IOCTA 2020 Published by Europol

IOCTA 2020Europol has published its Internet Organised Crime Threat Assessment for 2020 (IOCTA 2020).   This highlights the dynamic and evolving threats from cybercrime and provides a unique law enforcement focused assessment of emerging challenges and key developments in the space.  The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic.  Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime.  Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

So much has changed since Europol published last year’s IOCTA. The global  pandemic forced the reimagination of our societies and the reinvention of the way we work and live.  During the lockdown, people turned to the Internet for a sense of normality: shopping, working and learning online at a scale never seen before.  The IOCTA 2020 seeks to map the evolving cybercrime threat landscape and understand how law enforcement responds to it.  Although the COVID-19 crisis has shown how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems, some of which are shown below:

CROSS-CUTTING CRIME

  • Social engineering and phishing remain an effective threat to enable other types of cybercrime.  Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.  Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
  • Encryption continues to be a clear feature of an increasing number of services and tools.  One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.  The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

MALWARE REIGNS SUPREME

  • Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance.  While the COVID-19 pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis. Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.  Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.

PAYMENT FRAUD: SIM SWAPPING A NEW TREND

  • SIM swapping, which allows perpetrators to take over accounts, is one of the new trends in IOCTA 2020.  As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.  Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.

CRIMINAL ABUSE OF THE DARK WEB

  • In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year. Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year. OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

EAST EGAP holds 14th Meeting

The 14th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 2nd September 2020.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Graham Mott of  the LINK Scheme.

The meeting was attended by 40 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.

  • Europol gave a central assessment of the ATM physical attack situation in Europe.
  • The ECB gave an update on the latest developments of its Intelligent Banknote Neutralisation (IBNS) Policy.
  • National Threat Assessments were shared by representatives from 15 countries:
CountryUpdate(s) Given By
AustriaPayment Services Austria (PSA)
CroatiaMUP - Ministry of the Interior
DenmarkPetersen-Bach
FinlandAutomatia
FranceGendarmerie - OCLDI
GermanyBKA
IrelandAn Garda Siochana
ItalyMIB
LuxembourgService de Police Judiciare
NetherlandsNational Police, ING Bank
PortugalPolicia Judiciare, Policia de Seguranca Publica
South AfricaSABRIC
SpainSpanish National Police, Guardia Civil, Autonomous Police of Catalonia
SwitzerlandFederal Office of Police (FEDPOL)
United KingdomSaferCash/West Midlands Police (ROCU)

Experts from the following organisations also contributed to the meeting:  ATM Safe, Barclays, Cennox, Diebold Nixdorf, Feerica S.A., HSBC, NCR, Oberthur Cash Protection, Professional Witnesses Group, Scotia Security Group, Spinnaker, TMD Security.

EAST EGAP is a European specialist expert forum for discussion of ATM and ATS related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

Countering the ransomware threat

The risks of becoming a victim of a ransomware attack continue to increase as criminals exploit organisational vulnerabilities and typically use spear-phishing emails to target potential victims.  According to Europol cases have been rising alarmingly in the past few months and have brought critical activities such as hospitals and governments to a standstill.

Garmin was a recent victim of a cyber attack that encrypted some of their systems. The alleged ransomware attack is thought to be the work of ‘Evil Corp’, a group of Russian hackers that allegedly mainly targets US corporations.  Garmin services started to go offline on Thursday 23 July 2020 and many of the most popular services, including Garmin Connect and most of the Strava integrations, were unavailable to users over the weekend period.  According to Garmin ‘Affected systems are being restored and we expect to return to normal operation over the next few days.’

To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers. Since its launch four years ago the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries and has stopped an estimated $632 million in ransom demands from ending up in criminals’ pockets.

Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages.  All the key figures can be seen in Europol’s dedicated infographic.

How No More Ransom works

No More Ransom is the first public-private partnership of its kind helping victims of ransomware recover their encrypted data without having to pay the ransom amount to cybercriminals.

To do this, simply go to the website nomoreransom.org and follow the Crypto Sheriff steps to help identify the ransomware strain affecting the device. If a solution is available, a link will be provided to download for free the decryption tool.

Prevention remains the best cure

No More Ransom goes a long way to help people impacted by ransomware, but there are still many types of ransomware out there without a fix. Fortunately, there are some preventative steps you can take to protect yourself from ransomware:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another drive offline, on a memory stick, or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • And if you are a victim, do not pay the ransom!

Do you have an innovative solution for ransomware families not covered yet in the portal to help victims recover their files without giving into the demands of the criminals? If so then Europol would like to hear from you.

What is Ransomware?

The EAST Payments Task Force (EPTF) defines ransomware as ‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’  It is a form of data compromise.  An overview of all EAST Fraud Definitions can be seen here.

Tips and Advice From Europol

 

EFECC launched by Europol

Today Europol launched the new European Financial and Economic Crime Centre (EFECC). The Centre will enhance the operational support provided to the EU Member States and EU bodies in the fields of financial and economic crime and promote the systematic use of financial investigations. The new EFECC has been set up within the current organisational structure of Europol that is already playing an important part in the European response to financial and economic crime and will be staffed with 65 international experts and analysts.

Economic and financial crimes are a highly complex and a significant threat affecting millions of individual EU citizens and thousands of companies in the EU every year. In addition: money laundering and criminal finances are the engines of organised crime, without them criminals would not be able to make use of the illicit profits they generate with the various serious and organised crime activities carried out in the EU. According to previous reports by Europol, 98.9% of estimated criminal profits are not confiscated and remain at the disposal of criminals.

Furthermore, the COVID-19 pandemic in Europe has provided ample evidence that criminals are quick to adapt their criminal schemes to changing conditions to exploit fears and vulnerabilities. Economic stimuli such as those proposed in the wake of the COVID-19 pandemic will be targeted by criminals seeking to defraud public funding. To effectively disrupt and deter criminals involved in serious and organised crime, law enforcement authorities need to follow the money trail as a regular part of their criminal investigations with the objective of seizing criminal profits.

The exponential increase of financial and economic crime and the involvement of organised crime on a large scale, together with the number of requests for operational support from EU Member States, called for an adequate and coordinated European response.

A strategic report published today provides an overview of the most threatening phenomena in the area of economic and financial crime including various types of fraud, the production and distribution of counterfeit goods, money laundering and others.

Europol launched the European Financial and Economic Crime Centre at a press conference at its headquarters, modelled along the lines of similar initiatives such as the European Cybercrime Centre (EC3) the European Counter Terrorism Centre (ECTC), the European Migrant Smuggling Centre (EMSC) and the European Serious Organised Crime Centre (ESOCC) hosted at Europol.

EAST and Europol have worked together in partnership since 2004

Hacker Group ‘InfinityBlack’ taken down

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, have taken down ‘InfinityBlack’, a hacker group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. The hackers created online platforms to sell user login credentials known as ‘combos’. The group was organised into three teams:

  • Developers created tools to test the quality of the stolen databases
  • Testers analysed the suitability of authorisation data.
  • Project managers then distributed subscriptions against cryptocurrency payments.

The hacker group’s main source of revenue came from stealing loyalty scheme login credentials and then selling them on to other, less technical, criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

The hackers created a sophisticated script to gain access to a large number of Swiss customer accounts. Although the losses are estimated at €50,000, the hackers had access to accounts with potential losses of more than €610,000. Fraudsters were spotted when using the stolen data in shops in Switzerland.

Effective Cross-Border Cooperation resulted in arrests

hacker group equipmentOn 29th April 2020, the Polish National Police searched six locations in five Polish regions and arrested five individuals believed to be members of the hacker group. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100,000.  Two platforms with databases containing over 170 million entries were closed down by the police.

Between 30th April and 2nd May 2019, five arrests were made in the Swiss canton of Vaud.  This was as a result of investigative measures taken by specialists from the Cyber Investigation Division (DEC) of the Vaud Cantonal Police.  Once the criminal gang cashing out the loyalty points was identified in Switzerland, police exchanged criminal intelligence and uncovered links to members of the separate hacking group in Poland.

Europol enabled close cooperation between cyber units in Poland and Switzerland through the dedicated network of cyber liaison officers (J-CAT) hosted at Europol’s headquarters. Europol also supported the operation by facilitating information exchange and providing technical and analytical support. Eurojust facilitated the transmission of information between the Public Prosecutor’s Offices in Switzerland and Poland.

How COVID-19 will impact Organised Crime in the EU

COVID-19Europol has just published a new report which assesses the impact of the COVID-19 pandemic on serious and organised crime across three phases:

  1. The Current Situation
  2. The Mid-Term Outlook
  3. The Long Term Impact

For more on the current situation see Europol’s previous reports published in March and April 2020.

During the medium term easing of lockdown measures will see criminal activity return to previous levels featuring the same type of activities as before the pandemic. However, the COVID-19 pandemic is likely to have created new opportunities for criminal activities that will be exploited beyond the end of the current crisis. It is expected that the economic impact of the pandemic and the activities of those seeking to exploit it will only start to become apparent in the mid-term phase and will likely not fully manifest until the longer term. Some of the relevant crime areas are:

  • Anti-money laundering: the pandemic and its economic fallout will exert significant pressure on the financial system and the banking sector. Anti-money laundering regulators must be vigilant and should expect attempts by organised crime groups to exploit a volatile economic situation to launder money using the on-shore financial system.
  • Shell companies: criminals will likely intensify their use of shell companies and companies based in off-shore jurisdictions with weak anti-money laundering policies at the placement stage to receive cash deposits that are later transferred to other jurisdictions.
  • The real estate and construction sectors will become even more attractive for money laundering both in terms of investment and as a justification for the movement of funds.
  • Migrant smuggling: While the economic impact of the COVID-19 crisis in Europe is not yet clear, it is expected that the impact on economies in the developing world is likely to be even more profound. Prolonged economic instability and the sustained lack of opportunities in some African economies may trigger another wave of irregular migration towards the EU in the mid-term.

Looking longer term some predictions are:

  • Organised crime is highly adaptable and has demonstrated the ability to extract long-term gains from crises, such as the end of the cold war or the global economic of 2007 and 2008.
  • Communities, especially vulnerable groups, tend to become more accessible to organised crime during times of crisis. Economic hardship makes communities more receptive to certain offers, such as cheaper counterfeit goods or recruitment to engage in criminal activity.
  • Mafia-type organised crime groups are likely to take advantage of a crisis and persistent economic hardship by recruiting vulnerable young people, engaging in loan-sharking, extortion and racketeering.
  • Organised crime does not occur in isolation and the state of the wider economy plays a key role. A crisis often results in changes in consumer demand for types of goods and services. This will lead to shifts in criminal markets.

Key factors with an impact on crime during and after the COVID-19 pandemic

Several factors have a significant impact on serious and organised crime during the COVID-19 pandemic. These factors shape criminal behaviour and create vulnerabilities. Based on experience gained during prior crises, it is essential to monitor these factors to anticipate developments and pick up on warning signals.

  • Online activities: more people are spending more time online throughout the day for work and leisure during the pandemic, which has increased the attack vectors and surface to launch various types of cyber-attacks, fraud schemes and other activities targeting regular users.
  • Demand for and scarcity of certain goods, especially of healthcare products and equipment, is driving a significant portion of criminals’ activities in counterfeit and substandard goods and fraud.
  • Payment methods: the pandemic is likely to have an impact on payment preferences beyond the duration of the pandemic. With a shift of economic activity to online platforms, cashless transactions are increasing in number, volume and frequency.
  • Economic downturn: A potential economic downturn will fundamentally shape the serious and organised crime landscape. Economic disparity across Europe is making organised crime more socially acceptable as these groups will increasingly infiltrate economically weakened communities to portray themselves as providers of work and services.
  • Rising unemployment and reductions in legitimate investment may present greater opportunities for criminal groups, as individuals and organisations in the private and public sectors are rendered more vulnerable to compromise. Increased social tolerance for counterfeit goods and labour exploitation has the potential to result in unfair competition, higher levels of organised crime infiltration and, ultimately, illicit activity accounting for a larger share of GDP.

To download a full copy of the report visit Europol’s website.

An earlier post on this website covers advice on Cybersecurity awareness during the COVID-19 pandemic

EPTF holds Seventh Meeting

EPTFThe Seventh Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 15th April 2020.  Due to the Covid-19 situation it was conducted as a virtual meeting and 16 EPTF members participated.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.

There was a detailed discussion on the impact of Covid-19 on fraud and updates were provided from Austria, France, Germany, the Netherlands, Norway, Portugal, Spain and the United Kingdom  Updates were also given by Europol, Group-IB and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 213 EAST Associate Member Organisations from 53 countries and territories.

Investment fraud gang taken down in Bulgaria and Serbia

Investment fraudA large criminal network involved in investment fraud, money laundering and social engineering was taken down in an international investigation, launched one year ago. The action day, which took place in Belgrade and Sofia, went ahead on 2 April despite the current lockdown.

Estimated total losses were €80 million and the fraud affected over 1,000 victims in Germany and Austria, as well as people in other countries.  In Austria  it is estimated that 850 victims lost around €2.2 million, while in Germany hundreds of victims suffered estimated losses of about €10 million.

The suspects, believed to be members of a large criminal network, offered bogus investments in trading products such as binary options and contract for differences (CFDs) on online trading platforms.  The investments started at around €250 and Agents from call centres in Bulgaria and Serbia then manipulated the victims to make much higher investments in non-existent trading products including CFDs and forex (foreign exchange currency market).

During the action day Law enforcement authorities from Bulgaria and Serbia carried out 11 house searches and arrested 9 individuals (5 in Serbia and 4 in Bulgaria). Two of the leaders of the criminal network were arrested in Sofia. The seizures include five properties in Serbia, €2.5 million from a bank account in Germany, electronic equipment and other evidential material. 30 other bank accounts were put under surveillance.  

Advisory Group on Financial ServicesEuropol and Eurojust supported the investment fraud investigation, which involved law enforcement and judicial authorities from Austria, Bulgaria, Germany and Serbia.  

Europol facilitated information exchange and provided analytical support, cross-checking operational information in real-time against its databases to provide leads to investigators in the field, and a Joint Investigation Team between Austria and Germany was set up by Eurojust to coordinate judicial matters.

EAST and Europol have worked together since 2004 and EAST provides secure platforms for public/private sector cooperation in the fight against organised criminal groups engaged in financial crime.  Click here for more information on EAST’s law enforcement relationships.

The EAST Payments Task Force (EPTF) has a specific focus on tackling social enginnering  This Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.

COVID-19 – Cybersecurity Awareness

CybersecurityThe coronavirus outbreak is still a rising issue for many countries and related lock-downs have forced many people into teleworking – working at home, while communicating with their office by phone or email, or using the Internet.  This raises cybersecurity concerns.

Malign actors are actively exploiting these new challenging circumstances to target remote workers, businesses and individuals alike.  It is vitally important for everyone to be fully aware of the threats and to ensure that anything transacted over the Internet is done safely and securely.

To help with this awareness Europol has provided ‘Safe Teleworking Tips and Advice’ for both employees and employers, as well as tips on  ‘How To Make Your Home a Cyber Safe Stronghold’ (available for download in 13 languages).

EAST and Europol have worked together since 2004 and EAST provides secure platforms for public/private sector cooperation in the fight against organised criminal groups engaged in financial crime.  Click here for more information on EAST’s law enforcement relationships.

The EAST Payments Task Force (EPTF) has a specific focus on cybersecurity.  This Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.

EAST EGAP holds 13th Meeting in The Hague

The 13th meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Tuesday 3rd March 2020 in The Hague.

EAST EGAP is a European specialist expert forum for discussion of ATM and ATS related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The meeting was chaired by Mr Graham Mott of the LINK Scheme and was attended by key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.  Europol gave a central assessment of the ATM physical attack situation in Europe and National Threat Assessments were shared by representatives from fifteen countries.

A presentation was given by ESTA, the Cash Management Companies Association and an update from the European Central Bank (ECB) was shared.

EAST EGAP, which meets twice each year, enables in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement