Ransomware groups and cyber criminals in all forms have used the pandemic to their advantage, according to the new edition of Europol’s Internet Organised Crime Threat Assessment (IOCTA). The market for criminal goods and services – personal, marketable information – is booming, according to the report.
Europol’s Executive Director Catherine De Bolle said in a foreword to the document that cybercriminals have continued exploiting opportunities created by lockdowns and continued teleworking. “Ransomware affiliate programs have increased in prominence and are tied to a multitude of high-profile attacks against healthcare institutions and services providers. Mobile malware operators and fraudsters have leveraged the increased reliance on online shopping services and are increasingly using it as a part of their modi operandi to access their victims’ bank accounts.
“Children spending more time online has made them more susceptible to grooming, leading to an increase of self-produced exploitation material. Many of the threats in the cybercrime landscape are exacerbated by the growing crime-as-a-service market on the Dark Web. Malware-as-a-service offerings and the auctioning of people’s stolen data enable the planning of future attacks. Criminals also continue improving their operational security by abusing end-to-end encrypted communication services and cryptocurrencies.”
In more detail, ransomware groups are scanning potential targets’ networks for insecure remote desktop protocol (RDP) connections and keeping an eye on known virtual private network (VPN) vulnerabilities. As mobile banking has become more popular, so have mobile banking trojans become a threat.
Ransomware criminals are focusing more on high-value attacks on large organisations and their supply chains, while social engineers are shifting their attention towards upper-level management, the report says. Here it points to the well-publicised cyber attacks on software – Microsoft Exchange Server, SolarWinds and Kaseya.
Much of what the 2021 report describes was already going on pre-Covid, such as ransomware ‘crews’ deploying double-extortion methods by exfiltrating victims’ data and threatening to publish it. The report says: “In the past 12 months, the arsenal of coercion methods has expanded with cold-calling journalists, victims’ clients, business partners and employees.”
As for investment fraud, criminals set up local call centres to increase their credibility with victims who speak different languages, as well as retargeting their ‘customers’ – ‘once a person has realised that their investments have been stolen, fraudsters contact them again under the pretext of representing law firms or law enforcement’. Dark Web users are increasingly using Wickr and Telegram as communication channels or to bypass market fees; and ‘grey infrastructure’ is increasingly helping Dark Web users thrive.
And as for what to do about the threats, the report advises that companies, ‘especially those operating outside the European Union’, have to improve their Know Your Customer (KYC) and information disclosure practices. But, the report admits, ‘cybercrime has become entrenched in our society’. And it’s ‘rapidly evolving’. Criminal markets ‘provide all the necessary tools, goods and services to novice and established criminals’.
The report details online frauds such as shopping delivery fraud and business email compromise (BEC); concerns over proliferation of child sexual abuse material (including online grooming); how ‘crime-as-a-service continues to proliferate’; and how use of grey infrastructure enhances criminals’ operational security. DDoS attacks have re-emerged, accompanied by ransom demands.
You can freely download the 45-page document at the website of Europol, the European Union’s policing agency.
Chris Waynforth, AVP Northern Europe at cyber product firm Imperva, said: “This is further evidence of how much of a threat ransom attacks pose to businesses, including those that go beyond ransomware. Our research has seen a surge in ransom-focused DDoS attacks, partly because they can be even easier to carry out than ransomware attacks. It’s no coincidence that the number of DDoS attacks has quadrupled in the last year. Using rapid-fire attacks, averaging just 6 minutes, cyber-criminals demonstrate their capabilities to businesses before sending an extortion demand, threatening much larger attacks if payments aren’t made.
“Hackers are carrying out ransom attacks because they are one of the fastest ways to big profits, and their tactics go beyond just using malware. Businesses need to have proper cyber-resiliency strategies in place so that no matter what sort of ransom attack comes their way, the impact is minimised and operations can continue.”