Executive summary

The 2017 Internet Organised Crime Threat Assessment (IOCTA) reports how cybercrime continues to grow and evolve. While many aspects of cybercrime are firmly established, other areas of cybercrime have witnessed a striking upsurge in activity, including attacks of unprecedented scale, as cybercrime continues to take new forms and new directions. A handful of cyber-attacks have caused widespread public concern but only represented a small sample of the wide array of cyber threats now faced.

Because of the similar tools and techniques used, it is sometimes difficult to attribute cyber-attacks to a particular type of group, for example to distinguish financially motivated cybercriminals from Advanced Persistent Threat (APT) groups. Some of the reported cyber-attacks from mid-2017 illustrate this trend. For genuinely financially motivated attacks, extortion remains a common tactic, with ransomware and Distributed Denial of Service (DDoS) attacks remaining priorities for EU law enforcement.

Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating ‘ransomworms’, as observed in the WannaCry and Petya/NotPetya cases. Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile. Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.

The extent of this threat becomes more apparent when considering attacks on critical infrastructure. Previous reports have focused on worst-case scenarios, such as attacks on systems in power plants and heavy industry. However, it is clear that a greater variety of critical infrastructures are more vulnerable to ‘every-day’ cyber-attacks, highlighting the need for a coordinated EU law enforcement and cross-sector response to major cyber-attacks on critical infrastructure.

Law enforcement and industry action has led to a decline in the use of exploit kits. This has resulted in a shift towards alternative malware delivery methods, including spam botnets and social engineering. Along with technical attacks, social engineering techniques have become an essential tactic for the commission of many, often complex, cyber-dependent and cyber-facilitated crimes, including payment fraud and online child sexual exploitation.

The success of such attacks is demonstrated by the trend of large-scale data breaches. In a 12-month period, breaches relating to the disclosure of over 2 billion records were reported, all impacting EU citizens to some degree.

Previous reports have highlighted the potential for the abuse of insecure Internet of Things (IoT) devices. By the end of 2016 we had witnessed the first massive attack originating from such devices, as the Mirai malware transformed around 150 000 routers and CCTV cameras into a DDoS botnet. This botnet was responsible for a number of high-profile attacks, including one that severely disrupted internet infrastructure on the west coast of the United States (US).

The vast majority of child sexual exploitation material (CSEM) is still produced by hands-on offenders. Adding to this, however, is an increasing volume of self-generated explicit material (SGEM), which is either produced innocently, or as a result of the sexual coercion and extortion of minors. Offenders are increasingly using the Darknet to store and share material, and to form closed communities.

Card-not-present (CNP) fraud continues to dominate fraud related to non-cash payments, impacting heavily on the retail sector. Airline ticket fraud continues to have significant impact across the EU and facilitates a wide range of other crime types, from drug trafficking to illegal immigration. Card-present (CP) fraud accounts for a much smaller portion of non-cash payment fraud, yet the number of reported cases has reached record numbers. The US and Southeast Asia are still key locations for cashing-out compromised EU cards. The number of criminal groups specialising in direct, complex attacks on ATMs and banks is also increasing, resulting in dramatic losses for the victims.

A growing amount of illicit trade now has an online component, meaning that cybercrime investigative capabilities are increasingly in demand in all serious organised crime investigations. Darknet markets remain a key cross-cutting enabler for other crime areas, providing access to, amongst other things, compromised financial data to commit various types of payment fraud, firearms, and counterfeit documents to facilitate fraud, trafficking in human beings and illegal immigration. Compared to more established Darknet market commodities, such as drugs, the availability of cybercrime tools and services on the Darknet appears to be growing more rapidly.

Cryptocurrencies continue to be exploited by cybercriminals, with Bitcoin being the currency of choice in criminal markets, and as payment for cyber-related extortion attempts, such as from ransomware or a DDoS attack. However, other cryptocurrencies such as Monero, Ethereum and Zcash are gaining popularity within the digital underground.

Law enforcement is witnessing a transition into the use of secure apps and other services by criminals across all crime areas. The majority of the apps used are the everyday brand names popular with the general population.

A combination of legislative and technical factors that deny law enforcement access to timely and accurate electronic communications data and digital forensic opportunities, such as a lack of data retention, the implementation of Carrier-Grade Network Address Translation (CGN) and the criminal abuse of encryption, is leading to a loss of both investigative leads and the ability to effectively attribute and prosecute online criminal activity. Such issues require a coordinated and harmonised effort by law enforcement, policy makers, legislators, academia, civil society and training providers to tackle them effectively.

Despite the constant growth and evolution of cybercrime, joint cross-border law enforcement actions in cooperation with the private sector and other relevant EU and international partners against the key cyber threats have resulted in some significant successes, supported by effective prevention and disruption activities.

It is clear that continued, close cooperation with the private sector is essential to combat cybercrime in an agile, proactive and coordinated manner, with a comprehensive and up-to-date information posture at its heart. The IOCTA also highlights how adequate training of the public and employees to recognise and react appropriately to social engineering would have a significant impact on a wide range of cyber-attacks.