National & Global Fraud Intelligence sharing – 2nd EAST Global Congress

The 2nd EAST Global Congress took place on Wednesday 5th October 2022 in London as a hybrid meeting, with some delegates participating online. The event was hosted by the LINK Scheme.

The meeting was chaired by Veronica Borgogna from Worldline and the key focus was on the sharing of payment and terminal fraud intelligence (global, regional, national).

Law enforcement overviews were provided by Europol’s European Cybercrime Centre (EC3) on various fraud types, and the Gulf Cooperation Council Police (GCCPOL) on technological and non-technological fraud trends.

Private sector fraud intelligence updates were received from 25 countries, either directly or via regional/global updates by HSBC and Worldline.  Regional Updates were also provided for ASP, LATAM, and MENA.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains the key issue, and discussions also took place on a new fraud modus operandi now affecting four countries.

Updates were also given by the Chairs of the three EAST Expert Groups:

EAST Fraud Update 3-2022 will be produced early next month, based on the country updates provided at the EAST Global Congress.  EAST Fraud, Payment, and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The 3rd EAST Global Congress, scheduled for 8th February 2023, will also be held as a Hybrid Meeting.

Phishing gang busted by cross-border Police operation

A cross-border operation, supported by Europol and involving the Belgian Police (Federale Politie) and the Dutch Police (Politie), resulted in the dismantling today of an organised crime group (OCG) involved in phishing, fraud, scams, and money laundering.

  • The OCG used email, text messages and mobile messaging applications to contact their victims.
  • These messages contained a phishing link leading to a bogus banking website.
  • Thinking they were viewing their own bank accounts through this website, the victims were duped into providing their banking credentials to the suspects. The investigative leads suggest that the criminal network managed to steal several million euros from their victims with this fraudulent activity.
  • The OCG used money mules to transfer these funds from the victim’s accounts and to cash out the fraudulently obtained money.
  • Members of the OCG have also been connected with cases of drugs trafficking and possible firearms trafficking.

Police Action

On 21 June 2022 the coordinated Police action led to:

  • 9 arrests in the Netherlands
  • 24 house searches in the Netherlands
  • Seizures including firearms, ammunition, jewellery, electronic devices, cash and cryptocurrency

Europol facilitated the information exchange and operational coordination, and provided analytical support for the investigation. During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, as well as forensics and technical expertise.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including phishing. The 12th EAST EPTF meeting took place on 13 April 2022.

National & Global Fraud Intelligence sharing – 1st EAST Global Congress

The 1st EAST Global Congress took place on Thursday 16th June 2022 at Europol’s HQ in The Hague as a hybrid meeting, with some delegates participating online. This was the first in-person meeting of EAST Global and National Members since February 2020.  Six virtual interim meetings were held between that meeting and the Global Congress.

The meeting was chaired by Graham Mott from the LINK Scheme and the key focus was on the sharing of payment and terminal fraud intelligence (global, regional, national).  A special welcome was given to Olesya Danylchenko from the Ukrainian Interbank Payment Systems Member Association (EMA).

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), and the United States Secret Service (USSS).  An update was provided from Europol’s European Cybercrime Centre (EC3) on various fraud types and an updated version of the document ‘Guidance and Recommendations Regarding Logical Attacks Against ATMs’ was officially launched.  A presentation from Europol’s Organised Property Crime Unit covered recent Physical ATM attacks across Europe. The USSS update covered recent reports from the FBI’s Internet Crime Complaint Centre (IC3), as well as the latest fraud trends seen.

Private sector fraud intelligence updates were received from 25 countries, either directly or via regional/global updates by HSBC and Worldline.  Regional Updates were also provided for ASP and MENA.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue.

Updates were also given by the Chairs of the three EAST Expert Groups:

EAST Fraud Update 2-2022 will be produced early next month, based on the country updates provided at the EAST Global Congress.  EAST Fraud, Payment, and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The 2nd EAST Global Congress, scheduled for 5th October 2022, will also be held as a Hybrid Meeting.

Police take down SMS-based FluBot spyware affecting Android phones

The FluBot malware has been stopped by a successful Police operation.  FluBot had been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected Android smartphones across the world.  It has been one of the fastest-spreading mobile malware strains seen to date.

The takedown was the result of an international law enforcement operation involving 11 countries and coordinated by Europol’s European Cybercrime Centre (EC3).  This resulted in the Dutch police successfully disrupting the FluBot infrastructure and taking over its control during May 2022.  The investigation is ongoing to identify the individuals behind this global malware campaign.

How FluBot Worked

First spotted in December 2020, FluBot gained traction in 2021, compromising a huge number of devices worldwide, including significant incidents in Spain and Finland.  Cases were seen across Europe and in Australia.

The malware was installed via text messages, which asked Android users to click a link and install an application to track a package delivery or to listen to a fake voice mail message. Once installed, the malicious application would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials, or cryptocurrency account details, and to disable built-in security mechanisms.

FluBot was able to spread quickly due to its ability to access an infected smartphone’s contacts.  Messages containing links to the malware were then sent to these numbers, helping to spread the malware.

What to do if your Device has been infected?

FluBot malware is disguised as an application, so it can be difficult to spot. There are two ways to tell whether an app may be malware:

  • If you tap an app, and it doesn’t open
  • If you try to uninstall an app, and are instead shown an error message

If you think an app may be malware, reset the phone to factory settings.

Find out more on how to protect yourself from mobile malware.

International Cooperation

This case highlights the importance of cross-border cooperation in taking down organised criminal groups.  EC3 brought together the national investigators in the affected countries to establish a joint strategy, provided digital forensic support and facilitated the exchange of operational information needed to prepare for the final phase of the action. The J-CAT, hosted at Europol, also supported the investigation.  A virtual command post was set up by Europol on the day of the takedown to ensure seamless coordination between all the authorities involved. The following authorities took part in the investigation:

  • Australia: Australian Federal Police
  • Belgium: Federal Police (Federale Politie / Police Fédérale)
  • Finland: National Bureau of Investigation (Poliisi)
  • Hungary: National Bureau of Investigation (Nemzeti Nyomozó Iroda)
  • Ireland: An Garda Síochána
  • Romania: Romanian Police (Poliția Română)
  • Sweden: Swedish Police Authority (Polisen)
  • Switzerland: Federal Office of Police (fedpol)
  • Spain: National Police (Policia Nacional) 
  • Netherlands: National Police (Politie)
  • United States: United States Secret Service

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including mobile malware. The 12th EAST EPTF meeting took place on 13 April 2022.

‘RaidForums’ marketplace taken down

The U.S. Department of Justice (DOJ) has seized the website and user database for RaidForums, a cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums, 21-year-old Diogo Santos Coelho, of Portugal, with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.  Two accomplices have also been arrested.

Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users.  This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.  These datasets were obtained from data breaches and other exploits carried out in recent years.

Europol’s European Cybercrime Centre coordinated Operation TOURNIQUET, a complex law enforcement effort to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The operation was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action, which enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.

The following authorities took part in the RaidForums investigation:

  • Sweden: Swedish Police Authority (Polisen)
  • Romania: National Police (Poliţia Română)
  • Portugal: Judicial Police (Polícia Judiciária)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt)
  • United States: US Secret Service (USSS), Federal Bureau of Investigation (FBI), Internal Revenue Service Criminal Investigation (IRS-CI)
  • United Kingdom: National Crime Agency (NCA)
  • Europol: European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT)

National & Global Fraud Intelligence sharing – 6th Interim EAST Meeting

The sixth Interim Meeting of EAST National and Global Members took place on Wednesday 9th February 2022 as a virtual meeting. The meeting was chaired by Thomas Von der Gathen from Payment Services Austria (PSA).  The key focus was on the sharing of global, regional, and national payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), and the United States Secret Service (USSS).  An update was provided from Europol’s European Cybercrime Centre (EC3) on various fraud types and a presentation from Europol’s Organised Property Crime Unit covered recent Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS update covered card fraud and recent man-in-the-middle black box attacks.

Private sector fraud intelligence updates were received from 28 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Regional Updates were also provided for ASP, MENA and LATAM. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue, particularly for elderly people.

EAST Fraud Update 1-2022 will be produced early next month, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 16th June 2022, will hopefully be the 1st EAST Global Congress, which is planned as a Hybrid Meeting.  This is dependent on the prevailing travel situation at that time, and the meeting will revert to a virtual Interim Meeting if required.

VPN used by Cybercriminals taken down

A joint action by Europol and 10 countries against the criminal misuse of VPN services targeted the users and infrastructure of VPNLab.net.  This resulted in the takedown of 15 servers.  The VPN service aimed to offer shielded communications and Internet access, and was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.

Coordinated disruptive actions took place on 17 January 2022 in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.  Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective Cybercrime – Attacks Against Information Systems.

VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as USD 60 per year.  The service also provided double VPN, with servers located in many different countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.

Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution.  Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.  At the same time, investigators found the service advertised its services on the dark web.

As a result of the investigation, over one hundred businesses have been identified as at risk of cyberattacks.  Law enforcement is working directly with these potential victims to mitigate their exposure.

Europol’s European Cybercrime Centre (EC3) provided support for the action day through its Analysis Project ‘CYBORG’, which organised more than 60 coordination meetings and 3 in-person workshops, as well as providing analytical and forensic support.

The following authorities took part in this operation:

  • Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office
  • Netherlands: The Dutch National Hi-Tech Crime Unit
  • Canada: Royal Canadian Mounted Police, Federal Policing
  • Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
  • France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
  • Hungary: RSSPS National Bureau of Investigation Cybercrime Department
  • Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
  • Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
  • United Kingdom: The National Crime Agency
  • United States: Federal Bureau of Investigation
  • Eurojust
  • Europol: European Cybercrime Centre (EC3)

INTERPOL-coordinated global operation HAECHI-II targets cyber-enabled financial crime

INTERPOL-coordinated Operation HAECHI-II, which ran from June to September 2021, targeted the global threat of cyber-enabled financial crime.  As a result, police arrested over 1,000 individuals and intercepted a total of nearly USD 27 million of illicit funds.

The operation brought together specialised police units from 20 countries, as well as from Hong Kong and Macau, to target specific types of online fraud, such as romance scams, investment fraud and money laundering associated with illegal online gambling.

This resulted in the arrest of 1,003 individuals and allowed investigators to close 1,660 cases.  In addition, 2,350 bank accounts linked to the illicit proceeds of online financial crime were blocked.  Over 50 INTERPOL notices were published based on information relating to Operation HAECHI-II and 10 new criminal modus operandi were identified.  The results show that transnational organised crime groups have been using the Internet to extract millions from their victims, before funnelling the illicit cash to bank accounts across the globe.

HAECHI-II is the second operation in a 3-year project to tackle cyber-enabled financial crime supported by the Republic of Korea, and the first that is truly global in scope.  INTERPOL member countries on every continent participated.  Information gained during HAECHI-II enabled INTERPOL to publish multiple Purple Notices – international police alerts that seek or provide information on modus operandi, objects, devices and concealment methods used by criminals.  The notices are then shared with INTERPOL’s 194 member countries so that police can exchange information on emerging criminal methods and establish connections between cases.

One Purple Notice requested by Colombia during the operation details a malware-laden mobile application using the name and branding of the Netflix show ‘Squid Game’.  Masquerading as a product affiliated with the popular television series, the app was in fact a Trojan horse virus that, once downloaded, was able to hack the user’s billing information and subscribe to paid ‘premium’ services without the user’s explicit approval.  While flagged in Colombia, the app has also targeted users in other countries.

The operation also saw INTERPOL officials pilot test a new global stop-payment mechanism – the Anti-Money Laundering Rapid Response Protocol (ARRP) – which proved critical to successfully intercepting illicit funds in several HAECHI-II cases.  INTERPOL will officially launch the ARRP next year, and their Financial Crime Unit is continuing to work with member countries to integrate the system into existing communications channels.

The following countries participated in Operation HAECHI-II: Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.

The INTERPOL Financial Crime Unit participates in EAST Global Congress and Interim Meetings and in meetings of the EAST Expert Groups on Payment and Transaction Fraud (EAST EPTF) and All Terminal Fraud (EAST EGAF).

IOCTA 2021 Published by Europol

Europol has published its Internet Organised Crime Threat Assessment for 2021 (IOCTA 2021).  This highlights 5 Key Threats:

  • Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
  • Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication (2FA).
  • Online shopping has led to a steep increase in online fraud.
  • Explicit self-generated material is an increasing concern and is also distributed for profit.
  • Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

IOCTA 2021 looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years.

  • Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals.
  • While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts.
  • The increase of online shopping in general has attracted more fraudsters.
  • With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly.
  • Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies continue to be abused for the facilitation and proliferation of a large range of criminal activities.

This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

“Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3), “… Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so,” he added.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The 11th EAST EPTF meeting took place on 10 November 2021.

#SellSafe – Safety Awareness for Online Shopping

Europol’s EFECC launched the #SellSafe awareness campaign on 3 November as part of their 2021 eCommerce Action.

Organised crime groups are continuously adapting online fraud methods to exploit both online shoppers and e-commerce companies.  Their opportunities are growing!  Since the start of the pandemic the number of businesses selling online has increased, and the average shopper is using online services several times each week.  New technologies such as Secure Customer Authentication (SCA) or Two-Factor Authentication (2FA) have made online purchasing more secure, but cybercriminals are still finding ways to steal cash from online shoppers.

Europol launched the #SellSafe awareness campaign along with the Merchant Risk Council and participating countries.  This follows a successful campaign last year which highlighted the top tactics for fighting online fraud. The aim of the new campaign is to make e-commerce more secure by promoting safe online purchasing methods and by helping new merchants to open their first online shop without the risk of cyberattacks.

From 1 to 31 October 2021 law enforcement authorities from participating countries, supported by Europol and the Merchant Risk Council, joined forces in a coordinated action against online fraud as part of the 2021 eCommerce Action.  This resulted in 46 arrests linked to fraudulent transactions.  The criminal modus operandi involved the use of certain mobile apps associated with banks in order to make transfers and purchases illegally.  In 2019 an operation by Europol’s European Cybercrime Centre (EC3) led to 60 arrests as part of their #BuySafePaySafe action.

The 2021 #SellSafe participating countries include: Albania, Austria, Belgium, Colombia, Croatia, Greece, Hungary, Ireland, Italy, Georgia, the Netherlands, North Macedonia, Poland, Portugal, Slovenia, Slovakia, Spain, Switzerland and the United States.

The participating countries will promote the campaign through their social media channels using the #SellSafe hashtag to help online shoppers understand the risks of e-commerce fraud.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The next EPTF meeting will take place on 10 November 2021.

STAY SAFE ONLINE

To protect online shoppers and merchants, Europol has provided a number of helpful tips to stay one step ahead of the scammers and to prevent financial loss.

Tips to protect your e-business:

  • Ensure all employees are aware of the fraud issues affecting online stores
  • Stay up to date on the types of payment fraud affecting businesses and have the tools in place to prevent them. Your national payments organisation will have details on payment fraud types
  • Get to know your customers in order to be able to verify their payments

Tips for online shoppers:

  • Never send your card number, PIN or any other card information to anyone by e-mail
  • Never send money to anyone you don’t know
  • Always save all documents related to your online purchases
  • If you are not buying anything, don’t submit your card details

Find more tips on how to protect yourself and your business from e-fraudsters here.

More general advice on how to shop safely online is available here.