According to the EAST 2016 Crime Report, 58 such attacks in 2016 were reported by their National Members, compared with 15 in 2015; therefore a 287 percent increase was noted. Also, losses linked with overall ATM-related fraud rose 2 percent compared with 2015 (up from €327 million to €332 million).

Steven Wilson, Head of Europol’s European Cybercrime Centre, said: “Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However, the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place. This industry and law enforcement cooperation, combined with the work with banks and prosecutors, can make a major difference in stopping this growing form of crime.”

HandBrake malware attack led to theft of Panic apps’ source code
Written by   
Thursday, 18 May 2017 10:04

Oregon-based software company Panic Inc. has announced that some of the source code for their offerings has been stolen, and they are being blackmailed by the attackers.

Panic develops a string of popular apps for Macs and iOS, including FTP client Transmit and web editor Coda.

How were they compromised?

As discovered[1] the weekend before last, a malicious version of macOS video transcoding app HandBrake was offered for download for three days on an official but compromised download mirror.

Panic Inc. developer and co-founder Steven Frank had the bad luck of downloading a Trojanized version of the app, and not noticing something was amiss when it asked for admin privileges. This resulted in his machine being infected with the Proton RAT.

The Proton RAT allows attackers to monitor keystrokes, upload files to and download files from a remote machine under their control, perform webcam surveillance, and connect remotely to the infected machine.

“By the time news broke of the HandBrake infection, git credentials had already been stolen from my Mac and used to clone several of our source code repositories, according to our logs,” Frank explained[2].

“As soon as I discovered the infection on my Mac, I disabled it, took the Mac out of commission, and we began the incredibly lengthy process of changing all of my passwords, rotating the relevant secret keys throughout our infrastructure, and so on, to re-lock our doors and hopefully prevent anything else from being stolen.”

The investigation and a comb-through of the logs revealed that the attackers managed to clone some of the company’s source code, but Frank says that there is no indication that they obtained any customer information, Panic Sync data, or that their web server had been compromised.

What now?

The attackers got in touch via email, confirmed the theft of the source code, and demanded a large bitcoin ransom to prevent its public release.

But Panic developers decided that even if they pay, there is no guarantee that the attackers will go away without demanding more and more money. So, after debating how the release of the source code would affect their bottom line, they ultimately decided to risk it and revealed the breach themselves.

Their rationale for the decision was as follows: there are already cracked versions of their apps out there, and they don’t believe other Mac developers would ever risk using the leaked code in their own apps.

Panic is worried, though, that the code will be used to create malware-infected builds of their apps, and that those will be used to compromise other users.

They have notified the FBI about this breach, and asked Apple for help.

“Apple rallied the right security people quickly to learn all they could about our situation. They walked us through the best way to roll our Developer ID and invalidate the old one, which we don’t think was leaked, but we’re being overly cautious. And more importantly, the right people at Apple are now standing by to quickly shut down any stolen/malware-infested versions of our apps that we may discover,” Frank explained.

Still, he asked users to help them by notifying them if they find cracked or otherwise unofficial versions of their apps in the wild, or the stolen source code.

Finally, he advised everyone to download Panic-made apps only from the Mac App Store or the Panic website. “We are going to be hyper-vigilant about the authenticity of downloads on our servers,” he promised.


  1. ^ discovered (
  2. ^ explained (