EAST EGAP holds 15th Meeting

The 15th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 3rd March 2021.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Graham Mott of  the LINK Scheme.

The meeting was attended by 54 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.

  • Europol gave a central assessment of the ATM physical attack situation in Europe.
  • The ECB gave an update on the latest bank notes in circulation, cash usage statistics, and Intelligent Banknote Neutralisation Systems (IBNS) used in the Euro area.
  • National Threat Assessments were shared by representatives from 17 countries:
CountryUpdate(s) Given By
AustriaCriminal Intelligence Service
BrazilTecBan
FinlandAutomatia / National Bureau of Investigation
FranceGendarmerie - OCLDI
GermanyBKA
GreeceHellenic Police
HungaryNational Bureau of Investigation
IrelandAn Garda Siochana
ItalyMIB
LuxembourgService de Police Judiciare
NetherlandsNational Police
PolandNational Police HQ
PortugalPolicia Judiciare / Policia de Seguranca Publica
RomaniaRomanian Police - CID
SpainGuardia Civil / Autonomous Police of Catalonia
SwitzerlandFederal Office of Police (FEDPOL)
United KingdomSaferCash / West Midlands Police (ROCU)

Experts from the following organisations also particpated in the meeting:  ATM Safe, Barclays, Cennox, Diebold Nixdorf, Feerica S.A., Gunnebo, HSBC, Malta Police Force, NCR, Oberthur Cash Protection, Payment Services Austria (PSA), Petersen-Bach A/S, Professional Witnesses Group,  Spinnaker, Swedish Police, TMD Security.

EAST EGAP is a European specialist expert forum for discussion of ATM,  ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

SIM swapping gang taken down by Police

Ten hackers who stole over $100 million in cryptocurrencies from celebrities and influencers in SIM swapping attacks have been apprehended in an international operation co-ordinated by Europol.

Eight criminals were arrested on 9 February as a result of an international investigation into the series of attacks targeting high-profile victims in the United States. These arrests followed earlier ones in Malta and Belgium of other members belonging to the same criminal network.

The attacks orchestrated by the gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families.  The criminals are believed to have perpetrated the thefts after illegally gaining access to their phones.  The criminals worked together to access the victims’ phone numbers and take control of their apps or accounts by changing the passwords.  This enabled them to steal money, cryptocurrencies and personal information, including contacts synced with online accounts. They also hijacked social media accounts to post content and send messages masquerading as the victim.

SIM SWAPPING

SIM swapping fraud was identified as a rising trend in the latest Europol Internet Organised Crime Threat Assessment. Cybercriminals take over the use of a victim’s phone number by essentially deactivating their SIM and porting the allocated number over to a SIM belonging to a member of the criminal network.  This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques.

SIM swapping

DON’T BE THE NEXT VICTIM

It’s not just celebrities who are under attack.  Anyone with a mobile phone can fall victim to SIM swapping. The above image gives some tips as to how to protect yourself against the threat, and information can also be found on Europol’s dedicated page.

For more advice on how to protect your financial information from such a scam, watch the clip below.

The EAST Payments Task Force (EPTF) focusses on the security of payments and transactions, and SIM swapping falls within its remit.

3rd Interim EAST Meeting – National and Global Members

A third Interim Meeting of EAST National and Global Members took place on Wednesday 10th February 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Martine Hemmerijckx from Worldline.

Law enforcement overviews were provided by Europol and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries – it focussed on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim).

Updates were received from 26 countries, either directly or via a global update by Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, is the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 1-2021 will be produced during March, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 9th June 2021, will also be a virtual Interim meeting.  The 1st EAST Global Congress is now scheduled to be held in October 2021, dependant on the prevailing status of the Covid-19 pandemic.

International operation takes down EMOTET Malware

Law enforcement and judicial authorities have gained control of the EMOTET infrastructure and taken it down from the inside in an international coordinated action.  Authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine too part, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

The EMOTET infrastructure involved several hundred servers across the world, all of which had different functionalities – this allowed the criminals to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts. An effective international operational strategy resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.  This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.

ABOUT EMOTET

EMOTET has been one of the most professional and long lasting cybercrime services out there and is one of the most dangerous malware types. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware.

Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments.  A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19.  All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.

What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer. This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.  Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.

OVERVIEW

EMOTET

For more information on the operation, and on how protect yourself against loaders, visit Europol’s website.

 

EAST EGAF holds 22nd Meeting

The 22nd Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 20th January 2021.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Otto de Jong of ING Bank.

The meeting was attended by 29 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Presentations were made by EuropolINTERPOL, BKA, Diebold Nixdorf, Fiducia & GAD, and the MCMA.

Experts from the following organisations also contributed to the meeting:  AXEPTA – BNP Paribas, Bits A/S, BVK, Cardtronics, Cennox,  Damage Control, Dutch Payments Association, Group-IB, GMV, Mastercard, NatWest Group, NCR, PSA, KAL, TietoEVRY, TMD Security, and TrendMicro.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 256 EAST Fraud Alerts have been issued as can be seen in the table below.

DarkMarket taken down in international police operation

DarkMarket, the world’s largest illegal marketplace on the dark web, has been taken offline in an international operation led by German police.  As well as Germany, law enforcement agencies from Australia, Denmark, Moldova, Ukraine, the United Kingdom (National Crime Agency), and the USA (DEA, FBI, and IRS) were involved. Europol supported the takedown with specialist operational analysis and coordinated the cross-border collaborative effort of the countries involved.

The Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian citizen (the alleged operator of DarkMarket) near the German-Danish border over the weekend of 9/10 January 2020. The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, supported by the German Federal Criminal Police office (BKA), allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine. The stored data will give investigators new leads to further investigate moderators, sellers, and buyers.

The DarkMarket vendors mainly traded all kinds of drugs and sold counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.

DARKMARKET IN FIGURES:

  • almost 500,000 users;
  • more than 2,400 sellers;
  • over 320,000 transactions;
  • more than 4,650 bitcoin and 12,800 monero transferred (at the current rate, this corresponds to a sum of more than €140 million).

PUBLIC-PRIVATE SECTOR COOPERATION

Europol’s European Cybercrime Centre (EC3) has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy.  This team focusses on:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets.

The EAST Payments Task Force and the EAST Expert Group on All Terminal Fraud work closely with Europol and other law enforcement agencies (national, regional and global).  EAST Global and National Members focus on the reporting of payment and terminal fraud (fraud types, fraud origins and due diligence), for the gathering, collation and dissemination of related information, trends and general statistics across all geographies.

EAST and FS-ISAC Join Forces to Help Combat Fraud with Cyber Threat Intelligence

Expanded partnership to protect and defend European payments infrastructure

EAST, and FS-ISAC have signed a Memorandum of Understanding (MOU) strengthening their sharing of secure payment-related intelligence to battle fraud.

In 2020, average monthly fraud cases reported by FS-ISAC members have increased by 82%.  The latest EAST European Payment Terminal Crime Report, covering the first six months of 2020, reported a 269% increase in ATM malware and logical attacks.  As fraud attempts have skyrocketed during the pandemic and digitization of financial services reaches a point of no return, it is critical for anti-fraud efforts and cybersecurity teams to work together more closely moving forward.

Specifically, the partnership strengthens:

  • operational intelligence sharing
  • anti-fraud and cybercrime prevention initiatives
  • malware analysis
  • strategic partnerships

“The current pandemic has accelerated changes taking place in the financial landscape,” said Lachlan Gunn, EAST Executive Director.  “Financially motivated cybercriminals targeting banks and other financial institutions have reacted accordingly and increasing our collaboration with FS-ISAC is an important step forward in the sharing of intelligence for the industry in Europe and beyond.”

“Accelerated global digitalisation combined with the growing sophistication of cybercriminals demands more sharing and collaboration in the financial sector, both regionally and globally,” said Lucie Usher, Intelligence Officer for EMEA at FS-ISAC.  “This strengthened collaboration between FS-ISAC and EAST will further enable intelligence sharing to better safeguard the European global financial system.”

The partnership was formalised in November during the 3rd EU Financial Cybercrime Coalition (EUFCC) meeting hosted by Europol and FS-ISAC.

ABOUT EAST

The European Association for Secure Transactions (EAST) was formed in 2004 and its remit covers both Terminal Security and Payment Security.  EAST has set up an international network to help improve public/private sector cross-border cooperation in the fight against organised cross-border crime.  Connect with EAST on LinkedIn, follow EAST on Facebook, or talk to EAST on Twitter.

ABOUT FS-ISAC

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is the only global cyber intelligence sharing community solely focused on financial services.  Serving financial institutions and in turn their customers, the organisation leverages its intelligence platform, resiliency resources, and a trusted peer-to-peer network of experts to anticipate, mitigate and respond to cyber threats.  Headquartered in United States, the organisation has offices in the United Kingdom and Singapore, and members in more than 70 countries.  To learn more, visit www.fsisac.com. To get clarity and perspective on the future of finance, data and cybersecurity from top C-level executives around the world, visit FS-ISAC Insights.

 

Carding Action by Police prevents €40 million in losses

EFECCCarding Action 2020, an operation led by law enforcement agencies from Italy and Hungary and supported by the UK and Europol, targeted fraudsters selling and purchasing compromised card details on websites selling stolen credit card data, known as ‘card shops’, and ‘dark web marketplaces’.

The operation sought to mitigate and prevent losses for financial institutions and cardholders. Group-IB and card schemes worked in close cooperation with police authorities from the countries involved. During the three-month operation, 90,000 pieces of card data were analysed and prevented approximately €40 million in losses.

Europol facilitated the coordination and the information exchange between law enforcement authorities and partners from the private sector. Europol’s experts provided operational analysis on large volumes of data and supported with expertise in the field of payment card fraud.

“Cybercrime can affect all aspects of our daily life, from paying in the supermarket, transferring money to our friends to using online communication tools or Internet of Things devices at home. Cybercriminals can attack us in different ways and this requires a robust response not only from law enforcement, but also from the private sector,” said Edvardas Sileris, Head of Europol’s European Cybercrime Centre (EC3). “With more than €40 million in losses prevented, Carding Action 2020 is a great example of how sharing information between private industries and law enforcement authorities is a key in combating the rising trend of e-skimming and preventing criminals from profiting on the back of EU citizens…..” he added.

The expansion of e-skimming attacks targeting merchant point of sale systems and e-commerce merchants also influenced the significant increase of prevented losses. As reported in Europol’s iOCTA 2020, card-not-present (CNP) fraud is a criminal threat in constant evolution, generating millions of euros of losses and affecting thousands of victims from across the EU.

The EAST Payments Task Force (EPTF) is a public-private sector platform that focusses on tackling the issues of e-skimming and payment fraud.

Cybercriminals will leverage AI as an attack vector and an attack surface

A jointly developed new report by Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro looking into current and predicted criminal uses of artificial intelligence (AI) has been released.  It provides law enforcers, policymakers and other organisations with information on existing and potential attacks leveraging AI and recommendations on how to mitigate these risks.

The report concludes that cybercriminals will leverage AI both as an attack vector and an attack surface.  Deep fakes are currently the best-known use of AI as an attack vector.  However, the report warns that new screening technology will be needed in the future to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets.

For example, AI could be used to support:

  • convincing social engineering attacks at scale;
  • document-scraping malware to make attacks more efficient;
  • evasion of image recognition and voice biometrics;
  • ransomware attacks, through intelligent targeting and evasion;
  • data pollution, by identifying blind spots in detection rules.

The paper also warns that AI systems are being developed to enhance the effectiveness of malware and to disrupt anti-malware and facial recognition systems.

The EAST Payments Task Force is focussed on payment issues related to social engineering, malware, ransomware and other cyber threats, and notes that this report is an important step forward in assessing the rapid evolution of cybercrime.

The three organisations make several recommendations to conclude the report:

  • harness the potential of AI technology as a crime-fighting tool to future-proof the cybersecurity industry and policing;
  • continue research to stimulate the development of defensive technology;
  • promote and develop secure AI design frameworks;
  • de-escalate politically loaded rhetoric on the use of AI for cybersecurity purposes;
  • leverage public-private partnerships and establish multidisciplinary expert groups.

For more information and to download the report visit Europol’s website

EPTF holds Eighth Meeting

The Eighth Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 11th November 2020.  Due to the Covid-19 situation it was conducted as a virtual meeting and 19 EPTF members participated.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.

There was a detailed discussion on the impact of Covid-19 on fraud, on e-skimming, and on Instant Payments.  INTERPOL, Europol and the DCPCU provided the law enforcement perspective, and short presentations were also made by Diebold Nixdorf, Fiducia & GAD, ING Bank, MasterCard Members’ Association, PAN-Nordic Card Association, PSA, PLUSCARD, STMP, tietoEVRY and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 209 EAST Associate Member Organisations from 53 countries and territories.