DarkMarket taken down in international police operation

DarkMarket, the world’s largest illegal marketplace on the dark web, has been taken offline in an international operation led by German police.  As well as Germany, law enforcement agencies from Australia, Denmark, Moldova, Ukraine, the United Kingdom (National Crime Agency), and the USA (DEA, FBI, and IRS) were involved. Europol supported the takedown with specialist operational analysis and coordinated the cross-border collaborative effort of the countries involved.

The Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian citizen (the alleged operator of DarkMarket) near the German-Danish border over the weekend of 9/10 January 2020. The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, supported by the German Federal Criminal Police office (BKA), allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine. The stored data will give investigators new leads to further investigate moderators, sellers, and buyers.

The DarkMarket vendors mainly traded all kinds of drugs and sold counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.

DARKMARKET IN FIGURES:

  • almost 500,000 users;
  • more than 2,400 sellers;
  • over 320,000 transactions;
  • more than 4,650 bitcoin and 12,800 monero transferred (at the current rate, this corresponds to a sum of more than €140 million).

PUBLIC-PRIVATE SECTOR COOPERATION

Europol’s European Cybercrime Centre (EC3) has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy.  This team focusses on:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets.

The EAST Payments Task Force and the EAST Expert Group on All Terminal Fraud work closely with Europol and other law enforcement agencies (national, regional and global).  EAST Global and National Members focus on the reporting of payment and terminal fraud (fraud types, fraud origins and due diligence), for the gathering, collation and dissemination of related information, trends and general statistics across all geographies.

EAST Poll indicates consumer confidence in NFC payment transactions

Respondents to an online poll run by EAST from September to December 2020 indicated that they were either ‘completely satisfied’ (67%) or ‘satisfied’ (33%) that their payment details are safe when making an NFC payment transaction using a smartphone.

There are currently 3.5 billion smartphone users in the world, which means 44.81% of the world’s population owns a smartphone.

Banks and retailers are using the facility to reach their customers and see smartphones as an opportunity to make the consumer payment experience a convenient and seamless one.

Consumers can use Near-Field-Communication (NFC) technology on their smartphone to make contactless payments in stores and to pay for goods and services using in-app payment tools. During the Covid-19 pandemic the limit for a contactless transaction has been lifted in many countries and now averages €50 across the European area.

In making payments easier to manage and more accessible for consumers, there is an underlying risk that access to that information is also made easier for the criminal element, aiming to capture the payment data used by unsuspecting consumers.

While the industry continues to build solutions and barriers to this criminal activity the EAST Payment Task Force (PTF) is examining consumer behaviour and focussing on the security of smartphones used to make NFC payments for goods and services.  On 5th January 2021 an EAST Payment Alert was issued – it covers social engineering used to get financial institution clients to install software that is infected with the Anubis malware on their smartphone.  EAST Alerts and Reports are available to EAST Members.

Message From The Executive Director

What a year it has been!  The major impact of the Covid-19 pandemic for EAST has been that our platforms have had to meet virtually since March.  On behalf of the EAST Board, I would like to thank all those who have worked so hard to provide information, time, and resources to help us to meet our targets and objectives during the year.  Otto de Jong, EAST Founder Member and EGAF Chair, and Martine Hemmerijckx, EAST Co-Founder and Director, were presented with awards in recognition of their ongoing commitment and dedication to the development of EAST, and to their significant contribution to security in the payments industry.

We held our 50th National Member meeting in Vienna in February (hosted by PSA), and then the plan was to hold our first Global Congress in The Hague in June.  Instead we held a virtual meeting for our National and Global Members (our 1st Interim Meeting), which was followed by a second virtual meeting in October (our 2nd Interim Meeting).  On current plans our 3rd Interim Meeting will be held in February 2021, and we hope to be able to hold our 1st Global Congress in The Hague in June 2021.

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong of ING Bank, held three meetings in January, May and September, the first hosted by ING in Amsterdam and the other two as virtual meetings.

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott of the LINK Scheme, held two meetings in March and September, the first in The Hague, hosted by the LINK Scheme, and the second as a virtual meeting.

The EAST Payments Task Force (EPTF), chaired by EAST Development Director Rui Carvalho, held two meetings in April and November, both of which were virtual meetings.

Some other key activities during 2020 were:

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and Fraud Updates.  This year we introduced a new reporting template for our National and Global Members covering: Fraud Type; Fraud Origin; Due Diligence; and Physical Attacks.  This enabled us to reformat our Fraud Update and the first one with the new look was published in July 2020.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (31 sent out this year to date), EAST Physical Attack Alerts (7 sent out this year to date) and EAST Payment Alerts (5 sent out this year to date).  EAST EGAF also published a general Security Alert relating to Transaction Reversal Fraud (TRF).

This year we launched our new Global Membership category to enhance our intelligence capabilities and to reflect the fact that organised criminal groups are increasingly global in operation.  Global Members attend and receive outputs from EAST Interim Meetings and EAST Global Congress Meetings.

We now have 209 Associate Member organisations from 53 countries and territories. This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Here’s hoping that the new year allows us to return to holding in-person meetings and events.  We are planning to commence ‘Hybrid Meetings’ from April next year, but this is of course dependent on many factors outwith our control.

Every best wish to all readers for a wonderful festive break and a very happy New Year.  And of course, Stay Safe!

Kind regards

Lachlan

Viewpoint: Covid-19, Cash, and the future of payments

Covid-19 (coronavirus) has had a huge impact on our lives, and what was perceived to be normal before the pandemic may no longer be so as we come to terms with the long-term implications. One factor is how we treat cash.  Before the pandemic started, cash usage was declining in many countries, but the demise of cash was still predicted to be many years away – people still liked to use it because cash transactions are generally invisible and also because it is a familiar and trusted payment mechanism. Older people, who often do not have the same digital footprint as younger generations, also prefer it.

During the Covid-19 pandemic cash usage has plummeted in many countries, partly because of fears that Covid-19 can be transmitted by cash, and partly because people have been locked down at home and only going out to shop for essential items. Scientific evidence suggests that the probability of viral transmission via banknotes is low when compared with other frequently touched objects, such as credit card terminals or PIN pads. There may also be a perceived risk of contagion when using cash or non-contactless payment mechanisms due to proximity to another person.

However this pandemic could speed up the shift towards digital payments, which could open a divide in access to payments instruments, and that could have a negative impact on the unbanked and older consumers. Some central banks are urging continued acceptance.

From May to August 2020 EAST ran a poll on this topic, for which the results can be seen in the chart below:

  • The majority of the respondents (50%) would use contactless payments whenever possible
  • 25% are using a mix of payment mechanisms but prefer not to use cash unless they have to
  • 9% are still mainly using cash
  • 8% are using a mix of payment mechanisms but are happy to use cash whenever they need to
  • 8% have not used cash and don’t plan to

EAST and FS-ISAC Join Forces to Help Combat Fraud with Cyber Threat Intelligence

Expanded partnership to protect and defend European payments infrastructure

EAST and FS-ISAC have signed a Memorandum of Understanding (MOU) strengthening their sharing of secure payment-related intelligence to battle fraud.

In 2020, average monthly fraud cases reported by FS-ISAC members have increased by 82%.  The latest EAST European Payment Terminal Crime Report, covering the first six months of 2020, reported a 269% increase in ATM malware and logical attacks.  As fraud attempts have skyrocketed during the pandemic and digitization of financial services reaches a point of no return, it is critical for anti-fraud efforts and cybersecurity teams to work together more closely moving forward.

Specifically, the partnership strengthens:

  • operational intelligence sharing
  • anti-fraud and cybercrime prevention initiatives
  • malware analysis
  • strategic partnerships

“The current pandemic has accelerated changes taking place in the financial landscape,” said Lachlan Gunn, EAST Executive Director.  “Financially motivated cybercriminals targeting banks and other financial institutions have reacted accordingly and increasing our collaboration with FS-ISAC is an important step forward in the sharing of intelligence for the industry in Europe and beyond.”

“Accelerated global digitalisation combined with the growing sophistication of cybercriminals demands more sharing and collaboration in the financial sector, both regionally and globally,” said Lucie Usher, Intelligence Officer for EMEA at FS-ISAC.  “This strengthened collaboration between FS-ISAC and EAST will further enable intelligence sharing to better safeguard the European global financial system.”

The partnership was formalised in November during the 3rd EU Financial Cybercrime Coalition (EUFCC) meeting hosted by Europol and FS-ISAC.

ABOUT EAST

The European Association for Secure Transactions (EAST) was formed in 2004 and its remit covers both Terminal Security and Payment Security.  EAST has set up an international network to help improve public/private sector cross-border cooperation in the fight against organised cross-border crime.

ABOUT FS-ISAC

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is the only global cyber intelligence sharing community solely focused on financial services.  Serving financial institutions and in turn their customers, the organisation leverages its intelligence platform, resiliency resources, and a trusted peer-to-peer network of experts to anticipate, mitigate and respond to cyber threats.  Headquartered in the United States, the organisation has offices in the United Kingdom and Singapore, and members in more than 70 countries.  To learn more, visit www.fsisac.com. To get clarity and perspective on the future of finance, data and cybersecurity from top C-level executives around the world, visit FS-ISAC Insights.

 

Carding Action by Police prevents €40 million in losses

Carding Action 2020, an operation led by law enforcement agencies from Italy and Hungary and supported by the UK and Europol, targeted fraudsters selling and purchasing compromised card details on websites selling stolen credit card data, known as ‘card shops’, and ‘dark web marketplaces’.

The operation sought to mitigate and prevent losses for financial institutions and cardholders. Group-IB and card schemes worked in close cooperation with police authorities from the countries involved. During the three-month operation, 90,000 pieces of card data were analysed, preventing approximately €40 million in losses.

Europol facilitated the coordination and the information exchange between law enforcement authorities and partners from the private sector. Europol’s experts provided operational analysis on large volumes of data and supported with expertise in the field of payment card fraud.

“Cybercrime can affect all aspects of our daily life, from paying in the supermarket, transferring money to our friends to using online communication tools or Internet of Things devices at home. Cybercriminals can attack us in different ways and this requires a robust response not only from law enforcement, but also from the private sector,” said Edvardas Sileris, Head of Europol’s European Cybercrime Centre (EC3). “With more than €40 million in losses prevented, Carding Action 2020 is a great example of how sharing information between private industries and law enforcement authorities is a key in combating the rising trend of e-skimming and preventing criminals from profiting on the back of EU citizens…..” he added.

The expansion of e-skimming attacks targeting merchant point of sale systems and e-commerce merchants also influenced the significant increase of prevented losses. As reported in Europol’s iOCTA 2020, card-not-present (CNP) fraud is a criminal threat in constant evolution, generating millions of euros of losses and affecting thousands of victims from across the EU.

The EAST Payments Task Force (EPTF) is a public-private sector platform that focusses on tackling the issues of e-skimming and payment fraud.

Cybercriminals will leverage AI as an attack vector and an attack surface

A jointly developed new report by Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro looking into current and predicted criminal uses of artificial intelligence (AI) has been released.  It provides law enforcers, policymakers and other organisations with information on existing and potential attacks leveraging AI and recommendations on how to mitigate these risks.

The report concludes that cybercriminals will leverage AI both as an attack vector and an attack surface.  Deep fakes are currently the best-known use of AI as an attack vector.  However, the report warns that new screening technology will be needed in the future to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets.

For example, AI could be used to support:

  • convincing social engineering attacks at scale;
  • document-scraping malware to make attacks more efficient;
  • evasion of image recognition and voice biometrics;
  • ransomware attacks, through intelligent targeting and evasion;
  • data pollution, by identifying blind spots in detection rules.

The paper also warns that AI systems are being developed to enhance the effectiveness of malware and to disrupt anti-malware and facial recognition systems.

The EAST Payments Task Force is focussed on payment issues related to social engineering, malware, ransomware and other cyber threats, and notes that this report is an important step forward in assessing the rapid evolution of cybercrime.

The three organisations make several recommendations to conclude the report:

  • harness the potential of AI technology as a crime-fighting tool to future-proof the cybersecurity industry and policing;
  • continue research to stimulate the development of defensive technology;
  • promote and develop secure AI design frameworks;
  • de-escalate politically loaded rhetoric on the use of AI for cybersecurity purposes;
  • leverage public-private partnerships and establish multidisciplinary expert groups.

For more information and to download the report, visit Europol’s website.

EPTF holds Eighth Meeting

The Eighth Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 11th November 2020.  Due to the Covid-19 situation it was conducted as a virtual meeting and 19 EPTF members participated.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.

There was a detailed discussion on the impact of Covid-19 on fraud, on e-skimming, and on Instant Payments.  INTERPOL, Europol and the DCPCU provided the law enforcement perspective, and short presentations were also made by Diebold Nixdorf, Fiducia & GAD, ING Bank, MasterCard Members’ Association, PAN-Nordic Card Association, PSA, PLUSCARD, STMP, tietoEVRY and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 209 EAST Associate Member Organisations from 53 countries and territories.

Corporate Network Attacks

In August 2020 EAST published Central/Host Fraud definitions which cover corporate attacks against central infrastructure like banking host systems in order to perform different Modus Operandi not directly connected to a Terminal.  These definitions were produced by the EAST Expert Group on All Terminal Fraud (EGAF).

The compromise of a corporate network is the first step in these types of incidents.  This can be done by external attackers as well as by internal employees of the institution.  Attackers typically try to get access to this critical infrastructure, enabling the three different Corporate Network Attacks shown below.

  • Card Processing
  • Fund Transfer
  • Remote Malware Distribution and Control

The third one relates to control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM specific malware.  The different malware Modus Operandi actually used within the corporate network attack can be Jackpotting (also known as ATM Cash-out), Man-in-the-Middle (MITM) and SW-Skimming.  These are described in EAST’s Terminal Fraud Definitions.

In October 2020 the PCI Security Standards Council (PCI SSC) released a bulletin ‘The Threat Of ATM Cash-Outs Payment Security’.

EAST Executive Director Lachlan Gunn speaks to Jeremy King, the PCI SSC Regional Head for Europe and Otto de Jong, Chair of EAST EGAF and DBNL Anti-Fraud Officer for ING.

Lachlan Gunn:  Thank you both for agreeing to speak today on this key issue.

Why did EAST produce Central/Host Fraud Definitions?

Otto de Jong:  It is vital that the way that corporate network attacks are described is consistent to allow law enforcement and industry responders to accurately report what they are seeing in a way that allows for standardisation of reporting.  This optimises the ability of organisations to mitigate and defend against the evolving threats and helps law enforcement when conducting follow up investigations to such crimes.  The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment terminal fraud.  The INTERPOL Financial Crimes Unit is recommending the usage of EAST definitions for Payment Card Fraud, and we hope that other law enforcement agencies will do the same.

Why did the PCI Security Standards Council issue an industry threat bulletin on ATM Cash-outs?

Jeremy King: We have heard from many of our stakeholders in the European payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA whose industry is well aware of these daily threats.

Otto de Jong:  This is indeed timely.  The most recent EAST Payment Terminal Crime Report shows that ‘cash-out’ through black box attacks is a growing threat.  ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks.

What businesses are at risk of this devious attack?

Jeremy King: Financial institutions and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple countries throughout Europe and around the world as the result of this highly organised, well-orchestrated criminal attack.

Otto de Jong: In addition to financial institutions and payment processors, recent corporate network attacks have demonstrated that this is also a threat to key infrastructure companies like utility companies, universities, hospitals and so on.   This year the corporate network attack threat is evolving from targeting the payment system (cash out or swift transactions) to ransomware attacks (bitcoins).

What are some detection best practices to detect these threats before they can cause damage?

Jeremy King: Since ATM ‘cash-out’ attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools

Otto de Jong: Monitoring systems can also be compromised.  Checking of related monitoring mechanisms, such as those operated globally by card schemes, can be helpful to identify this kind of attack.

What are some prevention best practices to stop this attack from happening in the first place?

Jeremy King: The best protection to mitigate against ATM ‘cash-outs’ is to adopt a layered defence that includes people, processes, and technology. Some recommendations to prevent ATM ‘cash-outs’ include:

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS

Otto de Jong: In addition, every institution with an IT infrastructure should perform a threat risk assessment to spot weakness in their system.  This should be evaluated on an annual basis.  Performing penetration tests annually by independent assessors must be part of such an assessment.

Lachlan Gunn:  That concludes the Q&A session.  Many thanks again to you both.  Hopefully this will help to further raise awareness of the risks posed by corporate network attacks, what can be done to detect them, how to protect against them and also how to classify attacks to allow for accurate reporting and follow up by law enforcement and the industry.
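Velocity monitoring, the first detection practice listed in the Q&A above, shown as an added example that is not part of the original article or the PCI SSC bulletin. It flags an account whose withdrawals inside a sliding time window exceed a count, amount or distinct-terminal threshold. The log format, account tokens, terminal IDs and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorisation log (not real data):
# timestamp, terminal id, account token, withdrawal amount in EUR.
SAMPLE_LOG = """\
2020-10-01T02:00:05,ATM-NL-014,acct-A,500
2020-10-01T02:00:40,ATM-DE-203,acct-A,500
2020-10-01T02:01:10,ATM-FR-077,acct-A,500
2020-10-01T02:01:30,ATM-NL-014,acct-B,60
2020-10-01T02:01:55,ATM-ES-310,acct-A,500
2020-10-01T02:02:20,ATM-IT-122,acct-A,500
2020-10-01T09:15:00,ATM-NL-014,acct-B,40
2020-10-01T13:30:00,ATM-NL-015,acct-B,100
"""

# Assumed thresholds for illustration; real values come from an
# institution's own baseline of normal cardholder behaviour.
WINDOW = timedelta(minutes=10)
MAX_WITHDRAWALS = 4   # withdrawals per account per window
MAX_AMOUNT = 2000     # EUR per account per window
MAX_TERMINALS = 3     # distinct terminals per account per window


def parse_log(text):
    """Parse the constructed log format into time-ordered event tuples."""
    events = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {line_no}: expected 4 fields, got {len(parts)}")
        ts, terminal, account, amount = parts
        events.append((datetime.fromisoformat(ts), terminal, account, int(amount)))
    return sorted(events)


def velocity_alerts(events, window=WINDOW):
    """Return one alert per account, raised at the first threshold breach."""
    recent = defaultdict(deque)  # account -> events still inside the window
    alerted = set()
    alerts = []
    for ts, terminal, account, amount in events:
        q = recent[account]
        q.append((ts, terminal, amount))
        # Drop events that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        count = len(q)
        total = sum(a for _, _, a in q)
        terminals = len({t for _, t, _ in q})
        reasons = []
        if count > MAX_WITHDRAWALS:
            reasons.append("count")
        if total > MAX_AMOUNT:
            reasons.append("amount")
        if terminals > MAX_TERMINALS:
            reasons.append("terminals")
        if reasons and account not in alerted:
            alerted.add(account)
            alerts.append({"account": account, "time": ts, "count": count,
                           "total": total, "terminals": terminals,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in velocity_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tracking distinct terminals alongside count and amount matters here because a coordinated cash-out spreads withdrawals across many machines, so the account is flagged on its fourth terminal before either the count or the amount limit is crossed.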

EAST presents on ATM Attacks at EUFCC

On 3rd November 2020, Europol and the FS-ISAC hosted the 3rd EU Financial Cybercrime Coalition (EUFCC) meeting. The virtual event brought together EU law enforcement and the financial sector to discuss financially motivated cybercrime in three dedicated workshops. Subject matter experts from both the private sector and law enforcement discussed the latest threats and trends in relation to ransomware, ATM attacks, and cyber-enabled fraud and business email compromise.

In the ATM Attacks session, Europol gave the law enforcement perspective and EAST Executive Director Lachlan Gunn gave a presentation from the viewpoint of the industry. The main issue covered was black box attacks which, as highlighted by the latest crime statistics published by EAST, are a rising threat in Europe.

The EAST presentation highlighted how its public/private sector platforms operate, and the latest ATM Attack trends.  The key topics covered by EAST were:

EAST also touched on e-skimming, and EAST Development Director Rui Carvalho, who also chairs the EAST Payments Task Force (EPTF), commented that, while skimming attacks on terminals are at the lowest level ever reported by EAST, e-skimming is a rising threat.  This is on the Agenda for discussion at the 8th EPTF Meeting, which will be held on 11th November 2020.