‘RaidForums’ marketplace taken down

The U.S. Department of Justice (DOJ) has seized the website and user database for RaidForums, a cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums, 21-year-old Diogo Santos Coelho, of Portugal, with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.  Two accomplices have also been arrested.

Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users.  This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.  These datasets were obtained from data breaches and other exploits carried out in recent years.

Europol’s European Cybercrime Centre coordinated Operation TOURNIQUET, a complex law enforcement effort to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The operation was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action, which enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.

The following authorities took part in the RaidForums investigation:

  • Sweden: Swedish Police Authority (Polisen)
  • Romania: National Police (Poliţia Română)
  • Portugal: Judicial Police (Polícia Judiciária)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt)
  • United States: US Secret Service (USSS), Federal Bureau of Investigation (FBI), Internal Revenue Service Criminal Investigation (IRS-CI)
  • United Kingdom: National Crime Agency (NCA)
  • Europol: European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT)

National & Global Fraud Intelligence sharing – 6th Interim EAST Meeting

The sixth Interim Meeting of EAST National and Global Members took place on Wednesday 9th February 2022 as a virtual meeting. The meeting was chaired by Thomas Von der Gathen from Payment Services Austria (PSA).  The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), and the United States Secret Service (USSS).  An update was provided from Europol’s European Cybercrime Centre (EC3) on various fraud types and a presentation from Europol’s Organised Property Crime Unit covered recent Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS update covered card fraud and recent man-in-the-middle black box attacks.

Private sector fraud intelligence updates were received from 28 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Regional Updates were also provided for ASP, MENA and LATAM. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue, particularly for elderly people.

EAST Fraud Update 1-2022 will be produced early next month, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 16th June 2022, will hopefully be the 1st EAST Global Congress, which is planned as a Hybrid Meeting.  This is dependent on the prevailing travel situation at that time, and the meeting will revert to a virtual Interim Meeting if required.

VPN used by Cybercriminals taken down

A joint action by Europol and 10 countries against the criminal misuse of VPN services targeted the users and infrastructure of VPNLab.net.  This resulted in the takedown of 15 servers.  The VPN service aimed to offer shielded communications and Internet access, and was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.

Coordinated disruptive actions took place on 17 January 2022 in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.  Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective Cybercrime – Attacks Against Information Systems.

VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as USD 60 per year.  The service also provided double VPN, with servers located in many different countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.

Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution.  Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.  At the same time, investigators found the service advertised its services on the dark web.

As a result of the investigation, over one hundred businesses have been identified as at risk of cyberattacks.  Law enforcement is working directly with these potential victims to mitigate their exposure.

Europol’s European Cybercrime Centre (EC3) provided support for the action day through its Analysis Project ‘CYBORG’, which organised more than 60 coordination meetings and 3 in-person workshops, as well as providing analytical and forensic support.

The following authorities took part in this operation:

  • Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office
  • Netherlands: The Dutch National Hi-Tech Crime Unit
  • Canada: Royal Canadian Mounted Police, Federal Policing
  • Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
  • France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
  • Hungary: RSSPS National Bureau of Investigation Cybercrime Department
  • Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
  • Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
  • United Kingdom: The National Crime Agency
  • United States: Federal Bureau of Investigation
  • Eurojust
  • Europol: European Cybercrime Centre (EC3)

INTERPOL-coordinated global operation HAECHI-II targets cyber-enabled financial crime

INTERPOL-coordinated Operation HAECHI-II, which ran from June to September 2021, targeted the global threat of cyber-enabled financial crime.  As a result, police arrested over 1,000 individuals and intercepted a total of nearly USD 27 million of illicit funds.

The operation brought together specialised police units from 20 countries, as well as from Hong Kong and Macau, to target specific types of online fraud, such as romance scams, investment fraud and money laundering associated with illegal online gambling.

This resulted in the arrest of 1,003 individuals and allowed investigators to close 1,660 cases.  In addition 2,350 bank accounts linked to the illicit proceeds of online financial crime were blocked.  Over 50 INTERPOL notices were published based on information relating to Operation HAECHI-II and 10 new criminal modus operandi were identified.  The results  show that transnational organised crime groups have been using the Internet to extract millions from their victims, before funnelling the illicit cash to bank accounts across the globe.

HAECHI-II is the second operation in a 3-year project to tackle cyber-enabled financial crime supported by the Republic of Korea, and the first that is truly global in scope.  INTERPOL member countries on every continent participated.  Information gained during HAECHI-II enabled INTERPOL to publish multiple Purple Notices – international police alerts that seek or provide information on modus operandi, objects, devices and concealment methods used by criminals.  The notices are then shared with INTERPOL’s 194 member countries so that police can exchange information on emerging criminal methods and establish connections between cases.

One Purple Notice requested by Colombia during the operation details a malware-laden mobile application using the name and branding of the Netflix show ‘Squid Game’.  Masquerading as a product affiliated with the popular television series, the app was in fact a Trojan horse virus that, once downloaded, was able to hack the user’s billing information and subscribe to paid ‘premium’ services without the user’s explicit approval.  While flagged in Colombia, the app has also targeted users in other countries.

The operation also saw INTERPOL officials pilot test a new global stop-payment mechanism – the Anti-Money Laundering Rapid Response Protocol (ARRP) – which proved critical to successfully intercepting illicit funds in several HAECHI-II cases.  INTERPOL will officially launch the ARRP next year, and their Financial Crime Unit is continuing to work with member countries to integrate the system into existing communications channels.

The following countries participated in Operation HAECHI-II: Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.

The INTERPOL Financial Crime Unit participates in EAST Global Congress and Interim Meetings and in meetings of the EAST Expert Groups on Payment and Transaction Fraud (EAST EPTF) and All Terminal Fraud (EAST EGAF).

IOCTA 2021 Published by Europol

Europol has published its Internet Organised Crime Threat Assessment for 2021 (IOCTA 2021).  This highlights 5 Key Threats:

  • Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
  • Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication (2FA).
  • Online shopping has led to a steep increase in online fraud.
  • Explicit self-generated material is an increasing concern and is also distributed for profit.
  • Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

IOCTA 2021 looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years.

  • Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities connected to systems, hospitals or individuals.
  • While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts.
  • The increase of online shopping in general has attracted more fraudsters.
  • With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly.
  • Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies, continues to be abused for the facilitation and proliferation of a large range of criminal activities.

This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

“Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3), “… Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so,” he added.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The 11th EAST EPTF meeting took place on 10 November 2021.

#SellSafe – Safety Awareness for Online Shopping

Europol’s EFECC launched the #SellSafe awareness campaign on 3 November as part of their 2021 eCommerce Action.

Organised crime groups are continuously adapting online fraud methods to exploit both online shoppers and e-commerce companies.  Their opportunities are growing!  Since the start of the pandemic the number of businesses selling online has increased, and the average shopper is using online services several times each week.  New technologies such as Secure Customer Authentication (SCA) or Two-Factor Authentication (2FA) have made online purchasing more secure, but cybercriminals are still finding ways to steal cash from online shoppers.

Europol launched the #SellSafe awareness campaign along with the Merchant Risk Council and participating countries.  This follows a successful campaign last year which highlighted the top tactics for fighting online fraud. The aim of the new campaign is to make e-commerce more secure by promoting safe online purchasing methods and by helping new merchants to open their first online shop without the risk of cyberattacks.

From 1 to 31 October 2021 law enforcement authorities from participating countries, supported by Europol and the Merchant Risk Council, joined forces in a coordinated action against online fraud as part of the 2021 eCommerce Action.  This resulted in 46 arrests linked to fraudulent transactions.  The criminal modus operandi involved the use of certain mobile apps associated with banks in order to make transfers and purchases illegally.  In 2019 an operation by Europol’s European Cybercrime Centre (EC3) led to 60 arrests as part of their #BuySafePaySafe action.

The 2021 #SellSafe participating countries include: Albania, Austria, Belgium, Colombia, Croatia, Greece, Hungary, Ireland, Italy, Georgia, the Netherlands, North Macedonia, Poland, Portugal, Slovenia, Slovakia, Spain, Switzerland and the United States.

The participating countries will promote the campaign through their social media channels using the #SellSafe hashtag to help online shoppers understand the risks of e-commerce fraud.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The next EPTF meeting will take place on 10 November 2021.

STAY SAFE ONLINE

To protect online shoppers and merchants, Europol has provided a number of helpful tips to stay one step ahead of the scammers and to prevent financial loss.

Tips to protect your e-business:

  • Ensure all employees are aware of the fraud issues affecting online stores
  • Stay up to date on the types of payment fraud affecting businesses and have the tools in place to prevent them. Your national payments organisation will have details on payment fraud types
  • Get to know your customers in order to be able to verify their payments

Tips for online shoppers:

  • Never send your card number, PIN or any other card information to anyone by e-mail
  • Never send money to anyone you don’t know
  • Always save all documents related to your online purchases
  • If you are not buying anything, don’t submit your card details

Find more tips on how to protect yourself and your business from e-fraudsters here.

More general advice on how to shop safely online is available here.

National & Global Fraud Intelligence sharing – 5th Interim EAST Meeting

The fifth Interim Meeting of EAST National and Global Members took place on Wednesday 6th October 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Veronica Borgogna from AXEPTA BNP Paribas.  The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), the United States Secret Service (USSS) and INTERPOL.  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS presentation covered Covid-19 pandemic relief fraud and the INTERPOL presentation covered recent issues relating to financial crimes in the LATAM region.

Private sector fraud intelligence updates were received from 28 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Regional Updates were also provided for ASP, MENA and LATAM. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue.

EAST Fraud Update 3-2021 will be produced early next month, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 9th February 2022, will hopefully be the 1st EAST Global Congress, which is planned as a Hybrid Meeting.  This is dependent on the prevailing status of the Covid-19 pandemic and the meeting will revert to a virtual Interim Meeting if required.

Moroccan police arrest suspected cybercriminal after INTERPOL probe

An alleged prolific cybercriminal has been apprehended in Morocco following a joint two-year investigation by INTERPOL, the Moroccan police and Group-IB.  Acting under the signature name of ‘Dr Hex’, the suspect is believed to have targeted thousands of unsuspecting victims over several years through global phishing, fraud, and carding activities involving credit card fraud.  He is also accused of defacing numerous websites by modifying their appearance and content, and of targeting French-speaking communications companies, multiple banks and multinational companies with malware campaigns.  He is alleged to have helped develop carding and phishing kits, which were then sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims.  These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain.  The losses of individuals and companies were then published online in order to advertise these malicious services.

Under Operation Lyrebird, INTERPOL’s Cybercrime Directorate worked closely with Group-IB and with Moroccan Police, via the INTERPOL National Central Bureau in Rabat, to eventually locate and apprehend the individual, who remains under investigation.  INTERPOL Executive Director of Police Services Stephen Kavanagh said: “This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide. The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”

Group-IB determined that the suspect was involved in attacks on 134 websites from 2009 to 2018, leaving behind his signature name on web pages.  Its participation in the operation came under Project Gateway, an initiative which facilitates cooperation and information sharing between INTERPOL and private sector partners.

In May 2021 INTERPOL launched a new cyber operations desk to boost the capacity of 49 African countries to fight cybercrime. The Africa desk will help shape a regional strategy to drive intelligence-led coordinated actions against cybercriminals and support joint operations such as Lyrebird.

At a time of increasing cyber threats, members of the public, businesses and organisations are reminded to protect themselves from phishing attempts by following the advice showcased in INTERPOL’s #WashYourCyberHands and #OnlineCrimeIsRealCrime campaigns.

The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud.

National & Global Fraud Intelligence sharing – 4th Interim EAST Meeting

A fourth Interim Meeting of EAST National and Global Members took place on Wednesday 9th June 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Graham Mott from the LINK Scheme.  The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), the United States Secret Service (USSS) and INTERPOL.  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS presentation covered US Fraud Trends (2020/2021), along with prevention/detection techniques, and the INTERPOL presentation covered recent issues relating to financial crimes, money laundering, and asset tracing.

Private sector fraud intelligence updates were received from 31 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, continues to be the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 2-2021 will be produced during July, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 6th October 2021, will also be a virtual Interim meeting.  The 1st EAST Global Congress is now scheduled to be held in February 2022, dependent on the prevailing status of the Covid-19 pandemic.

3rd Interim EAST Meeting – National and Global Members

A third Interim Meeting of EAST National and Global Members took place on Wednesday 10th February 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Martine Hemmerijckx from Worldline.

Law enforcement overviews were provided by Europol and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries – it focussed on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim).

Updates were received from 26 countries, either directly or via a global update by Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, is the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 1-2021 will be produced during March, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 9th June 2021, will also be a virtual Interim meeting.  The 1st EAST Global Congress is now scheduled to be held in October 2021, dependent on the prevailing status of the Covid-19 pandemic.