IOCTA 2015

The 2015 Internet Organised Crime Threat Assessment (IOCTA) shows that cybercrime is becoming more aggressive and confrontational. While certain elements of cybercrime such as social engineering have always had an element of interaction between victim and attacker, such contact would typically be of a passive, persuasive nature; otherwise cybercriminals were content to stealthily steal what they wanted with confrontation actively avoided. Today, however, cybercrime is becoming increasingly hostile. Instead of subterfuge and covertness, there is a growing trend of aggression in many cyber-attacks, and in particular the use of extortion, whether it is through sexual extortion, ransomware or by Distributed Denial of Service (DDoS) attacks. This boosts the psychological impact of fear and uncertainty it has on its victims. Whilst the cautious, stealthy approach goes with the stereotype of the uncertain, geeky hacker, the aggressive, confrontational approach of putting blunt pressure on individuals and businesses bears the signature of organised crime.

Cybercrime remains a growth industry. The Crime-as-a-Service (CaaS) business model, which grants easy access to criminal products and services, enables a broad base of unskilled, entry-level cybercriminals to launch attacks of a scale and scope disproportionate to their technical capability and asymmetric in terms of risks, costs and profits.

The sphere of cybercrime encompasses an extremely diverse range of criminality. In the context of ‘pure’ cybercrime, malware predictably persists as a key threat. As projected in the 2014 IOCTA, ransomware attacks, particularly those incorporating encryption, have grown in terms of scale and impact and almost unanimously represent one of the primary threats encountered by EU businesses and citizens as reported by law enforcement (LE). Information stealing malware, such as banking Trojans, and the criminal use of Remote Access Tools (RATs) also feature heavily in law enforcement investigations.

Banking malware remains a common threat for citizens and the financial sector alike, whilst generating sizeable profits for cybercriminals. A coordinated effort between law enforcement, the financial sector and the Internet security industry will be required in order to effectively tackle this problem. This will necessitate better sharing of banking malware samples and criminal intelligence, particularly relating to enabling factors such as money mules.

The media commonly referred to 2014 as the "Year of the data breach", with record numbers of network attacks recorded. Although this undoubtedly represents an actual increase in attacks, it also signifies a change in attitude by victim organisations. The perception of how an organisation handles a breach - which today is considered inevitable - is crucial. This has led to greater publicity and more frequent involvement of law enforcement in such attacks. Nonetheless, it is evident that data has become a key target and commodity for cybercrime.

Notably, there is blurring of the lines between Advanced Persistent Threat (APT) groups and profit-driven cybercriminals with both camps borrowing tools, techniques and methodologies from each other's portfolios.

While it is possible for organisations to invest in technological means to protect themselves, the human element will always remain an unpredictable variable and a potential vulnerability. As such, social engineering is a common and effective tool used for anything from complex multi-stage attacks to fraud. Indeed, CEO fraud - where the attackers conduct detailed research on selected victims and their behaviour before initiating the scam - presents itself as a prominent emerging threat which can result in large losses for those affected.

Child sexual exploitation (CSE) online poses major concerns in several respects. Hidden services within the Darknet are used as a platform for the distribution of child abuse material (CAM). The nature of these services drives the abuse of new victims because the production of fresh material is demanded for membership on child abuse forums and it reinforces the status of the contributors. These offences will require more intensive cooperation and capacity building in jurisdictions where they occur. Law enforcement must focus on identifying and dismantling these communities and forums in which offenders congregate. The identification and rescue of victims must also be paramount.

The apparent proliferation of self-generated indecent material (SGIM) can be attributed to the increased availability of mobile devices and their ease of use in producing such content and communicating it to others. Photos and videos of this nature that are initially shared with innocent intent often find their way to those who collect this material or intend to further exploit the victim, in particular by means of extortion. The volume of SGIM and the rate of its growth represents a serious challenge for LE.

The live streaming of child abuse may grow, fuelled by increasing broadband coverage in developing countries. Commercial streaming is expected to become more prolific as streaming tools incorporating anonymous payment mechanisms are adopted by offenders. This development further reinforces the necessity for closer cooperation and enhanced capacity building within the international law enforcement community.

Furthermore, child abuse offenders are facilitated by many of the same services and products as mainstream cybercriminals including encryption, anonymisation and anti-forensic tools. Use of these methods among offenders is no longer the exception but the norm. Increasing abuse of remote storage facilities and virtual currencies was also observed last year and has continued to grow since.

Card-not-present (CNP) fraud grows steadily as compromised card details stemming from data breaches, social engineering attacks and data stealing malware become more readily available. The push towards CNP fraud is further driven by the effective implementation of measures against card-present fraud such as EMV (chip and PIN), anti-skimming ATM slots and geoblocking. This trend is only likely to increase as the USA, a primary cash-out destination for compromised EU cards, will implement EMV technology as of October 2015.

It is a common axiom that technology, and cybercrime with it, develops so fast that law enforcement cannot keep up. Whilst this may be true in some respects, the vast majority of cybercrimes consist of using vulnerabilities that have been well known for quite a while. It is the lack of digital hygiene of citizens and businesses that provides fertile ground for the profitable CaaS market of reselling proven exploit kits to the expanding army of non-tech-savvy cybercriminals. Ingenuity often only extends to finding new ways to use or implement such tools and methods. The scope and pace of true innovation within the digital underground is therefore more limited than many may believe. Furthermore, a key driver of innovation within cybercrime may be law enforcement itself. Every law enforcement success provides impetus for criminals to innovate and target harden with the aim of preventing or mitigating further detection and disruption of their activities.

That said, where genuine innovation exists in technology, criminals will rapidly seek ways to exploit it for criminal gain. Developing technologies such as Darknets, the Internet of Things, artificial intelligence, and blockchain technology all provide new attack vectors and opportunities for cybercrime, often combined with existing tools and techniques such as steganography.

The attention of industry is not yet fully focused on cyber security or privacy-by-design. Many of the so-called smart devices are actually quite dumb when it comes to their security posture, being unaware of the fact that they are part of a botnet or being used for criminal attacks. The Simple Service Discovery Protocol (SSDP), which is enabled by default on millions of Internet devices using the Universal Plug and Play (UPnP) protocol including routers, webcams, smart TVs or printers, became the leading DDoS amplification attack vector in the first quarter of 2015.
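As an added illustration of the SSDP amplification problem from the network owner's side (this is example code, not part of the IOCTA report), the following script runs a simple detection over constructed flow records: a device that answers from UDP/1900 toward a non-RFC 1918 address with far more bytes than it received is behaving as an amplification reflector. The flow tuple layout, the sample addresses and the thresholds are assumptions for the example.

```python
"""Detect SSDP (UDP/1900) amplification reflectors in flow records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src, sport, dst, dport, proto, bytes, packets).
# Not real traffic. A spoofed M-SEARCH "request" is ~100 bytes; the reflector's
# answer burst to the (spoofed) victim address is often 30x larger.
SAMPLE_FLOWS = [
    ("198.51.100.7", 1900, "203.0.113.20", 80, "udp", 3100, 9),    # reflector -> victim
    ("203.0.113.20", 80, "198.51.100.7", 1900, "udp", 98, 1),      # spoofed request
    ("198.51.100.8", 1900, "203.0.113.20", 80, "udp", 2950, 8),
    ("203.0.113.20", 80, "198.51.100.8", 1900, "udp", 98, 1),
    ("192.168.1.10", 1900, "192.168.1.55", 50123, "udp", 420, 2),  # normal LAN discovery
    ("192.168.1.55", 50123, "192.168.1.10", 1900, "udp", 130, 1),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for RFC 1918 addresses, where SSDP discovery traffic is legitimate."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def ssdp_amplifiers(flows, min_ratio=10.0, min_bytes=1000):
    """Return {reflector: {"victim", "sent", "recv", "ratio"}} for hosts that
    answer from UDP/1900 toward non-RFC 1918 addresses with a bytes-out to
    bytes-in ratio of at least min_ratio (an amplification signature)."""
    sent = defaultdict(int)  # (reflector, peer) -> bytes leaving port 1900
    recv = defaultdict(int)  # (reflector, peer) -> bytes arriving at port 1900
    for src, sport, dst, dport, proto, nbytes, _ in flows:
        if proto != "udp":
            continue
        if sport == 1900:
            sent[(src, dst)] += nbytes
        elif dport == 1900:
            recv[(dst, src)] += nbytes
    flagged = {}
    for (reflector, peer), out_bytes in sent.items():
        if is_rfc1918(peer) or out_bytes < min_bytes:
            continue  # LAN discovery, or too little traffic to matter
        in_bytes = recv.get((reflector, peer), 0)
        ratio = out_bytes / max(in_bytes, 1)
        if ratio >= min_ratio:
            flagged[reflector] = {"victim": peer, "sent": out_bytes,
                                  "recv": in_bytes, "ratio": ratio}
    return flagged
```

A flagged device is a candidate for having SSDP/UPnP disabled on its WAN interface, or for filtering UDP/1900 at the network edge; the LAN discovery flows are left alone because that is where SSDP is meant to run.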

The response of law enforcement has produced several successes in the fight against cybercrime. Strong elements in the approach taken are the increasing level of international cooperation between main cybercrime divisions within the EU and with those of non-EU partners. The alignment of priorities under the operational actions of EMPACT and the establishment of the Joint Cybercrime Action Taskforce (J-CAT) have clearly contributed to that. The close involvement of private sector partners, especially in the Internet security industry and among financial institutions, has also helped to get a better grip on cybercrime.

Tactically, some consideration should be given to the investigative focus and approach to increase the effectiveness of operational activities even further. Merely trying to investigate what gets reported is unlikely to lead to the best results. It is important to identify the different components and facilitating factors to understand with which tactics specific types of crime can be addressed most effectively. The key enablers of the pertinent threats reported by EU law enforcement that are deemed most important to take out by means of criminal investigations are bulletproof hosting, criminal expert forums, malware distribution through botnets, CaaS vending sites, counter-anti-virus services and carding sites. Financial facilitation through the criminal use of Bitcoins, laundering services and money mules also deserves priority. To the extent possible and realistic, the focus should primarily be on the arrest of key perpetrators and organised crime groups (OCGs). Yet such an approach should be complemented by dismantling, awareness raising, prevention, dissuasion and asset recovery.

The main investigative challenges for law enforcement are common to all areas of cybercrime: attribution, anonymisation, encryption and jurisdiction. Even cybercriminals with minimal operational security awareness can pose a challenge in terms of attribution due to the range of easily accessible products and services that obfuscate their activity and identity. These include the abuse of privacy networks like I2P and The Onion Router (Tor) for communications and trade, and virtual currencies for criminal transactions. Effective investigations require an increasing volume of digitised data and yet law enforcement often faces inadequate data retention periods and regulations. Encryption is increasingly used to safeguard communications and stored data but also to frustrate forensic analysis and criminal investigations. Cybercriminals continue to operate from - or house infrastructure in - jurisdictions where EU law enforcement lacks adequate basis for support.