How Cybercriminals Continue to InnovateEuropol Report: Ransomware, DDoS, Business Email Compromises Are Persistent Threats
Online attack threats continue to intensify, with criminals preferring ransomware, DDoS attacks and business email compromises, warns Europol, the EU's law enforcement intelligence agency. After numerous successful disruptions by police, criminals have responded by launching increasingly complex attacks.
Europol sizes up the threat landscape and how it's likely to evolve in its latest Internet Organized Crime Threat Assessment. The annual report describes how so many types of cybercrime have become more complex (see: Darknet Disruption: 'Wall Street Market' Closed for Business).
The widespread failure to patch software vulnerabilities continues to provide opportunities for criminals, complicating law enforcement efforts, Europol warns (see: NSA Is Latest Intelligence Agency to Sound VPN Patch Alarm).
Of the report's many findings - and predictions - "some of it is no great surprise, in that ransomware is still one of the biggest threats ... and crime as a service is still a growing trend," says Alan Woodward, a visiting professor at the University of Surrey who contributed to the IOCTA report.
Unfortunately, criminals appear to be adapting quickly to attempts to disrupt their efforts. "One of the interesting trends that's starting to happen, and you'll see it talked about in the IOCTA report, is that criminals are aware, and to say they're running scared is wrong, but they adapt very quickly," Woodward tells Information Security Media Group. "They don't innovate unless they have to."
Darknet Markets Disrupted
One case in point is so-called dark markets, referring to "dot-onion" sites reachable only via the anonymizing Tor browser that only accept payment in pseudonymizing cryptocurrency. Despite the protection that might seem to afford, this year, police have managed to shutter a number of darknet marketplaces, including Wall Street Market and Silkkitie - aka Valhalla Marketplace - as well as arrest suspected site administrators.
Europol now has a dedicated "dark web team" with a mission to eradicate darknet marketplaces. Success stories include an operation codenamed "Bayonet" - in collaboration with the FBI and U.S. Drug Enforcement Agency - that in 2017 successfully took down AlphaBay. Many users defected to rival markets, including Hansa. Unbeknownst to them, however, Dutch police had already infiltrated the market were collecting intelligence on the site's many buyers and sellers, then sharing this information with international police forces (see: One Simple Error Led to AlphaBay Admin's Downfall).
Cybercrime Remains a Business
Stephen Wilson, head of European Cybercrime Center, or EC3, said at a conference in March that cybercrime is a business; attackers want to monetize their efforts and cash out. Not surprisingly, attempts by law enforcement agencies to disrupt cybercrime profits lead to criminals refining their tactics (see: Cybercrime as a Service: Tools + Knowledge = Profit).
"As they've seen various dark markets go down, particularly things like Hansa, where the Dutch police ran it for a month and was able to collect quite a lot of intelligence by running the market, then what's happened is that they've started to adapt," Woodward says. "So they're moving more to encrypted, distributed marketplaces, like you'd see in Telegram, WhatsApp."
Disrupting evolving cybercrime efforts is challenging because of the new tools attackers now use. "What we see is an increasing abuse of encryption, and increasing criminal abuse of anonymity services and cryptocurrencies," said Philipp Amann, head of strategy at EC3, at a Wednesday press conference. "And, of course, the problem there for law enforcement is ... how do we balance that? We want to have strong encryption. We support privacy. But at the same time, we want to be able to investigate criminal activity online that is abusing those services. And why is that the case? Because a lot of comm platforms, social media platforms now have end-to-end encryption … now activated by default."
Top 10 Cybercrime Trends
In the 2019 IOCTA report, Europol identifies 10 top cybercrime trends.
Ransomware: "Ransomware remains the top cybercrime threat in 2019," Europol says, noting that the same will likely hold true for 2020. "Even though law enforcement has witnessed a decline in the overall volume of ransomware attacks, those that do take place are more targeted, more profitable and cause greater economic damage. As long as ransomware provides relatively easy income for cybercriminals and continues to cause significant damage and financial losses, it is likely to remain the top cybercrime threat." On the upside, however, Europol and its public and private partners have thwarted at least some of these attacks by distributing free decryptors via the No More Ransom portal (see: No More Ransom Thwarts $108 Million in Ill-Gotten Profits).
DDoS attacks: Distributed denial-of-service attacks also continue to dominate, Europol says. These are one of the top types of attacks that get reported to European law enforcement agencies because they're aided by the the easy availability of stresser/booter services. "Many banks report that DDoS attacks remain a significant problem, resulting in the interruption of online bank services, creating more of a public impact rather than direct financial damage," the report says. But police have successfully disrupted many major DDoS services (see: Stress Test: Police Visit Webstresser Stresser/Booter Users).
Child sexual exploitation material: The sheer amount of data online today continues to strain law enforcement resources across all types of investigations, including attempts to fight online child sexual exploitation material. "One development that could be of concern for online child sexual exploitation is the ongoing improvements of 'deepfakes,'" Europol notes. "Deepfake technology is an AI-based technique that places images or videos over another video" (see: Senators Press Social Media Firms to Fight 'Deepfake' Videos).
Self-generated explicit material: Childrens' access to smartphone cameras poses widescale challenges for law enforcement agencies. "Self-generated explicit material is more and more common, driven by a growing number of minors with access to high-quality smartphones," Europol says. "A lack of awareness about the risks on the side of minors exacerbates the problem."
Government targets: Local municipalities continue to get hit hard by attackers. "The most visible ransomware attacks in 2019 were those against local governments, specifically in the United States," Europol notes. Whether this trend gets repeated against European targets remains to be seen, but it's cause for concern (see: Texas Ransomware Responders Urge Remote Access Lockdown).
Critical infrastructure: Whether criminals actually intend to hit organizations in the so-called critical infrastructure sectors - such as hospital, water supply systems, police and power generation - they're increasingly doing so. Such attacks are noisy, inviting greater scrutiny and resources from law enforcement and intelligence agencies, which makes them risky for criminals. But they can also be lucrative.
Darknet markets: Security experts say that in the recent past, criminals might advertise their goods and services exclusively on one darknet forum or use the same handle across forums to create better "brand awareness." Today, however, compartmentalization appears to be the name of the game, with criminals creating single-vendor shops or a presence on smaller, Tor-based markets. "Some organized crime groups are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement," Europol says.
Cryptocurrency: Criminal entrepreneurs who run cybercrime marketplaces face a difficult challenge: They must promote anonymous buying and selling while reducing the risk that they'll conduct an "exit scam" and take off with millions of dollars' worth of cryptocurrency. One such market is Black Dog, Europol notes. "It claims to be the ‘first-ever truly decentralized crypto market’ and depends on the ethereum blockchain to facilitate transactions."
Business email compromises: "While this crime is not new, it is evolving," Europol says. "This scam exploits the way corporations do business, taking advantage of segregated corporate structures and internal gaps in payment verification processes." As with many types of cybercrime, defending against these types of attacks takes not just technology but also better business practices.
Coordinated response: One upside for fighting cybercrime is that EU member states are getting better at doing so in a coordinated manner. "The development of the EU law enforcement emergency response protocol has significantly improved the cyber preparedness by shifting away from incongruent, incident-driven and reactive response measures and acting as critical enablers for rapid response capabilities that support cyber resilience," Europol says.
Combating Child Sexual Abuse
One ongoing challenge, as noted above, is combating child sexual abuse.
"I am glad to see that Europe’s efforts to tackle large-scale cyberattacks across borders are bringing results," Dimitris Avramopoulos, the European Commissioner for Migration, Home Affairs and Citizenship, says in a statement. "But I am distraught by the fact that child sexual abuse material continues to thrive online. We all need to step up our efforts at all levels, because cybersecurity isn’t just the task of national law enforcement. It is a responsibility for all of us towards our citizens."
In an effort to crack down, Europol has launched its "Trace an Object" program, which involves distributing parts of pictures that have been obtained via child abuse investigations and asking people if they can trace the origin. Such information can enable police to identify specific locations, such as houses or hotels, down to rooms, helping investigators track down perpetrators. Amann of EC3 says that the program has helped save at least seven children.
Woodward encourages everyone to sign up for the program. "One of the things that Europol has been quite influential in, in some ways, and has shown it works, is this whole information sharing, and in a very careful way getting the mass public to be investigators," he says. "It's quite encouraging to see the web being used for good in that way, if you like."