2nd Interim EAST Meeting – National and Global Members

A second Interim Meeting of EAST National and Global Members took place on Wednesday 7th October 2020. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Rui Carvalho, EAST Development Director.  The 1st EAST Global Congress is now scheduled to be held in February 2021, dependant on the prevailing status of the pandemic.

Law enforcement overviews were provided by EuropolINTERPOL and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered the recent publication of their Internet Organised Crime Threat Assessment (IOCTA 2020), focussed on criminal trends relating to Covid-19, and prevention and awareness; the other covered Physical ATM attacks across Europe.  The INTERPOL presentation covered the impact of Covid-19 on Financial crimes from the global perspective and the GCCPOL presentation covered payment and fraud issues seen by their 6 member countries.

Updates were received from 28 countries, either directly or via a global update by HSBC. As with the previous meeting, the key focus remained on the impact of the coronavirus crisis and each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).

EAST Fraud Update 3-2020 will be produced during October, based on the country updates provided at the Interim EAST Meeting. EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

IOCTA 2020 Published by Europol

IOCTA 2020Europol has published its Internet Organised Crime Threat Assessment for 2020 (IOCTA 2020).   This highlights the dynamic and evolving threats from cybercrime and provides a unique law enforcement focused assessment of emerging challenges and key developments in the space.  The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic.  Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime.  Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

So much has changed since Europol published last year’s IOCTA. The global  pandemic forced the reimagination of our societies and the reinvention of the way we work and live.  During the lockdown, people turned to the Internet for a sense of normality: shopping, working and learning online at a scale never seen before.  The IOCTA 2020 seeks to map the evolving cybercrime threat landscape and understand how law enforcement responds to it.  Although the COVID-19 crisis has shown how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems, some of which are shown below:

CROSS-CUTTING CRIME

  • Social engineering and phishing remain an effective threat to enable other types of cybercrime.  Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.  Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
  • Encryption continues to be a clear feature of an increasing number of services and tools.  One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.  The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

MALWARE REIGNS SUPREME

  • Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance.  While the COVID-19 pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis. Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.  Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.

PAYMENT FRAUD: SIM SWAPPING A NEW TREND

  • SIM swapping, which allows perpetrators to take over accounts, is one of the new trends in IOCTA 2020.  As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.  Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.

CRIMINAL ABUSE OF THE DARK WEB

  • In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year. Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year. OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

Countering the ransomware threat

The risks of becoming a victim of a ransomware attack continue to increase as criminals exploit organisational vulnerabilities and typically use spear-phishing emails to target potential victims.  According to Europol cases have been rising alarmingly in the past few months and have brought critical activities such as hospitals and governments to a standstill.

Garmin was a recent victim of a cyber attack that encrypted some of their systems. The alleged ransomware attack is thought to be the work of ‘Evil Corp’, a group of Russian hackers that allegedly mainly targets US corporations.  Garmin services started to go offline on Thursday 23 July 2020 and many of the most popular services, including Garmin Connect and most of the Strava integrations, were unavailable to users over the weekend period.  According to Garmin ‘Affected systems are being restored and we expect to return to normal operation over the next few days.’

To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers. Since its launch four years ago the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries and has stopped an estimated $632 million in ransom demands from ending up in criminals’ pockets.

Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages.  All the key figures can be seen in Europol’s dedicated infographic.

How No More Ransom works

No More Ransom is the first public-private partnership of its kind helping victims of ransomware recover their encrypted data without having to pay the ransom amount to cybercriminals.

To do this, simply go to the website nomoreransom.org and follow the Crypto Sheriff steps to help identify the ransomware strain affecting the device. If a solution is available, a link will be provided to download for free the decryption tool.

Prevention remains the best cure

No More Ransom goes a long way to help people impacted by ransomware, but there are still many types of ransomware out there without a fix. Fortunately, there are some preventative steps you can take to protect yourself from ransomware:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another drive offline, on a memory stick, or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • And if you are a victim, do not pay the ransom!

Do you have an innovative solution for ransomware families not covered yet in the portal to help victims recover their files without giving into the demands of the criminals? If so then Europol would like to hear from you.

What is Ransomware?

The EAST Payments Task Force (EPTF) defines ransomware as ‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’  It is a form of data compromise.  An overview of all EAST Fraud Definitions can be seen here.

Tips and Advice From Europol

 

Cyber Attack Threat Mitigation

Cyber AttackThe European Cybercrime Centre, EC3, at Europol is working closely with affected countries cybercrime units and key industry partners to mitigate the threat of cyber attack and assist victims. The recent Wannacry ransomware attack is at an unprecedented level and will require a complex international investigation to identify the culprits. The Joint Cybercrime Action Taskforce (JCAT), at EC3 is a group of specialist international cyber investigators and is specially designed to assist in such investigations and will play an important role in supporting the investigation.

For further information on Ransomware, how to protect your data, devices, what to do when infected with ransomware and access to unlocking tools please visit https://www.nomoreransom.org/, a free online resource developed by Europol, Dutch Police and industry partners.

At the EAST Financial Crime & Security Forum (EAST FCS 2017) that will be held in The Hague next month, Group-IB, an organisation that specialises in preventing and investigating high-tech crimes and online fraud, will present on global developments in ATM related theft – tactics, techniques and procedures – alongside new trends in attacks on card processing and payment systems.