Significant progress in the fight against cybercrime has been made in recent years and this needs to be recognised and highlighted. To put the positive change into better perspective, it’s helpful to look back five or ten years and reflect on what the finance sector faced at the time. The Russian Business Network (RBN) was the famous bulletproof hoster, and early banking Trojans such as WSNPoem/Zeus and Sinowal/Torpig stunned the European banking industry with their high success rates. For many European banks these were their first encounters with complex targeted online banking Trojans. This wave of cybercriminal activity came unexpectedly and thrust a number of changes into motion. The seeds of intelligence sharing communities were planted, and banks began to collaborate amongst themselves and with law enforcement. Nearly a decade later, many positive changes across various industries have impacted cybercriminal activity.
Significant positive change has happened amongst ISPs and hosters. Often a phone call or email to an abuse@ email address will result in fast takedown of phishing sites, drive-by malware, or fraudulent email accounts. This is in contrast to a decade ago, when such takedowns were more difficult, often requiring a formal legal process.
Tech companies are becoming proactive against crime, with more collaborative investigations and takedowns together with law enforcement. Europol’s EC3 is a prime example, with numerous botnet takedowns executed together with Microsoft and other tech companies in recent years. These voluntary acts of collaboration didn't happen as easily in the past.
Tech companies are taking more responsibility for the security of their products. Platforms are becoming locked down by default with a trend towards controlled app stores for software distribution.
Providers are taking more responsibility for the security and health of their own networks and services. ISPs are actively detecting and filtering DDoS attacks, implementing standards such as BCP38 to reduce IP spoofing, and detecting fraudulent logins and other malicious activity.
Financial institutions have made many positive changes to combat criminal activity with payments and funds transfers. They are sharing more threat intelligence information between themselves, with law enforcement, and with tech industry partners. A number of inter-bank information sharing communities exist today. Some operate at a regional level within a country, others operate at an international level. Banks still need to be conscious of what they can legally share within their regulatory framework, and regulators and legislators are working to make changes that improve the ability to share information to protect clients and citizens.
Many of the current intelligence sharing groups started out of necessity, or grew out of early industry crisis meetings. The focus was to protect customers, help banks detect and stop fraudulent activity, and to help law enforcement obtain the evidence needed for the successful arrest and prosecution of criminals.
Another positive change across the finance industry has been a trend towards two-factor authentication (2FA) or additional authentication for unusual payments. Banks are detecting anomalies indicative of malware infection or fraud and reaching out to inform clients. A decade ago, banks did not consider this to be within their scope of responsibility.
Among banking staff, there is an increased awareness and understanding of criminal activity. Client relationship managers are more vigilant and suspicious of activity. They are challenging suspicious payments, and reconfirming payment orders received through less secure channels.
A number of positive changes have been happening within government and law enforcement. Locally and internationally, law enforcement agencies are finding new ways to efficiently collaborate on investigations involving the internet across borders and jurisdictions. Agencies are not relying solely on formal processes like MLATs to exchange intelligence information. An excellent example of international law enforcement collaboration is the EC3 J-CAT initiative which brings multiple agencies together in a single location with the purpose of investigating transnational cybercrimes.
There has also been significant change in the engagement with the private sector to share information and collaborate with private industry organisations. A good example is Europol's private sector Advisory Groups in Finance and Technology. Law enforcement have also gained a better understanding of private sector industries. They know what questions to ask, what data to request, and who to approach to best support ongoing investigations. They have a better understanding of technical capabilities available within the private sector, and how those capabilities can be leveraged to fight crime.
More cybercrime-related arrests are being made now than at any other point in the history of the internet. Publicity surrounding arrested cybercriminals has a strong deterrent effect. People participating in cybercriminal activities perceive a higher risk. Public awareness of successful arrests helps to reduce the number of criminals willing to take this risk. Compare this to a decade ago, when the risk of getting caught for internet-based crime was perceived as low.
Public-private partnerships (PPPs) have also proliferated in the past decade. Governmental CERTs dedicated to assisting the private sector with cyber-related problems have appeared. Some countries have even created dedicated "FinCerts" or financial CERTs which focus on finance sector issues. These public-private interfaces facilitate intelligence sharing and collaboration.
The general public has also made positive progress in the past decade. People are more aware of the risks online and more suspicious of activity. Online fraud, social engineering, theft, and impersonation are better understood by the public today. There is improved recognition of phishing sites, spam mails, and scams.
There is more concern and interest in security and privacy. The public expects companies and suppliers to protect their personal data. The public is taking more steps to protect their own privacy online, managing the security of their electronic devices, and teaching children about online risks.
Media coverage of issues has also changed. Information about malicious attacks and new risks is actively and prominently published by the media. Banks, governmental CERTs, law enforcement, and industry can easily approach the media to issue warnings through the press. Social media channels facilitate rapid dissemination of threat information to the public.
The criminals themselves have also been changing. They have become more industrialised, forming an underground economy. They specialise in different services such as recruiting money mules, distributing malware, maintaining botnets, etc., and sell these services to other criminals. The technical expertise needed is decreasing as criminals move to a "Crime-as-a-Service" model, where cybercriminal activity is easier to execute, and support from the seller is provided.
The cost and complexity to develop and deploy malware has created more interest in social engineering attacks. Social engineering is simpler and often just as effective as technical exploitation. Consider the recent wave of business email compromise (BEC) and CEO fraud attacks targeting businesses, or the fake support phone calls and vishing attacks that target the public.
There is also an increased use of stolen data circulating in the Darknet or on data leak sites. This data contains credentials which can be used to gain unauthorised access to accounts such as email, online stores, social media sites, bank accounts, and other user accounts.
The positive changes outlined above have helped to slow (or even reduce) the growth of cybercriminal activity in many areas. For example, many banks have seen a decrease in banking Trojans and phishing attacks compared to half a decade ago. This decrease in activity is partly due to the combination of positive changes described in this appendix.
However, we cannot let these positive changes make us complacent in our fight against crime. Criminals are creative and always finding new ways to commit crimes. The global crime fighting community needs to evolve together with the criminals to keep society safe.
The amount of criminal activity can often seem overwhelming, and it sometimes feels like we are losing the battle. But remember how things were five or ten years ago, and how far we have come since then. A lot of amazing work has been done and has had a very positive effect. We need to keep making positive changes - it makes a difference.