IOCTA 2016

  • Cryptoware (encrypting ransomware) has become the most prominent malware threat, overshadowing data stealing malware and banking Trojans. With cryptoware becoming a key threat for citizens and enterprises alike, law enforcement and the internet security industry have responded rapidly and in concert, with prevention and awareness campaigns and technical support, and operations targeting the criminal groups and infrastructure involved.
  • As mobile devices increasingly operate less as simple phones and more as mobile computers, the nature and complexity of malware attacking mobile devices and the methods of infecting those devices are beginning to more closely mirror those of ‘conventional’ desktop malware.
  • There is a notable difference in the malware threat landscape as perceived by both law enforcement and the financial sector on one side, and the internet security industry on the other, with each encountering different ends of the attack chain. Law enforcement largely encounters the ‘payload’ malware, which results in actual damage or financial loss, whereas the internet security industry has greater awareness of ‘upstream’ malware threats, such as droppers and exploit kits that enable such attacks to occur.
  • Following grooming or social engineering, victims of child sexual exploitation are increasingly subjected to coercion and extortion. Offenders apply this influence to obtain further child abuse material, financial gain or physical access to the victim.
  • While peer-to-peer (P2P) networks continue to represent a popular platform for the exchange of child sexual exploitation material (CSEM), a growing number of Darknet forums facilitating the exchange of CSEM, coupled with the ease of access to these networks, is leading to an increase in the volume of material being exchanged on the Darknet.
  • The use of end-to-end encrypted platforms for sharing media, coupled with the use of largely anonymous payment systems, is facilitating an escalation in the live streaming of child abuse. Offenders target regions where there are high levels of poverty, limited domestic child protection measures and easy access to children.
  • EMV (chip and PIN), geoblocking and other industry measures continue to erode card-present fraud within the EU, forcing criminals to migrate ‘cash out’ operations to other regions, mainly the Americas and South East Asia. Meanwhile, logical and malware attacks directly against ATMs continue to evolve and proliferate.
  • The proportion of card fraud attributed to card-not-present (CNP) transactions continues to grow. Levels of fraud have increased across almost all sectors, with the purchases of physical goods, airline tickets, car rentals and accommodation causing the heaviest losses.
  • There are indications that organised crime groups (OCGs) are starting to manipulate or compromise payments involving contactless (NFC) cards. This demonstrates how quickly criminals can adapt to and abuse emerging technologies.
  • An increase in targeted phishing aimed at high value targets was reported by law enforcement and the private sector alike. A rise in the quality and apparent authenticity of phishing campaigns was also observed, making them increasingly difficult to tell apart from genuine communication.
  • A refined variant of spear phishing, CEO fraud, has evolved into a key threat as a growing number of businesses are targeted by organised groups of professional fraudsters. Successful CEO frauds often result in significant losses for the targeted companies.
  • DDoS attacks continue to grow in intensity and complexity, with many attacks blending network and application layer attacks. Booters/stressers are readily available “as-a-service”, accounting for an increasing number of DDoS attacks.
  • Companies that store financial credentials remain a key target for financially motivated cybercriminals carrying out network attacks and data breaches. As such, the accommodation and retail sectors are common targets. There is, however, a growing trend in the compromise of further data types for other purposes, such as medical records. This additionally highlights a need for such businesses to store data in an encrypted format.
  • Data remains a key commodity for cybercriminals; however, data is no longer procured solely for immediate financial gain. Increasingly it is acquired for the furtherance of more complex fraud, encrypted for ransom, or used directly for extortion. In the case of intellectual property, the illegal acquisition of this data can reflect the loss of years of research and substantial investment by the victim.
  • For criminal-to-criminal (C2C) payments, payment systems which ensure that both parties can maintain a high level of anonymity are preferred, with Bitcoin being the payment system of choice for many C2C transactions. Bitcoin has also become the standard solution for extortion payments, whether as a consequence of ransomware or DDoS attacks.
  • Cybercriminals use whatever communication method they deem to be the most convenient and/or that which they perceive to be sufficiently secure. The communication channels used by any particular cybercriminal may be indicative of their level of sophistication, and range from simple email to end-to-end encrypted channels such as Jabber. Forums within either the deep web or Darknet remain an important communication platform for criminals.
  • The use of encryption by criminals to protect their communications or stored data represents a considerable challenge for law enforcement, denying access to essential intelligence and evidence. This is a cross-cutting issue that affects all crime areas. The growing regularity of native encryption on mobile devices compounds this problem.
  • While law enforcement strives to disrupt criminal forums and marketplaces on the Darknet, the natural volatility of these hidden services acts as an internal control. In 2015/2016 a number of high profile markets either closed down or were abandoned as their administrators exited with their customers’ money. Such activity has the additional disruptive effect of spreading distrust and uncertainty throughout the community.
  • The extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited. While such factions make extensive use of the internet, particularly social media, for the purposes of recruitment, propaganda and incitement, there is currently little evidence to suggest that their cyber-attack capability extends beyond common website defacement. The availability of cybercrime tools and services, and of illicit commodities (including firearms), on the Darknet provides ample opportunity for this situation to change.