EAST EGAP holds 15th Meeting

The 15th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 3rd March 2021.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Graham Mott of  the LINK Scheme.

The meeting was attended by 54 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.

  • Europol gave a central assessment of the ATM physical attack situation in Europe.
  • The ECB gave an update on the latest bank notes in circulation, cash usage statistics, and Intelligent Banknote Neutralisation Systems (IBNS) used in the Euro area.
  • National Threat Assessments were shared by representatives from 17 countries:
CountryUpdate(s) Given By
AustriaCriminal Intelligence Service
BrazilTecBan
FinlandAutomatia / National Bureau of Investigation
FranceGendarmerie - OCLDI
GermanyBKA
GreeceHellenic Police
HungaryNational Bureau of Investigation
IrelandAn Garda Siochana
ItalyMIB
LuxembourgService de Police Judiciare
NetherlandsNational Police
PolandNational Police HQ
PortugalPolicia Judiciare / Policia de Seguranca Publica
RomaniaRomanian Police - CID
SpainGuardia Civil / Autonomous Police of Catalonia
SwitzerlandFederal Office of Police (FEDPOL)
United KingdomSaferCash / West Midlands Police (ROCU)

Experts from the following organisations also particpated in the meeting:  ATM Safe, Barclays, Cennox, Diebold Nixdorf, Feerica S.A., Gunnebo, HSBC, Malta Police Force, NCR, Oberthur Cash Protection, Payment Services Austria (PSA), Petersen-Bach A/S, Professional Witnesses Group,  Spinnaker, Swedish Police, TMD Security.

EAST EGAP is a European specialist expert forum for discussion of ATM,  ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

SIM swapping gang taken down by Police

Ten hackers who stole over $100 million in cryptocurrencies from celebrities and influencers in SIM swapping attacks have been apprehended in an international operation co-ordinated by Europol.

Eight criminals were arrested on 9 February as a result of an international investigation into the series of attacks targeting high-profile victims in the United States. These arrests followed earlier ones in Malta and Belgium of other members belonging to the same criminal network.

The attacks orchestrated by the gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families.  The criminals are believed to have perpetrated the thefts after illegally gaining access to their phones.  The criminals worked together to access the victims’ phone numbers and take control of their apps or accounts by changing the passwords.  This enabled them to steal money, cryptocurrencies and personal information, including contacts synced with online accounts. They also hijacked social media accounts to post content and send messages masquerading as the victim.

SIM SWAPPING

SIM swapping fraud was identified as a rising trend in the latest Europol Internet Organised Crime Threat Assessment. Cybercriminals take over the use of a victim’s phone number by essentially deactivating their SIM and porting the allocated number over to a SIM belonging to a member of the criminal network.  This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques.

SIM swapping

DON’T BE THE NEXT VICTIM

It’s not just celebrities who are under attack.  Anyone with a mobile phone can fall victim to SIM swapping. The above image gives some tips as to how to protect yourself against the threat, and information can also be found on Europol’s dedicated page.

For more advice on how to protect your financial information from such a scam, watch the clip below.

The EAST Payments Task Force (EPTF) focusses on the security of payments and transactions, and SIM swapping falls within its remit.

DarkMarket taken down in international police operation

DarkMarket, the world’s largest illegal marketplace on the dark web, has been taken offline in an international operation led by German police.  As well as Germany, law enforcement agencies from Australia, Denmark, Moldova, Ukraine, the United Kingdom (National Crime Agency), and the USA (DEA, FBI, and IRS) were involved. Europol supported the takedown with specialist operational analysis and coordinated the cross-border collaborative effort of the countries involved.

The Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian citizen (the alleged operator of DarkMarket) near the German-Danish border over the weekend of 9/10 January 2020. The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, supported by the German Federal Criminal Police office (BKA), allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine. The stored data will give investigators new leads to further investigate moderators, sellers, and buyers.

The DarkMarket vendors mainly traded all kinds of drugs and sold counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.

DARKMARKET IN FIGURES:

  • almost 500,000 users;
  • more than 2,400 sellers;
  • over 320,000 transactions;
  • more than 4,650 bitcoin and 12,800 monero transferred (at the current rate, this corresponds to a sum of more than €140 million).

PUBLIC-PRIVATE SECTOR COOPERATION

Europol’s European Cybercrime Centre (EC3) has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy.  This team focusses on:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets.

The EAST Payments Task Force and the EAST Expert Group on All Terminal Fraud work closely with Europol and other law enforcement agencies (national, regional and global).  EAST Global and National Members focus on the reporting of payment and terminal fraud (fraud types, fraud origins and due diligence), for the gathering, collation and dissemination of related information, trends and general statistics across all geographies.

Cybercriminals will leverage AI as an attack vector and an attack surface

A jointly developed new report by Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro looking into current and predicted criminal uses of artificial intelligence (AI) has been released.  It provides law enforcers, policymakers and other organisations with information on existing and potential attacks leveraging AI and recommendations on how to mitigate these risks.

The report concludes that cybercriminals will leverage AI both as an attack vector and an attack surface.  Deep fakes are currently the best-known use of AI as an attack vector.  However, the report warns that new screening technology will be needed in the future to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets.

For example, AI could be used to support:

  • convincing social engineering attacks at scale;
  • document-scraping malware to make attacks more efficient;
  • evasion of image recognition and voice biometrics;
  • ransomware attacks, through intelligent targeting and evasion;
  • data pollution, by identifying blind spots in detection rules.

The paper also warns that AI systems are being developed to enhance the effectiveness of malware and to disrupt anti-malware and facial recognition systems.

The EAST Payments Task Force is focussed on payment issues related to social engineering, malware, ransomware and other cyber threats, and notes that this report is an important step forward in assessing the rapid evolution of cybercrime.

The three organisations make several recommendations to conclude the report:

  • harness the potential of AI technology as a crime-fighting tool to future-proof the cybersecurity industry and policing;
  • continue research to stimulate the development of defensive technology;
  • promote and develop secure AI design frameworks;
  • de-escalate politically loaded rhetoric on the use of AI for cybersecurity purposes;
  • leverage public-private partnerships and establish multidisciplinary expert groups.

For more information and to download the report visit Europol’s website

IOCTA 2020 Published by Europol

IOCTA 2020Europol has published its Internet Organised Crime Threat Assessment for 2020 (IOCTA 2020).   This highlights the dynamic and evolving threats from cybercrime and provides a unique law enforcement focused assessment of emerging challenges and key developments in the space.  The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic.  Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime.  Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

So much has changed since Europol published last year’s IOCTA. The global  pandemic forced the reimagination of our societies and the reinvention of the way we work and live.  During the lockdown, people turned to the Internet for a sense of normality: shopping, working and learning online at a scale never seen before.  The IOCTA 2020 seeks to map the evolving cybercrime threat landscape and understand how law enforcement responds to it.  Although the COVID-19 crisis has shown how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems, some of which are shown below:

CROSS-CUTTING CRIME

  • Social engineering and phishing remain an effective threat to enable other types of cybercrime.  Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.  Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
  • Encryption continues to be a clear feature of an increasing number of services and tools.  One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.  The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

MALWARE REIGNS SUPREME

  • Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance.  While the COVID-19 pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis. Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.  Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.

PAYMENT FRAUD: SIM SWAPPING A NEW TREND

  • SIM swapping, which allows perpetrators to take over accounts, is one of the new trends in IOCTA 2020.  As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.  Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.

CRIMINAL ABUSE OF THE DARK WEB

  • In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year. Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year. OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

EAST EGAP holds 14th Meeting

The 14th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 2nd September 2020.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Graham Mott of  the LINK Scheme.

The meeting was attended by 40 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.

  • Europol gave a central assessment of the ATM physical attack situation in Europe.
  • The ECB gave an update on the latest developments of its Intelligent Banknote Neutralisation (IBNS) Policy.
  • National Threat Assessments were shared by representatives from 15 countries:
CountryUpdate(s) Given By
AustriaPayment Services Austria (PSA)
CroatiaMUP - Ministry of the Interior
DenmarkPetersen-Bach
FinlandAutomatia
FranceGendarmerie - OCLDI
GermanyBKA
IrelandAn Garda Siochana
ItalyMIB
LuxembourgService de Police Judiciare
NetherlandsNational Police, ING Bank
PortugalPolicia Judiciare, Policia de Seguranca Publica
South AfricaSABRIC
SpainSpanish National Police, Guardia Civil, Autonomous Police of Catalonia
SwitzerlandFederal Office of Police (FEDPOL)
United KingdomSaferCash/West Midlands Police (ROCU)

Experts from the following organisations also contributed to the meeting:  ATM Safe, Barclays, Cennox, Diebold Nixdorf, Feerica S.A., HSBC, NCR, Oberthur Cash Protection, Professional Witnesses Group, Scotia Security Group, Spinnaker, TMD Security.

EAST EGAP is a European specialist expert forum for discussion of ATM and ATS related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

Countering the ransomware threat

The risks of becoming a victim of a ransomware attack continue to increase as criminals exploit organisational vulnerabilities and typically use spear-phishing emails to target potential victims.  According to Europol cases have been rising alarmingly in the past few months and have brought critical activities such as hospitals and governments to a standstill.

Garmin was a recent victim of a cyber attack that encrypted some of their systems. The alleged ransomware attack is thought to be the work of ‘Evil Corp’, a group of Russian hackers that allegedly mainly targets US corporations.  Garmin services started to go offline on Thursday 23 July 2020 and many of the most popular services, including Garmin Connect and most of the Strava integrations, were unavailable to users over the weekend period.  According to Garmin ‘Affected systems are being restored and we expect to return to normal operation over the next few days.’

To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers. Since its launch four years ago the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries and has stopped an estimated $632 million in ransom demands from ending up in criminals’ pockets.

Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages.  All the key figures can be seen in Europol’s dedicated infographic.

How No More Ransom works

No More Ransom is the first public-private partnership of its kind helping victims of ransomware recover their encrypted data without having to pay the ransom amount to cybercriminals.

To do this, simply go to the website nomoreransom.org and follow the Crypto Sheriff steps to help identify the ransomware strain affecting the device. If a solution is available, a link will be provided to download for free the decryption tool.

Prevention remains the best cure

No More Ransom goes a long way to help people impacted by ransomware, but there are still many types of ransomware out there without a fix. Fortunately, there are some preventative steps you can take to protect yourself from ransomware:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another drive offline, on a memory stick, or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • And if you are a victim, do not pay the ransom!

Do you have an innovative solution for ransomware families not covered yet in the portal to help victims recover their files without giving into the demands of the criminals? If so then Europol would like to hear from you.

What is Ransomware?

The EAST Payments Task Force (EPTF) defines ransomware as ‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’  It is a form of data compromise.  An overview of all EAST Fraud Definitions can be seen here.

Tips and Advice From Europol

 

EFECC launched by Europol

Today Europol launched the new European Financial and Economic Crime Centre (EFECC). The Centre will enhance the operational support provided to the EU Member States and EU bodies in the fields of financial and economic crime and promote the systematic use of financial investigations. The new EFECC has been set up within the current organisational structure of Europol that is already playing an important part in the European response to financial and economic crime and will be staffed with 65 international experts and analysts.

Economic and financial crimes are a highly complex and a significant threat affecting millions of individual EU citizens and thousands of companies in the EU every year. In addition: money laundering and criminal finances are the engines of organised crime, without them criminals would not be able to make use of the illicit profits they generate with the various serious and organised crime activities carried out in the EU. According to previous reports by Europol, 98.9% of estimated criminal profits are not confiscated and remain at the disposal of criminals.

Furthermore, the COVID-19 pandemic in Europe has provided ample evidence that criminals are quick to adapt their criminal schemes to changing conditions to exploit fears and vulnerabilities. Economic stimuli such as those proposed in the wake of the COVID-19 pandemic will be targeted by criminals seeking to defraud public funding. To effectively disrupt and deter criminals involved in serious and organised crime, law enforcement authorities need to follow the money trail as a regular part of their criminal investigations with the objective of seizing criminal profits.

The exponential increase of financial and economic crime and the involvement of organised crime on a large scale, together with the number of requests for operational support from EU Member States, called for an adequate and coordinated European response.

A strategic report published today provides an overview of the most threatening phenomena in the area of economic and financial crime including various types of fraud, the production and distribution of counterfeit goods, money laundering and others.

Europol launched the European Financial and Economic Crime Centre at a press conference at its headquarters, modelled along the lines of similar initiatives such as the European Cybercrime Centre (EC3) the European Counter Terrorism Centre (ECTC), the European Migrant Smuggling Centre (EMSC) and the European Serious Organised Crime Centre (ESOCC) hosted at Europol.

EAST and Europol have worked together in partnership since 2004

Hacker Group ‘InfinityBlack’ taken down

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, have taken down ‘InfinityBlack’, a hacker group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. The hackers created online platforms to sell user login credentials known as ‘combos’. The group was organised into three teams:

  • Developers created tools to test the quality of the stolen databases
  • Testers analysed the suitability of authorisation data.
  • Project managers then distributed subscriptions against cryptocurrency payments.

The hacker group’s main source of revenue came from stealing loyalty scheme login credentials and then selling them on to other, less technical, criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

The hackers created a sophisticated script to gain access to a large number of Swiss customer accounts. Although the losses are estimated at €50,000, the hackers had access to accounts with potential losses of more than €610,000. Fraudsters were spotted when using the stolen data in shops in Switzerland.

Effective Cross-Border Cooperation resulted in arrests

hacker group equipmentOn 29th April 2020, the Polish National Police searched six locations in five Polish regions and arrested five individuals believed to be members of the hacker group. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100,000.  Two platforms with databases containing over 170 million entries were closed down by the police.

Between 30th April and 2nd May 2019, five arrests were made in the Swiss canton of Vaud.  This was as a result of investigative measures taken by specialists from the Cyber Investigation Division (DEC) of the Vaud Cantonal Police.  Once the criminal gang cashing out the loyalty points was identified in Switzerland, police exchanged criminal intelligence and uncovered links to members of the separate hacking group in Poland.

Europol enabled close cooperation between cyber units in Poland and Switzerland through the dedicated network of cyber liaison officers (J-CAT) hosted at Europol’s headquarters. Europol also supported the operation by facilitating information exchange and providing technical and analytical support. Eurojust facilitated the transmission of information between the Public Prosecutor’s Offices in Switzerland and Poland.

How COVID-19 will impact Organised Crime in the EU

COVID-19Europol has just published a new report which assesses the impact of the COVID-19 pandemic on serious and organised crime across three phases:

  1. The Current Situation
  2. The Mid-Term Outlook
  3. The Long Term Impact

For more on the current situation see Europol’s previous reports published in March and April 2020.

During the medium term easing of lockdown measures will see criminal activity return to previous levels featuring the same type of activities as before the pandemic. However, the COVID-19 pandemic is likely to have created new opportunities for criminal activities that will be exploited beyond the end of the current crisis. It is expected that the economic impact of the pandemic and the activities of those seeking to exploit it will only start to become apparent in the mid-term phase and will likely not fully manifest until the longer term. Some of the relevant crime areas are:

  • Anti-money laundering: the pandemic and its economic fallout will exert significant pressure on the financial system and the banking sector. Anti-money laundering regulators must be vigilant and should expect attempts by organised crime groups to exploit a volatile economic situation to launder money using the on-shore financial system.
  • Shell companies: criminals will likely intensify their use of shell companies and companies based in off-shore jurisdictions with weak anti-money laundering policies at the placement stage to receive cash deposits that are later transferred to other jurisdictions.
  • The real estate and construction sectors will become even more attractive for money laundering both in terms of investment and as a justification for the movement of funds.
  • Migrant smuggling: While the economic impact of the COVID-19 crisis in Europe is not yet clear, it is expected that the impact on economies in the developing world is likely to be even more profound. Prolonged economic instability and the sustained lack of opportunities in some African economies may trigger another wave of irregular migration towards the EU in the mid-term.

Looking longer term some predictions are:

  • Organised crime is highly adaptable and has demonstrated the ability to extract long-term gains from crises, such as the end of the cold war or the global economic of 2007 and 2008.
  • Communities, especially vulnerable groups, tend to become more accessible to organised crime during times of crisis. Economic hardship makes communities more receptive to certain offers, such as cheaper counterfeit goods or recruitment to engage in criminal activity.
  • Mafia-type organised crime groups are likely to take advantage of a crisis and persistent economic hardship by recruiting vulnerable young people, engaging in loan-sharking, extortion and racketeering.
  • Organised crime does not occur in isolation and the state of the wider economy plays a key role. A crisis often results in changes in consumer demand for types of goods and services. This will lead to shifts in criminal markets.

Key factors with an impact on crime during and after the COVID-19 pandemic

Several factors have a significant impact on serious and organised crime during the COVID-19 pandemic. These factors shape criminal behaviour and create vulnerabilities. Based on experience gained during prior crises, it is essential to monitor these factors to anticipate developments and pick up on warning signals.

  • Online activities: more people are spending more time online throughout the day for work and leisure during the pandemic, which has increased the attack vectors and surface to launch various types of cyber-attacks, fraud schemes and other activities targeting regular users.
  • Demand for and scarcity of certain goods, especially of healthcare products and equipment, is driving a significant portion of criminals’ activities in counterfeit and substandard goods and fraud.
  • Payment methods: the pandemic is likely to have an impact on payment preferences beyond the duration of the pandemic. With a shift of economic activity to online platforms, cashless transactions are increasing in number, volume and frequency.
  • Economic downturn: A potential economic downturn will fundamentally shape the serious and organised crime landscape. Economic disparity across Europe is making organised crime more socially acceptable as these groups will increasingly infiltrate economically weakened communities to portray themselves as providers of work and services.
  • Rising unemployment and reductions in legitimate investment may present greater opportunities for criminal groups, as individuals and organisations in the private and public sectors are rendered more vulnerable to compromise. Increased social tolerance for counterfeit goods and labour exploitation has the potential to result in unfair competition, higher levels of organised crime infiltration and, ultimately, illicit activity accounting for a larger share of GDP.

To download a full copy of the report visit Europol’s website.

An earlier post on this website covers advice on Cybersecurity awareness during the COVID-19 pandemic