3rd Party Risk Management , Application Security , COVID-19

Pace of Cybercrime Evolution Is Accelerating, Europol Warns

Ransomware Affiliate Programs, Supply Chain Hits and Online Fraud Among Top Threats
Pace of Cybercrime Evolution Is Accelerating, Europol Warns
Europol's Internet Organized Crime Threat Assessment details top threats seen over the past 12 months.

The top cybercrime threats facing organizations in Europe and beyond include ransomware affiliate programs, more sophisticated mobile malware and many different types of online fraud, among other types of crime.

See Also: Rapid Digitization and Risk: A Roundtable Preview

So says Europol, the EU's law enforcement agency, in its latest Internet Organized Crime Threat Assessment. Issued annually, the report details the top cybercrime tactics and trends seen over the past 12 months.

This year's IOCTA is based on observations gathered from a survey of all 27 EU member states; Iceland, Norway, Switzerland and the United Kingdom, which are associate members of the EU Cybercrime Task Force; Europol advisory groups; and internal Europol experts.

One primary takeaway from last year's IOCTA report was that "cybercrime is an evolution, not a revolution," Philipp Amann, the head of strategy at Europol's European Cybercrime Center, told Information Security Media Group upon the publication of last year's report.

This year, one overriding takeaway is that extreme events can help drive an even more rapid evolution in cybercrime, as the ongoing COVID-19 pandemic has done, says Catherine De Bolle, executive director of Europol.

Growth in Ransomware Affiliate Model

For example, the past year has seen rapid growth in the ransomware-as-a-service ecosystem, which involve developers providing crypto-locking malware to affiliates who use the malware to infect victims in exchange for an agreed cut of every ransom payment (see: Ransomware Evolves: Affiliates Set to Wield Greater Power).

"Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multilayered extortion methods," De Bolle says. Those extortion methods, she notes, can include not just threats to name and shame victims, but also disrupting them with distributed-denial-of-service attacks.

Child Sexual Exploitation Worsens

Another accelerating trend has been the growth in child sexual exploitation, including for profit, she says.

"Children spending more time online has made them more susceptible to grooming, leading to an increase of self-produced exploitation material," De Bolle says, adding that "this material is displaying increasingly younger children."

In addition, "there has been a steep increase in online grooming activities on social media and online gaming platforms," Europol says, often by adults posing as peers of the minors they target for abuse.

Criminals often trade exploitation material via dark web sites - reachable only via the anonymizing Tor browser - which can make them difficult to identify or track, police say.

Supply Chain Attacks and Mobile Malware

For nation-state attackers as well as criminals seeking illicit profits, supply chains remain a top target for criminals. And over the past 12 months, the SolarWinds and Microsoft Exchange attacks and the ransomware attack on IT managed service tool developer Kaseya's software have demonstrated that the scale and severity of such attacks has been increasing, Europol says.

Another long-present threat that has been growing more sophisticated and damaging is mobile malware and especially banking Trojans that run on Android devices and are designed to steal users' credentials, Europol says.

"A number of mobile banking malware families have implemented new on-device capabilities to commit fraud by manipulating the banking apps on the user's device using the Automated Transfer System modules powered by the Android Accessibility Service," it says. "Banking Trojans like Cerberus and TeaBot are also capable of intercepting text messages containing one-time passcodes sent by financial institutions and two-factor authentication applications such as Google Authenticator."

Another banking Trojan called FluBot is extremely prolific, especially in the United States and Europe, and spreads itself via phishing text messages from an infected device to everyone on its contact list, Europol says. "A key part of the malware's functionality is its ability to install display overlays for Google Play verification and various banking apps, which enables the theft of victims' credentials - banking, credit card and crypto wallet," it says.

Fraud in Many Different Forms

While ransomware often ends up in the cybercrime spotlight - not least because of the massive disruption it can cause - police say that fraud continues to be a major threat. Delivery fraud - such as text messages purporting that there was a "missed delivery" - have sharply increased during the pandemic, officials say, and typically try to trick a victim into sending funds directly to an attacker.

Leading types of fraud include business email compromise - and CEO fraud - attacks in which criminals attempt to trick victims into wiring them money.

But above all, "investment fraud has emerged as the most dominant type of fraud in the last 12 months," Europol says, with victims often targeted with an opportunity to invest in cryptocurrency, with supposedly guaranteed high rates of return.

"Authentic-looking advertising campaigns, the illicit use of celebrities and even personal recommendations through online dating schemes all help bring unsuspecting victims to these fake platforms," Europol says. "In addition, criminals are becoming more professional, running local call centers to target different languages, creating more legitimate-looking websites, using remote access software to take over victims' accounts and operating complex money mule networks."

Criminals Market Services to Criminals

Unfortunately, the cybercrime-as-a-service ecosystem makes a number of malicious services and tools available for easy access - including the ability to access call centers, as not just cryptocurrency scammers but also ransomware operations continue to do to attack or contact victims.

Budding criminals, who may not have deep technical knowledge, can also purchase ready-to-use strains of ransomware and other malware, tap bulletproof hosting sites or rent botnets to aid their attacks, and seek guidance via cybercrime forums.

To combat this, Europol notes that law enforcement agencies continue to target so-called "gray infrastructure," referring to services that are marketed by criminals to other criminals. "Gray infrastructure services include bulletproof hosters, rogue cryptocurrency exchanges and VPNs that provide safe havens for criminals," Europol says (see: Wait, Watch, Disrupt: How Police Keep Targeting Cybercrime).

While such services cannot always be disrupted, police have continued to do so on numerous occasions. Over the past year, for example, Europol helped coordinate the takedown of the DoubleVPN and Safe-Inet VPN services and associated bulletproof hosting providers, as well as arrest criminal users of cryptophone services.

Criminals are increasingly relying on virtual currency to receive ransoms and launder their ill-gotten gains and adopting more privacy-preserving digital coins, such as monero, Europol notes. Here too, however, disruption is possible, albeit oftentimes beyond law enforcement, at more of a policy or diplomatic level. U.S. financial regulators, for example, have been blacklisting cryptocurrency exchanges that fail to honor "know your customer" and anti-money laundering requirements, which makes using them a crime (see: US Treasury Blacklists Cryptocurrency Exchange Chatex).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing fraudtoday.io, you agree to our use of cookies.