Europol publishes report on malware-based cyber attacks

Europol has published a spotlight report “Cyber Attacks: The Apex of Crime-as-a-Service”, which sheds light on malware and DDoS attacks and unveils ransomware groups’ business structures as observed by Europol’s operational analysts. The report, which follows Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2023, also outlines the types of criminal structures that are behind cyber-attacks, and how these increasingly professionalised groups are exploiting changes in geopolitics as part of their modi operandi.

This report is the first in a series of Spotlight Reports released by Europol as part of the IOCTA 2023.  Each takes a closer look at emerging trends in a specific area of cybercrime.  Other modules within the IOCTA 2023 look at online fraud and child sexual exploitation.

Key findings of the Report

  • Malware-based cyber attacks remain the most prominent threat to industry;
  • Ransomware affiliate programs have become established as the main form of business organisation for ransomware groups;
  • Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics;
  • The Russian war of aggression against Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets;
  • Initial Access Brokers (IABs), droppers-as-a-service and crypter developers are key enablers utilised in the execution of cyber-attacks;
  • The war of aggression against Ukraine and Russia’s internal politics have uprooted cybercriminals, pushing them to move to other jurisdictions.
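The RDP brute-forcing tactic in the findings above is also one of the easiest to spot in host logs. The following is an added example, not from the Europol report, of that detection in Python: it parses constructed, simplified Windows Security event lines (Event ID 4625 failed logon, 4624 successful logon, LogonType 10 for RemoteInteractive, i.e. RDP; the one-line key=value format and the sample data are inventions for this example, real exports carry more fields) and flags a source address that fails a threshold number of logons within a sliding window, escalating when the same source later succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified Windows Security log export.
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# The format and addresses are invented for this example.
SAMPLE_LOG = """\
2023-09-12T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Status=0xC000006D
2023-09-12T02:14:03Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.45 Status=0xC000006D
2023-09-12T02:14:05Z EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.45 Status=0xC000006D
2023-09-12T02:14:07Z EventID=4625 LogonType=10 TargetUser=svc_sql SrcIP=203.0.113.45 Status=0xC000006D
2023-09-12T02:14:09Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Status=0xC000006D
2023-09-12T02:14:11Z EventID=4624 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Status=0x0
2023-09-12T08:30:00Z EventID=4625 LogonType=10 TargetUser=j.smith SrcIP=198.51.100.7 Status=0xC000006A
2023-09-12T08:30:40Z EventID=4624 LogonType=10 TargetUser=j.smith SrcIP=198.51.100.7 Status=0x0
2023-09-12T09:00:00Z EventID=4625 LogonType=2 TargetUser=j.smith SrcIP=- Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)"
)


def parse(log_text):
    """Turn the simplified log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          logon_types=(10,)):
    """Return {src_ip: details} for sources with >= threshold failed logons of the
    given types inside one sliding window. 'success_after' marks a later
    successful logon from the same source, which is the alert to escalate first."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] not in logon_types or e["ip"] == "-":
            continue
        if e["eid"] == 4625:
            failures[e["ip"]].append(e)
        elif e["eid"] == 4624:
            successes[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window` of time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]["ts"]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "usernames": sorted({f["user"] for f in fails[start:end + 1]}),
                    "success_after": any(t > last_fail for t in successes[ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

One caveat worth building in: when Network Level Authentication is enabled, a failed RDP attempt is commonly recorded on the target as a LogonType 3 (network) 4625 rather than LogonType 10, so production logic should pass logon_types=(3, 10) or key on the RDP port in the event's network fields. A successful 4624 after the burst is the case to escalate first, because it means the spray found a valid credential.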

Europol’s response to Cybercrime

Europol provides dedicated support for cybercrime investigations in the EU and thus helps protect European citizens, businesses and governments from online crime.  Europol offers operational, strategic, analytical and forensic support to Member States’ investigations, including malware analysis, cryptocurrency-tracing training for investigators, and tool development projects.  Based in Europol’s European Cybercrime Centre (EC3), the Analysis Project Cyborg focuses on the threat of cyber-attacks and supports international investigations and operations into cyber criminality affecting critical computer and network infrastructures in the EU.

EAST response to Cybercrime

EAST focusses on tackling cybercrime through two of its Expert Groups – the EAST Expert Group on Payment and Transaction Fraud (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).

Police take down Qakbot malware infrastructure

The Qakbot malware infrastructure has been taken down by an international Police operation, supported by Europol.  The operation led to the seizure of nearly €8 million in cryptocurrencies and the investigation was also supported by Eurojust and judicial and law enforcement authorities from France, Germany, Latvia, the Netherlands, Romania, the United Kingdom, and the United States. Over 700,000 computers were infected worldwide and law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa.

Qakbot, operated by a group of organised cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.  The below image shows how the criminals worked.

Background

Qakbot (also known as QBot or Pinkslipbot) has been active since 2007. The malware has evolved over time, using different techniques to infect users and compromise systems. Victims’ computers were infiltrated through spam emails containing malicious attachments or hyperlinks. Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware. Additionally, the infected computer became part of a botnet (a network of compromised computers) simultaneously controlled by the cybercriminals, usually without the knowledge of the victims.

However, Qakbot’s primary focus was on stealing financial data and login credentials from web browsers. A number of ransomware groups used Qakbot to carry out a large number of ransomware attacks on critical infrastructure and businesses. The administrators of the botnet provided these groups with access to the infected networks for a fee. The investigation suggests that between October 2021 and April 2023, the administrators received ransom payments of nearly €54 million from victims.

International Police Liaison and Coordination

Over the course of the investigation, Europol facilitated the information exchange between participating agencies, supported the coordination of operational activities, and funded operational meetings. Europol also provided analytical support linking available data to various criminal cases within and outside the EU.  The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation.  This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved.  The Agency hosted a coordination meeting in July 2023 to facilitate evidence sharing and to prepare for this joint operation.

National & Global Fraud Intelligence sharing – 2nd EAST Global Congress

The 2nd EAST Global Congress took place on Wednesday 5th October 2022 in London as a hybrid meeting, with some delegates participating online. The event was hosted by the LINK Scheme.

The meeting was chaired by Veronica Borgogna from Worldline and the key focus was on the sharing of payment and terminal fraud intelligence (global, regional, national).

Law enforcement overviews were provided by Europol’s European Cybercrime Centre (EC3) on various fraud types, and the Gulf Cooperation Council Police (GCCPOL) on technological and non-technological fraud trends.

Private sector fraud intelligence updates were received from 25 countries, either directly or via regional/global updates by HSBC and Worldline.  Regional Updates were also provided for ASP, LATAM, and MENA.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains the key issue, and discussions also took place on a new fraud modus operandi now affecting four countries.

Updates were also given by the Chairs of the three EAST Expert Groups:

EAST Fraud Update 3-2022 will be produced early next month, based on the country updates provided at the EAST Global Congress.  EAST Fraud, Payment, and Physical Attack Alerts are available on the EAST Intranet to EAST Members.

The 3rd EAST Global Congress, scheduled for 8th February 2023, will also be held as a Hybrid Meeting.

EAST EGAF holds 27th Meeting in Amsterdam

The 27th Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 14th September 2022 at ING Bank in Amsterdam. The hybrid meeting was chaired by Otto de Jong from ING Bank.

It was attended by 23 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts. 9 people were in the room and there were 14 virtual participants.

Experts from the following organisations contributed to the meeting: Atruvia AG, Bits A/S, BKA, BVK, Cennox, Damage Control, Diebold Nixdorf, Europol, Group-IB, ING Bank, KAL, Mastercard, NatWest Group, NCR, PSA, TietoEVRY, and TMD Security.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Discussion at the meeting focussed on follow-up to two EAST Fraud Alerts relating to Active Shimmer (Wedge) / Relay attacks, and presentations were also made on ATM black box attacks, on PCI DSS 4.0 (new requirements relating to e-commerce) and on Transaction Reversal Fraud.

EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 272 Fraud Alerts have been issued as can be seen in the table below.

EAST EGAF holds 26th Meeting in Amsterdam

The 26th Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 11th May 2022 at ING Bank in Amsterdam.  This was the first in-person EGAF meeting since January 2020.  The hybrid meeting was chaired by Otto de Jong from ING Bank.

It was attended by 26 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts. 10 people were in the room and there were 16 virtual participants.

Experts from the following organisations contributed to the meeting: Atruvia AG, Bits A/S, BKA, BVK, Cartes Bancaires (CB), Cennox, Damage Control, Diebold Nixdorf, Europol, Gendarmerie Nationale (IRCGN), GMV, Group-IB, INTERPOL, LINK Scheme, Mastercard, NatWest Group, NCR, Polish Bank Association, PSA, Swedish National Anti-Fraud Centre, TietoEVRY, TMD Security, and Worldline.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National and Global Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Data Compromise and other issues relating to terminal fraud.

Discussion at the meeting focussed on two recent EAST Fraud Alerts relating to Active Shimmer (Wedge) / Relay attacks.

EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 270 Fraud Alerts have been issued as can be seen in the table below.

VPN used by Cybercriminals taken down

A joint action by Europol and 10 countries against the criminal misuse of VPN services targeted the users and infrastructure of VPNLab.net. This resulted in the takedown of 15 servers. The VPN service aimed to offer shielded communications and Internet access, and was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.

Coordinated disruptive actions took place on 17 January 2022 in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective Cybercrime – Attacks Against Information Systems.

VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption (in OpenVPN terms a key length for the RSA certificates and Diffie-Hellman parameters, not the strength of the traffic cipher) to provide online anonymity for as little as USD 60 per year. The service also provided double VPN, with servers located in many different countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.

Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. At the same time, investigators found that the service was advertised on the dark web.

As a result of the investigation, over one hundred businesses have been identified as at risk of cyberattacks.  Law enforcement is working directly with these potential victims to mitigate their exposure.

Europol’s European Cybercrime Centre (EC3) provided support for the action day through its Analysis Project ‘CYBORG’, which organised more than 60 coordination meetings and 3 in-person workshops, as well as providing analytical and forensic support.

The following authorities took part in this operation:

  • Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office
  • Netherlands: The Dutch National Hi-Tech Crime Unit
  • Canada: Royal Canadian Mounted Police, Federal Policing
  • Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
  • France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
  • Hungary: RSSPS National Bureau of Investigation Cybercrime Department
  • Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
  • Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
  • United Kingdom: The National Crime Agency
  • United States: Federal Bureau of Investigation
  • Eurojust
  • Europol: European Cybercrime Centre (EC3)

Moroccan police arrest suspected cybercriminal after INTERPOL probe

An alleged prolific cybercriminal has been apprehended in Morocco following a joint two-year investigation by INTERPOL, the Moroccan police and Group-IB. Acting under the signature name of ‘Dr Hex’, the suspect is believed to have targeted thousands of unsuspecting victims over several years through global phishing, fraud and carding activities involving credit card fraud. He is also accused of defacing numerous websites by modifying their appearance and content, and of targeting French-speaking communications companies, multiple banks and multinational companies with malware campaigns. He is further alleged to have helped develop carding and phishing kits, which were then sold to other individuals through online forums so that they could run similar malicious campaigns against victims. These kits were used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain; the losses of individuals and companies were then published online to advertise these malicious services.

Under Operation Lyrebird, INTERPOL’s Cybercrime Directorate worked closely with Group-IB and with Moroccan Police, via the INTERPOL National Central Bureau, in Rabat to eventually locate and apprehend the individual, who remains under investigation.  INTERPOL Executive Director of Police Services Stephen Kavanagh said: “This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide. The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”

Group-IB determined that the suspect was involved in attacks on 134 websites from 2009-2018, leaving behind his signature name on web pages. Group-IB’s participation in the operation came under Project Gateway, an initiative which facilitates cooperation and information sharing between INTERPOL and private sector partners.

In May 2021 INTERPOL launched a new cyber operations desk to boost the capacity of 49 African countries to fight cybercrime. The Africa desk will help shape a regional strategy to drive intelligence-led coordinated actions against cybercriminals and support joint operations such as Lyrebird.

At a time of increasing cyber threats, members of the public, businesses and organisations are reminded to protect themselves from phishing attempts by following the advice showcased in INTERPOL’s #WashYourCyberHands and #OnlineCrimeIsRealCrime campaigns.

The EAST Payments Task Force (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud.

National & Global Fraud Intelligence sharing – 4th Interim EAST Meeting

A fourth Interim Meeting of EAST National and Global Members took place on Wednesday 9th June 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Graham Mott from the LINK Scheme. The key focus was on the sharing of global, regional and national payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), the United States Secret Service (USSS) and INTERPOL. Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe. The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries, focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS presentation covered US Fraud Trends (2020/2021), along with prevention/detection techniques, and the INTERPOL presentation covered recent issues relating to financial crimes, money laundering, and asset tracing.

Private sector fraud intelligence updates were received from 31 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, continues to be the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 2-2021 will be produced during July, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 6th October 2021, will also be a virtual Interim meeting. The 1st EAST Global Congress is now scheduled to be held in February 2022, dependent on the prevailing status of the Covid-19 pandemic.

3rd Interim EAST Meeting – National and Global Members

A third Interim Meeting of EAST National and Global Members took place on Wednesday 10th February 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Martine Hemmerijckx from Worldline.

Law enforcement overviews were provided by Europol and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries – it focussed on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim).

Updates were received from 26 countries, either directly or via a global update by Worldline.  Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  A key issue, highlighted by most of the countries, is the importance of raising consumer awareness to counter the rising threats related to social engineering.

EAST Fraud Update 1-2021 will be produced during March, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 9th June 2021, will also be a virtual Interim meeting. The 1st EAST Global Congress is now scheduled to be held in October 2021, dependent on the prevailing status of the Covid-19 pandemic.

International operation takes down EMOTET Malware

Law enforcement and judicial authorities have gained control of the EMOTET infrastructure and taken it down from the inside in an internationally coordinated action. Authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine took part, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

The EMOTET infrastructure involved several hundred servers across the world, all of which had different functionalities – this allowed the criminals to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts. An effective international operational strategy resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.  This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.

ABOUT EMOTET

EMOTET has been one of the most professional and long-lasting cybercrime services out there and is one of the most dangerous malware types. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, it was sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.

Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments.  A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19.  All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.
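Both Qakbot (see Background above) and EMOTET arrived as malicious e-mail attachments, and the EMOTET chain depended on the victim enabling macros in a Word document. The following is an added example, not code from Europol or from this page, of the attachment triage a mail gateway can do for the modern OOXML container (.docx/.docm): it builds a constructed, minimal Word package in memory, then inspects the zip for a VBA project part and for macro-enabled content types, and flags a file whose extension claims to be macro-free while it carries VBA. The package contents, file names and the stub vbaProject.bin bytes are inventions for the demo; the content-type strings are the standard Office values.

```python
import io
import zipfile

# Standard OOXML content types that mark a package as macro-enabled, and the
# type of the VBA project part itself.
MACRO_ENABLED_MAIN_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-excel.template.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that must never carry VBA; VBA behind one of these is an evasion signal.
MACRO_FREE_EXTS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def inspect_attachment(filename, data):
    """Triage one attachment. Verdicts: 'not-ooxml', 'allow', 'review'
    (macro-enabled main part but no VBA project found) or 'block' (VBA present)."""
    report = {"filename": filename, "ooxml": False, "has_vba": False,
              "macro_enabled": False, "ext_mismatch": False,
              "evidence": [], "verdict": "not-ooxml"}
    if not data.startswith(b"PK\x03\x04"):          # OOXML is a zip container
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return report                                 # a zip, but not an Office package
    report["ooxml"] = True
    # 1. The VBA project is a binary part; its name is only conventional, so also
    #    check the content-type map, which is what Office trusts.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        report["has_vba"] = True
        report["evidence"].append("part:" + vba_parts[0])
    if VBA_PROJECT_TYPE in content_types:
        report["has_vba"] = True
        report["evidence"].append("content-type:" + VBA_PROJECT_TYPE)
    # 2. The main part's type says whether Office treats the file as .docm/.xlsm.
    for ct in MACRO_ENABLED_MAIN_TYPES:
        if ct in content_types:
            report["macro_enabled"] = True
            report["evidence"].append("content-type:" + ct)
    # 3. VBA behind a macro-free extension is an attempt to look harmless.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if report["has_vba"] and ext in MACRO_FREE_EXTS:
        report["ext_mismatch"] = True
    if report["has_vba"]:
        report["verdict"] = "block"
    elif report["macro_enabled"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "allow"
    return report


def build_sample_docx(with_vba):
    """Constructed minimal Word package for the demo (not a real lure): the
    content-type map, a stub document part and, optionally, a stub VBA part."""
    main_ct = (MACRO_ENABLED_MAIN_TYPES[0] if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct]
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                         % VBA_PROJECT_TYPE)
    types_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>'
                 + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real vbaProject.bin is an OLE compound file; a header stub is enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_docx(True)),
                       ("invoice.docx", build_sample_docx(True)),   # renamed to hide macros
                       ("invoice.docx", build_sample_docx(False))]:
        r = inspect_attachment(name, blob)
        print(name, r["verdict"], "ext_mismatch=%s" % r["ext_mismatch"], r["evidence"])
```

This covers only the zip-based OOXML formats. Many EMOTET lures were legacy binary .doc files (OLE compound documents), whose VBA streams live inside the OLE container and need an OLE parser; olevba from the oletools project is the usual choice for those and also reports auto-execute keywords such as AutoOpen.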

What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim’s computer. This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world, as other malware operators like TrickBot and Ryuk have benefited from it. Its way of infecting networks by spreading laterally after gaining access to just a few devices made it one of the most resilient malware families in the wild.

EMOTET overview (infographic)

For more information on the operation, and on how to protect yourself against loaders, visit Europol’s website.