Europol, the European Union’s law enforcement agency, recently published the 2021 Internet Organized Crime Threat Assessment (IOCTA) report. The report, which is Europol’s flagship strategic product that provides a law enforcement focused assessment of evolving threats and key developments in the area of cybercrime, highlights the expansion of the cyber threat landscape due to the impact of the COVID-19 pandemic and accelerated digitization. For this year’s assessment, the project team surveyed all European Union Member States (EU MS), a limited number of third Countries, members of Europol’s advisory groups, and internal specialists.
The report includes detailed findings from the last 12 months in the areas of cyber dependent crime, child exploitation material, online fraud, and dark web.
Cyber Dependent Crime
Europol has previously defined cyber-dependent crime as any crime that can only be committed using computers, computer networks, or other forms of information communication technology. In essence, without the Internet, these crimes could not be committed.
The assessment revealed that criminals are exploiting new opportunities created by expanded digitalization and the increase of work-from-home or telework for many employees due to the pandemic. Cybercriminals essentially began exploiting the fact that in many cases information security policies became more relaxed, the overall number of vulnerabilities and attack surfaces increased, and organizations struggled to quickly mitigate new security risks.
The report examines the three ways criminals work to commit cyber-dependent crimes. These are ransomware affiliate programs, mobile malware, and DDoS attacks for ransom.
The Europol report notes that ransomware affiliate programs have increased in prominence and are tied to a multitude of high-profile attacks against healthcare institutions and services providers. The affiliate programs enable a larger group of criminals to attack big corporations or high-value targets and gain access to their infrastructure. They use supply chain attacks to compromise the networks of large corporations and public institutions as well as utilize new multi-layered extortion methods such as DDoS attacks discussed below. Bad actors are moving towards human-operated ransomware targeted at private companies, the healthcare and education sectors, critical infrastructure, and governmental institutions.
The Europol assessment reveals that the number of mobile malware complaints submitted to law enforcement increased significantly. Mobile malware has become a scalable business model. Cybercriminals who resort to this method of attack are abusing consumers’ increased use of online shopping services and are increasingly seizing on opportunities to steal these individuals’ personal information.
There are signs that mobile malware operations are evolving. For instance, criminals carrying out such attacks sometimes are able to circumvent additional security measures such as two-factor authentication. They also sometimes use overlay attacks and SMS spamming capabilities to carry out attacks.
Mobile malware operators have seized upon the increase in online shopping and incorporated delivery services into their attacks as phishing lures for the purpose of tricking their victims into downloading malicious code, stealing their victims’ credentials, or perpetrating different forms of delivery fraud. Mobile banking trojans have become a specifically noteworthy threat due to the increased popularity of mobile banking. Criminals have continued utilizing COVID-19 narratives for the online sale of counterfeit medical products and vishing to steal login credentials.
Distributed Denial-of-Service (DDoS) Attacks
The assessment findings also show that DDoS for ransom seems to be making a return as criminals use the names of well-known advanced persistent threat (APT) groups to scare their targets into complying with ransom demands. Law enforcement and private partners are reporting a re-emergence of DDoS attacks accompanied by ransom demands as well an increase in high-volume attacks compared to the previous year. Cybercriminals have been targeting internet service providers (ISPs), financial institutions, and small- to medium-sized businesses (SMBs).
Criminals Exploit Increased Online Activity
Consumers are shopping online at record highs. This has created additional opportunities for criminals to commit fraud and steal personal data from online shoppers. In this regard, the assessment found increased cases of payment and delivery fraud. One of the key findings of the report for this particular area is that phishing and social engineering remain the main vectors for payment fraud, increasing in both volume and sophistication. Of the types of frauds identified in the report, investment fraud has emerged as the most dominant type of fraud in the last 12 months.
The Europol report noted a considerable rise in the number of COVID-19 themed phishing attempts conducted via telephone (i.e., vishing) and text message (i.e., smishing). Successful phishing campaigns grant criminals fraudulent access to their victim’s personal, financial, or security data. Vishing and smishing actors have particularly profited from the exploitation of stolen data. In combination with spoofing, whereby victims are contacted using legitimate-looking caller IDs or text aliases, criminals have lent these types of fraud attempts significant credibility.
Child Exploitation Material
The main trends and threats related to online child sexual exploitation have stayed relatively stable throughout the reporting period. The proliferation of encrypted messaging applications and social media platforms have an impact on the grooming methods and distribution of child sexual abuse material (CSAM). CSAM is actively traded on peer-to-peer (P2P) networks and the dark web. There, cryptocurrencies are also used for payment, with law enforcement reporting an increase in for-profit distribution.
The threats in the cybercrime landscape are exacerbated by the growing crime-as-a-service market on the dark web. Criminals continue to abuse legitimate services such as VPNs, encrypted communication services, and cryptocurrencies. This area is particularly challenging because the anonymity that dark web users desire is exacerbated by the wide-scale adoption of encryption technologies. These solutions can benefit lawful users and criminals simultaneously, creating a paradoxical situation for policymakers.
The dark web is another area, however, where EU law enforcement agencies have reported few major changes in the threat landscape during the assessment period. Rather, several smaller developments that had already been taking place for some years have now become more commonplace. The following are described as key findings in the report:
- Dark web users are increasingly using Wickr and Telegram as communication channels or to bypass market fees
- Dark web users are increasingly adopting anonymous cryptocurrencies, such as Monero, and swapping services
- Users rely on increasingly sophisticated operational security, migrating quickly to other user-less markets or markets enforcing manual PGP after takedowns
- Grey infrastructure is increasingly helping dark web users thrive
The report demonstrates that cybercriminals are opportunistic, determined, and resourceful as ever. They continue to innovate and use sophisticated methods to achieve their goals. To mitigate the risks associated with the areas discussed above, the report provides several recommendations including integrating law enforcement into the cybersecurity ecosystem. Readers are encouraged to read the Europol report to understand both the developing threats and how they can be better prepared to mitigate these challenges.
About the Author: Ambler is an attorney with a background in corporate governance, regulatory compliance, and data privacy. She currently consults on governance, risk and compliance, enterprise data management, as well as data privacy and security matters in Washington, DC.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.