Appendices

A1. The criminal exploitation of the Internet: Views of the academic advisors

The past is much easier than the future to predict, and in an area as dynamic and rapid in its development as eCrimes, it is risky to predict far ahead. There are many ways of approaching the issue of threats, but one helpful way is to break them down into the components of capabilities, intent, and vulnerabilities, both technical and social. An important component of organised crime is scalability, and this is what the web (or webs) have brought to us, enabling much smoother interaction between distant and personally unknown offenders than was possible before, and a huge increase in certain forms of criminality, industrialising crime capabilities to the less technically competent via online kit sales. This in turn creates substantial and permanent problems for individuals, businesses and nation states for awareness of risk, prevention and cross-border policing, as crimes can occur simultaneously in multiple jurisdictions from which the offender is absent, as well as problems for justice systems which have enough difficulty in coping with offline crimes, let alone online ones.

Although legal frameworks are important both to surveillance and to cross-border cooperation and evidential admissibility for forensic purposes, even with large increases in cyber-staffing and retraining that are hard to achieve in the climate of European austerity, it is impossible to prosecute our way to eliminating or even very substantially reducing e-crimes. We need to prioritise our resources, leverage public-private cooperative relationships, and marshal our resources carefully to maximise their impact on harms of different kinds. All crime for gain lies at the intersection between what offenders seek to do and what we do (intentionally or not) to counteract it, and we need to live in a constant state of preparedness to manage evolving risks.

We need to find ways of motivating European and non-EU MS to act on our behalf against offenders who may not be harming victims in their own jurisdiction, and to support Europol in their analytical and co-ordinating efforts in that direction.

We feel privileged to have contributed to the accompanying threat assessment, and here we offer some brief collective comments on a set of issues that we think are important, to supplement the material that Europol has generated with our modest input as ‘critical friends’.

Crime-as-a-Service

Malware

The volume of new malware, the speed at which it evolves and the new methods by which it is being deployed should not be underestimated. Criminals are finding new victims who fall for old tricks as well as developing new ways of infecting even the most knowledgeable. The current commercial product sets struggle to keep up and we feel that there is a growing need for new approaches to defence in this space.

Attacks on Mobile Devices

As we pass the point where the majority of people around the globe use mobiles to connect to the Internet, we believe that mobile devices are the current battleground where criminals have the upper hand. With a steady stream of vulnerabilities identified in the Android operating system, which is the single most widely used platform, as well as exploits emerging for what were previously considered secure systems such as iOS, we believe that law enforcement will continue to see cyber-crime on mobile devices as the single biggest challenge.

Credit, Payment Card and Bank Online Fraud

The success of EMV has driven an increasing proportion of crime on European payment cards to Card Not Present, where the PIN may not have to be known. The PIN-less world is shrinking, and even the US is adopting it, so the proportion of card fraud that is online will continue to grow unless the cards themselves can be compromised technically on an industrial scale, which we consider to be unlikely in the period of this assessment.

However, there remain serious risks on the horizon. One is the risk arising from mobile phone and tablet banking. Dynamic and spoofed IP addresses make user-reported IP addresses ineffective for identifying devices. Mobile devices frequently change location, and their locations may not match addresses of record. Mobile emulators allow devices to represent themselves with false operating systems.

Another major risk is synthetic (i.e. made up) as contrasted with copied/stolen identities, used to commit fraud. European data protection rules do not allow credit reference agencies to use ‘problematic addresses’ to aggregate credit applications. Boarded-up pubs and residences can accumulate a large number of applications using artificially created data without disturbance by natural surveillance. There is increased chatter in Dark Web forums about techniques for synthetic ID creation, so it will spread. This may mean fewer problems for legitimate people, but commercial risks remain from first party fraud ‘bust outs’.

Child Sexual Exploitation Online

The most harmful forms of child sexual abuse imagery involve the exploitation of the children themselves. Much has been achieved by the aggregation of images internationally and by the cooperation of payment card services in cutting off opportunities. There is a tendency for the worst images to be exchanged in networking sites which are vetted by existing members, so they are not freely available. This will continue to be the case, as a form of criminal risk management from law enforcement, and the enforcement challenge is to gain access to and disrupt/destroy the networks.

Data Breaches

Data security is everybody’s business, but the periodic massive leakages of financially exploitable personal data and health data by insider compromise, by outsider hacking and by carelessness in throwing away both paper and electronic records remain an enduring feature, increasing public distrust and fear of both business and government. American surveys show that the public tend to blame retailers rather than bankers for data breaches, but despite high-profile sackings (at Target), there is a need for regularly reinforced messages to third party data holders and more managerial attention to data leak risks, though corrupt approaches from organised criminals require a different control strategy.

Attacks on Critical Infrastructure

Despite many scare stories, we have yet to see tangible evidence of wide-scale cyber-crime involving critical infrastructure. However, the potential for damage is high and so we believe it is vital that vigilance is maintained in this area. Many argue that critical infrastructure is likely to be more a target for nation states than criminals. But it is more a matter of when rather than if crimes emerge involving attacks on critical infrastructure. Critical infrastructure represents a relatively soft target in some cases and the tools are available, so it is difficult not to conclude that criminals will work out how to exploit this unfortunate combination.

Enablers

Social Networking

Social media is a fact of life and is considered by many as a fundamental human right. We do not see its demise in any foreseeable future. That being so, it will remain a very active attack vector for criminals. New variants of phishing attacks via social media are inevitable in our view, and law enforcement will have an increasing battle to keep up with this threat. As more people use social media (and that increase shows no sign of slowing) the scale of the issue for law enforcement can only get larger.

Virtual Currencies

The suspicions about why virtual currencies need to exist have only been heightened with the emergence of new forms of the currencies. Bitcoin and other similar currencies that offer pseudo-anonymity raised considerable concern as they could be used for criminal transactions and ultimately exchanged for national fiat currencies through exchanges. As a result, law enforcement have had a considerable challenge in tracking such transactions or even identifying activities such as money laundering. We feel it should concern everyone that the latest cyber currencies are intended to be truly anonymous and to facilitate anonymous transactions. We face a situation where law enforcement may be completely unable to trace even very large criminal transactions.

Big Data

The tools that are emerging for use in deriving information from unstructured data gathered from around the Internet are impressive. However, as with all tools there is scope for misuse: subverting the original purpose to, for example, profile potential victims or to commit identity fraud. Law enforcement agencies will have little choice but to deal with the consequences of this. The onus can no longer be put on individuals to protect their data as it may have been given away piecemeal and reconstituted by criminals using Big Data tools. We must all assume that data that would previously have been thought personal and sensitive by the way in which it is combined can now be formed from storage of component data none of us intended to be used in the way criminals will now do. If nothing else, we expect the trade in personal data on the Darknet to increase even without the large single data breaches that continue to occur despite bad publicity, regulatory sanctions and the costs of remediation.

The Internet of Everything

The IoE is inevitable. We must expect a rapidly growing number of devices to be rendered “smart” and thence to become interconnected. Unfortunately, we feel that it is equally inevitable that many of these devices will leave vulnerabilities via which access to networks can be gained by criminals. History suggests that as new types of devices become connected to the Internet, security can take some time to mature. This is exactly what has happened with mobile phones. The IoE represents a whole new attack vector that we believe criminals will already be looking for ways to exploit.

Cloud Services

The falling price, global distribution and relative anonymity of cloud services mean that criminals are bound to see them as a good platform for mounting criminal activity. We feel that the law enforcement agencies must assume that cloud will form an increasingly large part of future criminal activity, ranging from acting as command and control platforms for distributing and exploiting malware, right through to acting as a “back office” IT in all manner of technology-enabled crimes. This means that law enforcement agencies will have to cooperate globally if they are to stand any chance of both preventing crime and bringing the guilty to justice.

Tor and other anonymizing tools and services

There is a seemingly insatiable desire for anonymity amongst the population as a whole. It is considered synonymous with privacy. Whilst we believe that some technologies that are considered to provide anonymity will soon be shown to be vulnerable to tracing, we believe this will drive a burgeoning number of anonymisation tools and services. The law enforcement agencies cannot hope to prevent these technologies being used as they have legitimate uses. Therefore, we feel that law enforcement agencies will need to put in place programmes for studying these emerging technologies in order to find means of countering their use by criminals. This “arms race” is expensive and so it is an obvious candidate for multi-national collaboration, and the establishment of centres of excellence.

Emerging and Future Developments

Increase in targeted and more sophisticated attacks, including cyber espionage

Extortion/Ransomware

Internet of Everything

Data Breaches

Reflection attacks

Reflection attacks, particularly against choke points on the Internet such as Internet Exchanges, can be expected. Having seen DDoS attacks mounted using appropriately configured DNS servers and now NTP servers, we can suspect that criminals will find ways of exploiting other UDP-based protocols to increase the volumes they can use in attacking the infrastructure of any organisation, disrupting their function.

Anti-Forensics and Anonymisation technologies

Increased use of anti-forensic software and anonymising technologies; Tor, with its fixed, known exit nodes, loses favour with criminals who will switch to P2P-based anonymisation, e.g. I2P. Post Snowden, we will see other anonymising technologies being developed for laudable purposes, but these will be rapidly enlisted by criminals to hide their tracks. Despite recent reports about the vulnerability of anonymous communication technology, law enforcement does not yet have the full toolset (both technical and legal) to identify offenders using such technology.

State involvement

State involvement in the commission of crimes, such as attacks against computer systems or espionage, is an increasing challenge for law enforcement agencies, as “regular” offenders and state actors operate in different environments, and different legal regimes might apply. There will continue to be controversies over the attribution of criminal acts to state, to state-sponsored, and to state-tolerated actors.