Euro cyber threat assessment

by Mark Rowe

Cybercrime is becoming more aggressive and confrontational, suggests the 2015 Internet Organised Crime Threat Assessment (IOCTA). This annual presentation of the cybercrime threat landscape by Europol’s European Cybercrime Centre (EC3) covers the developments, changes and emerging threats in cybercrime.

Covered are payment fraud, online child sexual exploitation, social engineering, data breaches and attacks on critical infrastructure, as well as criminals’ communications and finance online.

The document speaks of a shift from hidden, stealthy interventions by highly competent hackers towards direct, confrontational contact between the criminal and the victim, “where the victim is put under considerable pressure to comply with the perpetrator’s demands.” Examples are DDoS attacks, deployment of ransomware, and sextortion; and breaches of sensitive personal data, such as dating sites. “The psychological impact on victims is much stronger due to the brutal confrontational manner in which the victim is coerced. It can be likened to the difference between a burglary where the victim detects afterwards that things have been stolen, versus an armed robbery where the victim is forced to hand over personal belongings to the criminal.”

The assessment offers a view mainly from a law enforcement perspective, based on contributions by EU member states and the input of Europol staff, with input from private industry, the financial sector and academia. The 76-page assessment also points to:

  • Malware, particularly ransomware, remains a key threat for private citizens and businesses both in terms of quantity and impact.
  • A lack of digital hygiene and security awareness contributes to the long lifecycle of exploit kits using well-known attack vectors but also provides new attack vectors as the number of devices in the Internet of Things grows.
  • Growing Internet coverage in developing countries and the development of pay-as-you-go streaming solutions providing a high degree of anonymity to the viewer are furthering the trend in the commercial live streaming of child sexual abuse.
  • The use of anonymisation and encryption technologies is widening. Attackers and abusers use these to protect their identities, communications, data and payment methods.

CEO fraud

The document points to an increase in what it calls ‘CEO fraud’, ‘which is now leading to significant losses’. The modus operandi involves social engineering to gather ‘actionable intelligence’, so that someone can impersonate the CEO, or CFO (chief finance officer) of the company. “The attacker will contact an employee targeted for their access and request an urgent transaction into a bank account under the attacker’s control. The request may be channelled via email or telephone. Subsidiaries of multinational companies are often targeted, as employees working for regional cells do not usually personally know senior management in the holding company and may be fearful of losing their job if they do not obey their ultimate boss. The scam does not require advanced technical knowledge as everything the attacker needs to know can be found online.” The document describes social engineering as ‘one of the most prevalent attack vectors and one of the hardest to defend against’.

Society, and crime, is turning to cyber, and that includes digital evidence in a case of murder: “Mobile devices, CCTV footage, board computers, cloud storage, online purchases and virtual currencies can all contribute to establishing the whereabouts, contacts and financial transactions of the victim that may lead to finding the killer. Knowing the possibilities will increase the chances of solving crimes, also those that are not related to any form of cybercrime. It will, however, put increasing pressure on the computer forensic capabilities to keep up with the increasing workload.”

As for catching the criminals, the report says that law enforcement has convincingly demonstrated its competence in dealing with cybercrime, thanks to international work and partnering with private industry. “Fighting cybercrime is a shared responsibility and one that cannot be shouldered by law enforcement alone.” That said, the report points to what it terms ‘the lack of judicial cooperation possibilities’ with such named countries as Russia and such regions as eastern Europe and south-east Asia; not enough exchange of information with the private sector; and ‘unclear or unaligned legal frameworks within the European Union’. The report questions whether going after the coders of malware will work, as ‘there is no shortage of skilled coders’. As cybercrime investigation is often complex, the report suggests going after the criminal infrastructure, such as ‘groups providing enabling services’ so that others can carry out spam and phishing attacks; and educating computer users ‘to build a solid defensive foundation’.

As for user awareness, however, the report warns: “Cyber security is lagging behind. Although solutions for many of the exploited vulnerabilities are available, the delay in implementing the remedies or even the absence thereof contributes to the ease with which malware can be re-sold and re-used successfully, even by technically unskilled criminals.” Given the lack of self-regulation by cyber firms, the report’s authors suggest that ‘minimum security requirements’ in cyber become law, without detailing who would make and enforce such standards.

The document admits: “Now, where traditional high-volume crimes, like burglaries and shoplifting, are dealt with in the first instance by local police services, the modern types of simple high-volume crimes, like the use of stolen payment credentials for online shopping, are often too complicated for the local police to deal with.”

The document admits that breached organisations haven’t seen law enforcers as a first port of call, but suggests that may be changing, as how an organisation responds to a breach becomes as important as whether it has had one.

In an appendix, the report goes into the ‘encryption debate’, quoting Prime Minister David Cameron, and the conflict between law enforcement wanting to decipher criminal use of encryption, and citizens wanting privacy from Government. For example, a blanket ban on encryption would be likely to be flawed unless all providers did exactly the same. The only practical answer may be an ‘obligation to disclose’ your use of encryption, likened to refusing to take a breath test to see if you are over the drink-driving alcohol limits.

The document takes a look at possible futures, such as artificial intelligence (AI)-based machines used in the commission of crime. Do we expect AI to act better than humans?

To view online visit https://www.europol.europa.eu/.

© 2024 Professional Security Magazine. All rights reserved.