Cybercriminals in 2017 and 2018 made extensive use of a toolkit named KoffeyMaker in a number of black box ATM attacks on Eastern European financial institutions. Kaspersky Lab investigators who analysed KoffeyMaker found that the laptops used in the attacks carried ATM dispenser drivers together with a patched copy of the KDIAG tool. The attackers exploited this weakness by gaining physical access to the ATM, connecting the laptop to the cash dispenser and leaving. They then used a USB GPRS modem to reach the laptop remotely, ran the KDIAG tool and issued the command that made the ATM dispense cash, which a second attacker collected.
Black box attacks of this kind are a newer form of logical attack and are becoming increasingly common. Rather than exploiting individual software vulnerabilities, the attackers carry out logical attacks through the machine's existing protocols, communication channels and middleware. They typically gain physical access to the ATM's USB ports in order to load malware or attach a black box device. Although these techniques are newer and differ from traditional network-based attacks and card skimming, they are at least as effective.
Black box attackers generally need no knowledge of the ATM's application software or operating system. The black box simply relies on the outputs it receives in response to its inputs, and it usually leaves no trace on the payment terminal itself. Investigators and researchers describe the exchange as an input, a dispense request submitted from the black box, and an output, either cash being dispensed or the request being terminated. ATMs located away from bank premises, and ATMs with outdated or weak physical barriers, are the most exposed, because attackers can reach the hardware with little difficulty.
Experts have observed that even ATMs installed on bank premises are vulnerable to these attacks. Some immediate measures can help resist them: keeping software and hardware up to date, with particular attention to black box attacks; regular monitoring and careful inspection of ATMs, especially machines that are not installed on bank premises; using hardware encryption on the link between the machine's dispenser and its computer; and implementing stronger data security measures overall.
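The last measure, protecting the link between the ATM computer and the dispenser, is the one that directly addresses a black box, because the black box works by injecting dispense commands onto that link. The following toy simulation is an added example written for this page; it is not code from the article, from Kaspersky Lab or from any ATM vendor, and the frame format, the pairing key and the dispenser classes are all constructed for illustration (real dispensers use vendor-specific protocols). It contrasts a dispenser that executes any well-formed command with one that requires each command to carry a fresh nonce and an HMAC computed with a key paired to the ATM computer, and it keeps an audit log that a monitoring process could inspect.

```python
"""Constructed model of the ATM computer <-> cash dispenser link.

Shows why an unauthenticated dispenser link is exposed to injected commands
and how a keyed MAC with a replay counter closes that gap. Everything here
(frame layout, key, class names) is an assumption made for the example.
"""
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key would be provisioned into
# the dispenser's secure hardware and the ATM computer during pairing.
SHARED_KEY = b"demo-pairing-key-not-a-real-secret"


def _mac(key: bytes, op: str, amount: int, nonce: int) -> str:
    """HMAC-SHA256 over the command fields, binding op, amount and nonce."""
    msg = f"{op}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_command(key: bytes, amount: int, nonce: int) -> bytes:
    """ATM computer side: an authenticated dispense frame."""
    frame = {"op": "DISPENSE", "amount": amount, "nonce": nonce,
             "tag": _mac(key, "DISPENSE", amount, nonce)}
    return json.dumps(frame).encode()


def build_unauthenticated_command(amount: int) -> bytes:
    """A frame with no authentication fields, as seen by a dispenser that
    accepts anything well formed on the link (the weak setting)."""
    return json.dumps({"op": "DISPENSE", "amount": amount}).encode()


class UnauthenticatedDispenser:
    """Weak setting: executes any syntactically valid dispense command."""

    def __init__(self) -> None:
        self.dispensed = 0

    def handle(self, frame: bytes) -> str:
        cmd = json.loads(frame)
        if cmd.get("op") != "DISPENSE":
            return "REJECT:unknown-op"
        self.dispensed += int(cmd["amount"])
        return "OK"


class AuthenticatedDispenser:
    """Hardened setting: verifies a keyed MAC and a strictly increasing nonce
    before moving any cash, and records every decision for monitoring."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_nonce = 0
        self.dispensed = 0
        self.log = []  # audit trail: ("OK", nonce, amount) or ("REJECT", reason)

    def _reject(self, reason: str) -> str:
        self.log.append(("REJECT", reason))
        return "REJECT:" + reason

    def handle(self, frame: bytes) -> str:
        cmd = json.loads(frame)
        if cmd.get("op") != "DISPENSE":
            return self._reject("unknown-op")
        if "tag" not in cmd or "nonce" not in cmd:
            return self._reject("unauthenticated")
        nonce = int(cmd["nonce"])
        if nonce <= self.last_nonce:  # replayed or stale frame
            return self._reject("replay")
        expected = _mac(self.key, "DISPENSE", cmd["amount"], nonce)
        if not hmac.compare_digest(expected, str(cmd["tag"])):
            return self._reject("bad-mac")
        # Only a verified, fresh command advances the counter and moves cash.
        self.last_nonce = nonce
        self.dispensed += int(cmd["amount"])
        self.log.append(("OK", nonce, int(cmd["amount"])))
        return "OK"


def simulate() -> dict:
    """Drive both dispenser models with the same traffic and return a summary."""
    weak = UnauthenticatedDispenser()
    hardened = AuthenticatedDispenser(SHARED_KEY)

    legit = build_command(SHARED_KEY, 100, nonce=1)
    raw = build_unauthenticated_command(500)
    # A genuine frame whose amount was altered after the MAC was computed.
    tampered = json.loads(build_command(SHARED_KEY, 100, nonce=2))
    tampered["amount"] = 9000

    results = {
        "weak_legit": weak.handle(legit),
        "weak_raw": weak.handle(raw),
        "hardened_legit": hardened.handle(legit),
        "hardened_raw": hardened.handle(raw),
        "hardened_replay": hardened.handle(legit),  # same frame a second time
        "hardened_tampered": hardened.handle(json.dumps(tampered).encode()),
        "weak_total": weak.dispensed,
        "hardened_total": hardened.dispensed,
        "hardened_log": hardened.log,
    }
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The weak dispenser pays out on every frame it receives, so a device inserted on the link controls the cash. The hardened dispenser pays out only for the one genuine frame: the unauthenticated frame, the replayed frame and the tampered frame are all refused, and each refusal is logged, which is the signal a monitoring process should raise an alert on.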