EAST EGAF holds 26th Meeting in Amsterdam

The 26th Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 11th May 2022 at ING Bank in Amsterdam.  This was the first in-person EGAF meeting since January 2020.  The hybrid meeting was chaired by Otto de Jong from ING Bank.

It was attended by 26 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts. 10 people were in the room and there were 16 virtual participants.

Experts from the following organisations contributed to the meeting: Atruvia AG, Bits A/S, BKA, BVK, Cartes Bancaires (CB), Cennox, Damage Control, Diebold Nixdorf, Europol, Gendarmerie Nationale (IRCGN), GMV, Group-IB, INTERPOL, LINK Scheme, Mastercard, NatWest Group, NCR, Polish Bank Association, PSA, Swedish National Anti-Fraud Centre, TietoEVRY, TMD Security, and Worldline.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Discussion at the meeting focussed on two recent EAST Fraud Alerts relating to Active Shimmer (Wedge) / Relay attacks.

EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 270 Fraud Alerts have been issued as can be seen in the table below.

VPN used by Cybercriminals taken down

A joint action by Europol and 10 countries against the criminal misuse of VPN services, targeted the users and infrastructure of VPNLab.net.  This resulted in the take down of 15 servers.  The VPN service aimed to offer shielded communications and Internet access, and was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.

VPNCoordinated disruptive actions took place on 17 January 2022 in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.  Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective Cybercrime – Attacks Against Information Systems.

VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as USD 60 per year.  The service also provided double VPN, with servers located in many different countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.

Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution.  Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.  At the same time, investigators found the service advertised its services on the dark web.

As a result of the investigation, over one hundred businesses have been identified as at risk of cyberattacks.  Law enforcement is working directly with these potential victims to mitigate their exposure.

Europol’s European Cybercrime Centre (EC3)Money Mule Action provided support for the action day through its Analysis Project ‘CYBORG’, which organised more than 60 coordination meetings and 3 in-person workshops, as well as providing analytical and forensic support.

The following authorities took part in this operation:

  • Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office
  • Netherlands: The Dutch National Hi-Tech Crime Unit
  • Canada: Royal Canadian Mounted Police, Federal Policing
  • Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
  • France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
  • Hungary: RSSPS National Bureau of Investigation Cybercrime Department
  • Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
  • Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
  • United Kingdom: The National Crime Agency
  • United States: Federal Bureau of Investigation
  • Eurojust
  • Europol: European Cybercrime Centre (EC3)

Moroccan police arrest suspected cybercriminal after INTERPOL probe

An alleged prolific cybercriminal has been apprehended in Morocco following a joint two-year investigation by INTERPOL, the Moroccan police and Group-IB.  Acting under the signature name of ‘Dr Hex’, the suspect is believed to have targeted thousands of unsuspecting victims over several years through global phishing, fraud, and carding activities involving credit card fraud.  He is also accused of defacing numerous websites by modifying their appearance and content, and targeting French-speaking communications companies, multiple banks and multinational companies with malware campaigns, and is alleged to have helped develop carding and phishing kits, which were then sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims.  These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain – the losses of individuals and companies were then published online in order to advertise these malicious services.

Under Operation Lyrebird, INTERPOL’s Cybercrime Directorate worked closely with Group-IB and with Moroccan Police, via the INTERPOL National Central Bureau, in Rabat to eventually locate and apprehend the individual, who remains under investigation.  INTERPOL Executive Director of Police Services Stephen Kavanagh said: “This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide. The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”

Group-IB determined that the suspect was involved in attacks on 134 websites from 2009-2018, leaving behind his signature name on web pages.  Its participation in the operation came under Project Gateway, an initiative which facilitates cooperation and information sharing between INTERPOL and private sector partners.

In May 2021 INTERPOL launched a new cyber operations desk to boost the capacity of 49 African countries to fight cybercrime. The Africa desk will help shape a regional strategy to drive intelligence-led coordinated actions against cybercriminals and support joint operations such as Lyrebird.

At a time of increasing cyber threats, members of the public, businesses and organisations are reminded to protect themselves from phishing attempts by following the advice showcased in INTERPOL’s #WashYourCyberHands and #OnlineCrimeIsRealCrime campaigns.

The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud.

National & Global Fraud Intelligence sharing – 4th Interim EAST Meeting

A fourth Interim Meeting of EAST National and Global Members took place on Wednesday 9th June 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Graham Mott from the LINK Scheme.  The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), the United States Secret Service (USSS) and INTERPOL.  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim. The USSS presentation covered US Fraud Trends (2020/2021), along with prevention/detection techniques, and the INTERPOL presentation covered recent issues relating to financial crimes, money laundering, and asset tracing.

Private sector fraud intelligence updates were received from 31 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, continues to be the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 2-2021 will be produced during July, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 6th October 2021, will also be a virtual Interim meeting.  The 1st EAST Global Congress is now scheduled to be held in February 2022, dependant on the prevailing status of the Covid-19 pandemic.

3rd Interim EAST Meeting – National and Global Members

A third Interim Meeting of EAST National and Global Members took place on Wednesday 10th February 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Martine Hemmerijckx from Worldline.

Law enforcement overviews were provided by Europol and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries – it focussed on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim).

Updates were received from 26 countries, either directly or via a global update by Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, is the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 1-2021 will be produced during March, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 9th June 2021, will also be a virtual Interim meeting.  The 1st EAST Global Congress is now scheduled to be held in October 2021, dependant on the prevailing status of the Covid-19 pandemic.

International operation takes down EMOTET Malware

Law enforcement and judicial authorities have gained control of the EMOTET infrastructure and taken it down from the inside in an international coordinated action.  Authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine too part, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

The EMOTET infrastructure involved several hundred servers across the world, all of which had different functionalities – this allowed the criminals to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts. An effective international operational strategy resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.  This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.

ABOUT EMOTET

EMOTET has been one of the most professional and long lasting cybercrime services out there and is one of the most dangerous malware types. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware.

Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments.  A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19.  All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.

What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer. This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.  Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.

OVERVIEW

EMOTET

For more information on the operation, and on how protect yourself against loaders, visit Europol’s website.

 

DarkMarket taken down in international police operation

DarkMarket, the world’s largest illegal marketplace on the dark web, has been taken offline in an international operation led by German police.  As well as Germany, law enforcement agencies from Australia, Denmark, Moldova, Ukraine, the United Kingdom (National Crime Agency), and the USA (DEA, FBI, and IRS) were involved. Europol supported the takedown with specialist operational analysis and coordinated the cross-border collaborative effort of the countries involved.

The Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian citizen (the alleged operator of DarkMarket) near the German-Danish border over the weekend of 9/10 January 2020. The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, supported by the German Federal Criminal Police office (BKA), allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine. The stored data will give investigators new leads to further investigate moderators, sellers, and buyers.

The DarkMarket vendors mainly traded all kinds of drugs and sold counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.

DARKMARKET IN FIGURES:

  • almost 500,000 users;
  • more than 2,400 sellers;
  • over 320,000 transactions;
  • more than 4,650 bitcoin and 12,800 monero transferred (at the current rate, this corresponds to a sum of more than €140 million).

PUBLIC-PRIVATE SECTOR COOPERATION

Europol’s European Cybercrime Centre (EC3) has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy.  This team focusses on:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets.

The EAST Payments Task Force and the EAST Expert Group on All Terminal Fraud work closely with Europol and other law enforcement agencies (national, regional and global).  EAST Global and National Members focus on the reporting of payment and terminal fraud (fraud types, fraud origins and due diligence), for the gathering, collation and dissemination of related information, trends and general statistics across all geographies.

Cybercriminals will leverage AI as an attack vector and an attack surface

A jointly developed new report by Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro looking into current and predicted criminal uses of artificial intelligence (AI) has been released.  It provides law enforcers, policymakers and other organisations with information on existing and potential attacks leveraging AI and recommendations on how to mitigate these risks.

The report concludes that cybercriminals will leverage AI both as an attack vector and an attack surface.  Deep fakes are currently the best-known use of AI as an attack vector.  However, the report warns that new screening technology will be needed in the future to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets.

For example, AI could be used to support:

  • convincing social engineering attacks at scale;
  • document-scraping malware to make attacks more efficient;
  • evasion of image recognition and voice biometrics;
  • ransomware attacks, through intelligent targeting and evasion;
  • data pollution, by identifying blind spots in detection rules.

The paper also warns that AI systems are being developed to enhance the effectiveness of malware and to disrupt anti-malware and facial recognition systems.

The EAST Payments Task Force is focussed on payment issues related to social engineering, malware, ransomware and other cyber threats, and notes that this report is an important step forward in assessing the rapid evolution of cybercrime.

The three organisations make several recommendations to conclude the report:

  • harness the potential of AI technology as a crime-fighting tool to future-proof the cybersecurity industry and policing;
  • continue research to stimulate the development of defensive technology;
  • promote and develop secure AI design frameworks;
  • de-escalate politically loaded rhetoric on the use of AI for cybersecurity purposes;
  • leverage public-private partnerships and establish multidisciplinary expert groups.

For more information and to download the report visit Europol’s website

Corporate Network Attacks

Corporate Network AttacksIn August 2020 EAST published Central/Host Fraud definitions which cover corporate attacks against central infrastructure like banking host systems in order to perform different Modus Operandi not directly connected to a Terminal.  These definitions were produced by the EAST Expert Group on All Terminal Fraud (EGAF).

The compromise of a corporate network is the first step with these types of incidents.  This can be done by external attackers as well as by internal employees of the institution.  Attackers typically try to get access to this critical infrastructure, enabling the three different Corporate Networks Attacks shown below.

  • Card Processing
  • Fund Transfer
  • Remote Malware Distribution and Control

The third one relates to control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM specific malware.  The different malware Modus Operandi actually used within the corporate network attack can be Jackpotting (also known as ATM Cash-out), Man-in-the-Middle (MITM) and SW-Skimming.  These are described in EAST’s Terminal Fraud Definitions.

In October 2020 The PCI Security Standards Council (PCI SSC) released a bulletin ‘The Threat Of ATM Cash-Outs Payment Security’.

EAST Executive Director Lachlan Gunn speaks to Jeremy King, the PCI SSC Regional Head for Europe and Otto de Jong, Chair of EAST EGAF and DBNL Anti-Fraud Officer for ING.

Lachlan Gunn:  Thank you both for agreeing to speak today on this key issue.

Why did EAST produce Central/Host Fraud Definitions?

Otto de Jong:  It is vital that the way that corporate network attacks are described is consistent to allow law enforcement and industry responders to accurately report what they are seeing in a way that allows for standardisation of reporting.  This optimises the ability of organisations to mitigate and defend against the evolving threats and helps law enforcement when conducting follow up investigations to such crimes.  The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment terminal fraud.  The INTERPOL Financial Crimes Unit is recommending the usage of EAST definitions for Payment Card Fraud, and we hope that other law enforcement agencies will do the same.

Why did the PCI Security Standards Council issue an industry threat bulletin on ATM Cash-outs?

Jeremy King: We have heard from many of our stakeholders in the European payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA who’s industry is well aware of these daily threats.

Otto de Jong:  This is indeed timely.  The most recent EAST Payment Terminal Crime Report shows that ‘cash-out’ through black box attacks is a growing threat.  ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks.

What businesses are at risk of this devious attack?

Jeremy King: Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple countries throughout Europe and around the world as the result of this highly organised, well-orchestrated criminal attack.

Otto de Jong: In addition to financial institutions and payment processors, recent corporate network attacks have demonstrated that this is also a threat to key infrastructure companies like utility companies, universities, hospitals and so on.   This year the corporate network attack threat is evolving from targeting the payment system (cash out or swift transactions) to ransomware attacks (bitcoins).

What are some detection best practices to detect these threats before they can cause damage?

Jeremy King: Since ATM ‘cash-out’ attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools

Otto de Jong: Monitoring systems can also be compromised.  Checking of related monitoring mechanisms, such as globally operated by card schemes, can be helpful to identify this kind of attack.

What are some prevention best practices to stop this attack from happening in the first place?

Jeremy King: The best protection to mitigate against ATM ‘cash-outs’ is to adopt a layered defence that includes people, processes, and technology. Some recommendations to prevent ATM ‘cash-outs’ include:

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS

Otto de Jong: In addition, every institution with an IT infrastructure should perform a threat risk assessment to spot weakness in their system.  This should be evaluated on an annual basis.  Performing penetration tests annually by independent assessors must be part of such an assessment.

Lachlan Gunn:  That concludes the Q&A session.  Many thanks again to you both.  Hopefully this will help to further raise awareness of the risks posed by corporate network attacks, what can be done to detect them, how to protect against them and also how to classify attacks to allow for accurate reporting and follow up by law enforcement and the industry.

IOCTA 2020 Published by Europol

IOCTA 2020Europol has published its Internet Organised Crime Threat Assessment for 2020 (IOCTA 2020).   This highlights the dynamic and evolving threats from cybercrime and provides a unique law enforcement focused assessment of emerging challenges and key developments in the space.  The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic.  Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime.  Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

So much has changed since Europol published last year’s IOCTA. The global  pandemic forced the reimagination of our societies and the reinvention of the way we work and live.  During the lockdown, people turned to the Internet for a sense of normality: shopping, working and learning online at a scale never seen before.  The IOCTA 2020 seeks to map the evolving cybercrime threat landscape and understand how law enforcement responds to it.  Although the COVID-19 crisis has shown how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems, some of which are shown below:

CROSS-CUTTING CRIME

  • Social engineering and phishing remain an effective threat to enable other types of cybercrime.  Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.  Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
  • Encryption continues to be a clear feature of an increasing number of services and tools.  One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.  The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

MALWARE REIGNS SUPREME

  • Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance.  While the COVID-19 pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis. Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.  Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.

PAYMENT FRAUD: SIM SWAPPING A NEW TREND

  • SIM swapping, which allows perpetrators to take over accounts, is one of the new trends in IOCTA 2020.  As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.  Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.

CRIMINAL ABUSE OF THE DARK WEB

  • In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year. Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year. OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.