Cybercrime: 12 Top Tactics and Trends
From Ransomware and DDoS to Malware and SIM Swapping: Europol Describes Latest Threats
Ransomware attacks remain the top cyber-enabled threat seen by law enforcement agencies. But phishing, business email compromises and other types of fraud - many now using a COVID-19 theme - also loom large.
So says the seventh annual Internet Organized Crime Threat Assessment, produced by the European Cybercrime Center, aka EC3, which is part of the EU's law enforcement intelligence agency, Europol.
As Europol Executive Director Catherine De Bolle writes in her introduction to the latest IOCTA, it "provides a unique, law enforcement-focused assessment of emerging challenges and key developments in the area of cybercrime."
What are the top cybercrime trends? Here's a sampling from the report, with threats listed alphabetically:
1. Business Email Compromise
BEC attacks continue to rise, Europol warns. "As criminals are more carefully selecting their targets, they have shown a significant understanding of internal business processes and systems’ vulnerabilities" (see: Business Email Compromise: Battling Advanced Attackers).
2. COVID-19 Themes
Whatever is topical gets tapped by scammers, fraudsters and others to trick potential victims and, of course, nothing this year has loomed larger than COVID-19 (see: Cybercrime Review: Hackers Cash in on COVID-19).
"Criminals tweaked existing forms of cybercrime to fit the pandemic narrative, abused the uncertainty of the situation and the public’s need for reliable information," the report says. But such opportunism is just the latest variation on long-established ploys. "In many cases, COVID-19 caused an amplification of existing problems, exacerbated by a significant increase in the number of people working from home," the report adds.
3. Criminal Cooperation
One major malware concern for law enforcement agencies is the extent to which crime gangs that wield malicious code appear to be collaborating. "Both member states and private sector respondents have noticed an increase in subcontracting and cooperation among threat actors, which has improved their capabilities," the report says. "Similarities in how criminals behind the trio [of] Ryuk ransomware, Trickbot and Emotet malware operate suggests that criminals across different attack approaches could either belong to the same overall structure, or that they are becoming smarter at cooperating with each other." (See: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta')
A similar trend has been seen with ransomware gangs increasingly "cooperating over malware, infrastructure and money-laundering activities."
4. Criminals (Still) Love Cryptocurrency
Following the money continues to be a challenge as criminals tap virtual currency. "Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services," the IOCTA report states. On the flip side, exchanges and wallets where users legitimately store their cryptocurrency also continue to be top targets for criminals (see: DOJ: 2 Russians Defrauded Cryptocurrency Exchanges).
5. Distributed Denial-of-Service Attacks
While the overall quantity of DDoS attacks has recently declined, some individual attacks have nevertheless caused massive disruptions. "Law enforcement agencies also came across cases where threat actors engaged in small attacks against larger organizations, extorting them for money with the threat of conducting larger attacks," the report says (see: New Zealand Exchange's Massive DDoS Attack: What Went Wrong?).
Another DDoS trend: Targeting smaller organizations that are less likely to have DDoS defenses in place and are thus relatively easy for extortionists to disrupt (see: Ransomware and DDoS Attacks Disrupt More Schools).
6. Modular Malware
In years past, banking Trojans were a favored tool for criminals keen to steal individuals' bank details and drain their accounts. Today, more common is "more advanced, modular malware," which is designed to give attackers a much broader range of capabilities, the report states. But of them all, Emotet is malware public enemy No. 1, based on the damage it continues to cause (see: CISA Warns of Emotet Attacks Against Government Agencies).
7. Non-Cash Fraud
"Card-not-present fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming - e-skimming - modi operandi," the report notes. "Fueled by a wealth of readily available data, as well as a cybercrime-as-a-service community, it has become easier for criminals to carry out highly targeted attacks," as well as to cash out stolen data, including payment card details (see: Police Bust 3 Suspected Magecart Hackers in Indonesia).
8. Online Child Abuse
Unfortunately, the online distribution of child sexual abuse material as well as exploitation has continued to increase. "As in previous years, the amount of online CSAM [child sexual abuse material] detected continues to increase, further exacerbated by the COVID-19 crisis, which has had serious consequences for the investigative capacity of law enforcement authorities," Europol's report states (see: Spies Join UK Online Crime Fight).
"The Philippines remains the main country where live distant child abuse (LDCA) takes place," Europol says, and cases there surged as "already poor families struggled to generate income and children did not go to school." But a large operation in Romania also revealed "significant levels of livestreaming taking place within the country, demonstrating that the EU is not immune to this threat."
9. Ransomware
Simply put, "ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay," the report notes. The threat is being felt globally. Attacks appear to be getting increasingly targeted and could soon extend to smart cities and devices (see: Want Your Coffee Machine Back? Pay a Ransom).
One challenge, however, is underreporting of such crime by victims. "Considering the scale of damage that ransomware can have, victims also appear to be reluctant to come forward to law enforcement authorities or the public when they have been victimized, and this makes it even more difficult to identify and investigate such cases," says Philipp Amann, head of strategy at Europol's European Cybercrime Center.
"What criminals have done is, in addition to taking hostage of the data … they've added a twist by saying, if you do not pay," then the data will get leaked, potentially triggering an EU General Data Protection Regulation fine, said Nicole S. van der Meulen, head of policy and development at EC3, at an Oct. 5 press conference.
10. SIM Swapping
This is the first IOCTA report to include subscriber identity module - aka SIM - swapping as one of the major trends. It's included because this tactic has been causing "significant losses" and also attracting much more attention from law enforcement agencies, Europol says.
"As a highly targeted type of social engineering attack, SIM swapping can have potentially devastating consequences for its victims, by allowing criminals to bypass text message-based (SMS) two-factor authentication (2FA) measures gaining full control over their victims’ sensitive accounts," the report states (see: DOJ: Pair Used SIM Swapping Scam to Steal Cryptocurrency).
11. Smishing Attacks
Smishing - sending fraudulent text messages, often to emulate banks - is a fast-rising type of fraud that resembles phishing, but which may not be seen as suspicious by recipients. "As most bank customers receive the advice to be suspicious of emails, customers do not yet have the same level of skepticism towards potentially fraudulent text messages," the report says. "In addition, it is difficult to impossible for banks to protect their customers from smishing attacks, as criminals aim to abuse the Alpha Tag of the SMS thread and Signaling System 7 (SS7) vulnerabilities" (see: Bank Account Hackers Used SS7 to Intercept Security Codes).
12. Social Engineering and Phishing
Social engineering also remains a top threat - especially when it comes to phishing attacks. "Cybercriminals are now employing a more holistic strategy by demonstrating a high level of competency when exploiting tools, systems and vulnerabilities, assuming false identities and working in close cooperation with other cybercriminals," Europol's report states. "However, despite the trend pointing toward a growing sophistication of some criminals, the majority of social engineering and phishing attacks are successful due to inadequate security measures or insufficient awareness of users … as attacks do not have to be necessarily refined to be successful." (See: Trump's COVID-19 Illness Sparks Phishing Campaigns)
Coda to Victims: Please Come Forward
With the release of the latest IOCTA, Europol has again issued a call to victims: Please come forward to help police better understand the full scale of such attacks as well as track targets and tactics.
"Reporting cybercrime helps police to crack lots of cases! The more victims report a crime, the more data we can gather and the more connections between cases can be established. Find out more by checking our latest report on cybercrime #IOCTA2020 here: https://t.co/c9uOG4eGjk" - Europol (@Europol), October 9, 2020
"Not reporting cases to law enforcement agencies not only means you will never get justice, but it can also hamper any wider police investigations. So, the more victims report a crime, the more data law enforcement can gather, and therefore, the more likely connections between different crimes can be established," says EC3's Amann.
Senior Correspondent Chinmay Rautmare contributed to this report.