Cybercrime: 15 Top Threats and TrendsEuropol's Internet Threat Report Finds That Older Crimes Remain Alive and Well
Criminals operating online continue to target cryptocurrencies, leverage phishing and other social engineering attacks, as well as tweak age-old scams - including Nigerian prince emails - for the modern age. Those are just a handful of takeaways from the Internet Organized Crime Threat Assessment for 2018 from Europol, the EU's law enforcement intelligence agency.
The report charts the ongoing prevalence of ransomware, the rise in cryptocurrency mining attacks as well as the shift by one-time bank hackers to target cryptocurrency users and exchanges.
But the potential domain of internet-enabled crime remains vast.
"While some cyberattacks continue to grab headlines with their magnitude, other areas of cybercrime are no less of a threat or concern," Catherine De Bolle, Europol's executive director, says in an introduction to the new IOCTA report.
"Payment fraud continues to emphasize criminal gains and the facilitation of other crimes, as well as significant financial losses for citizens and financial institutions alike," says De Bolle, who was the commissioner general of the Belgian Federal Police before she took the helm of Europol in May.
But online crime is not always about the pursuit of financial gain, especially where child abuse is concerned. "Online child sexual exploitation epitomizes the worst aspects of the internet and highlights the ever present danger to our children from those who would seek to exploit or abuse them," De Bolle says. "The fight against this heinous crime must continue unabated."
Top Online-Enabled Crime Trends
Europol's fifth annual report says the story of cybercrime in 2018 is often less about reinvention and more about refinement. "Many areas of the report ... build upon previous editions, which emphasizes the longevity of the many facets of cybercrime," the report notes. "It is also a testimony to an established cybercrime business model, where there is no need to change a successful modus operandi."
In the 2016 IOCTA report, for example, Europol noted that online criminality ranged from ransomware and cyber extortion to distributed denial-of-service attacks and the criminal abuse of internet of things devices. By the 2017 IOCTA report, meanwhile, Europol was warning that "ransomware attacks have eclipsed most other global cybercrime threats."
This year's report lists 15 of the of dominant online attack threats and trends:
- Ransomware and malware
- Data breaches
- Online child sexual exploitation material
- Distributed denial-of-service attacks
- Payment card fraud
- Bitcoin popularity
- Social Engineering
- Spam and RDP attacks
- Encrypted communications
- Convergence: 'Cyber' and Terrorism
- WHOIS data goes dark
- New life for old tricks
Ransomware and Malware
The report notes that while the growth in ransomware attacks might be beginning to slow, such attacks remain prevalent, more common that banking Trojan infections and appear to be increasingly launched by nation-states.
But law enforcement as well as security experts note that ransomware isn't the only malware game in town.
"Broadly speaking, we've seen ransomware as one of the dominant forms of attack throughout the last year, though it's starting to slow down a little and lose something in terms of innovative attacks," Christopher Boyd, lead malware intelligence analyst at security firm Malwarebytes, tells Information Security Media Group. "However, we've also seen a lot of targeted threats in countries like South Korea, often using a variety of clever techniques to infect systems. It also frequently goes hand in hand with malvertising, and we don't see that changing anytime soon."
"Illegal acquisition of data following data breaches is a prominent threat," Europol's report notes, and the stolen information is often used for identity theft and other forms of fraud.
Boyd says that attackers also appear to be increasingly targeting businesses. "We've seen an increase in popularity for certain attacks on businesses - versus consumers - which perhaps marks an increased interest in financial and corporate data which can be used to sell on or used as blackmail leverage."
Online Child Sexual Exploitation Material
Police also continue to track increasing quantities of online child sexual exploitation material, or CSEM, including self-generated explicit material, or SGEM. "Although most CSEM is still shared through P2P platforms, more extreme material is increasingly found on the darknet," the report says. "Meanwhile, live distant child abuse (LDCA), facilitated by growing internet connectivity worldwide, continues to be a particularly complex form of online CSE to investigate due to the technologies and jurisdictions involved."
Especially as more young children gain access to the internet and social media platforms, "the risk of online sexual coercion and extortion continues to rise," the report says.
Together with sextortion, Europol says it's seen an increase in self-generated material by children that gets live-streamed on social media platforms.
Distributed Denial-of-Service Attacks
DDos attacks persist, driven not just by attempted financial gain - often via extortion - but also "for ideological, political or purely malicious reason," the report says.
In 2017, the volume of DDoS attacks was second only to malware, Europol notes, adding that "it is also becoming more accessible, low cost and low risk," thanks to easy access to "stresser/booter" on-demand DDoS services (see Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).
Payment Card Fraud
Almost all EU member states have reported skimming attacks over the past year, although Europol says geoblocking measures have blunted such attacks in Europe. Still, "skimmed card data is often sold via the darknet and cashed out in areas where ... EMV implementation is either slow or nonexistent," the report notes.
Other notable areas of fraud include "toll fraud" - avoiding having to pay tolls - as well as card-not-present fraud, with the transport and retail sectors in the EU particularly targeted. The report also notes that many EU countries have "reported an increase in the creation of fake companies to access and abuse points of sale as well as profit from compromised information."
Rik Ferguson, vice president of security research at Trend Micro and a cybersecurity adviser to Europol's European Cybercrime Center, EC3, tells ISMG that one of the dominant, recurring themes in this year's IOCTA report is the degree to which "cryptocurrency in many ways could be said to shaping today's threat environment."
"Currency exchangers, mining services and other wallet holders are facing hacking attempts as well as extortion of personal data and theft," Europol's report notes. "Money launderers have evolved to use cryptocurrencies in their operations and are increasingly facilitated by new developments, such as decentralized exchanges, which allow exchanges without any 'know your customer' requirements. It is likely that high-privacy cryptocurrencies will make the current mixing services and tumblers obsolete."
Attacks that aim to exploit computer users' bandwidth and processing power to mine for cryptocurrency are becoming more prevalent. "While it is not illegal in some cases, it nonetheless creates additional revenue streams and therefore motivation for attackers to hack legitimate websites to exploit their visitor's systems," the report notes. "Actual cryptomining malware works to the same effect, but can cripple a victims system by monopolizing their processing power."
The ease of such attacks and attack tool availability means "cryptomining malware is expected to become a regular, low-risk revenue stream for cybercriminals," Europol says.
Despite the growth of interest in virtual currencies such as monero, which promise greater privacy and which can be mined - including on malware victims' systems - without having to use highly specialized equipment, Europol says bitcoin "remains the predominant cryptocurrency encountered in cybercrime investigations."
Attacks that utilize social engineering - trickery - continue to be easy, inexpensive and effective, Europol warns. "Phishing via email remains the most frequent form of social engineering, with vishing (via telephone) and smishing (via SMS) less common," the report says.
"Criminals use social engineering to achieve a range of goals: to obtain personal data, hijack accounts, steal identities, initiate illegitimate payments, or convince the victim to proceed with any other activity against their self-interest, such as transferring money or sharing personal data," it adds
Spam and RDP Attacks
Automated attack toolkits designed to exploit vulnerabilities in widely used software - such as the Windows operating system or plug-ins such as Flash and Java - continue to decline, Europol notes (see Neutrino Exploit Kit: No Signs of Life).
Instead, attackers are increasingly turning to "spam, social engineering and newer methods such as remote desktop protocol (RDP) brute-forcing" to gain access to targeted networks, Europol says (see How Much Is That RDP Credential in the Window?).
Last year, law enforcement agencies managed to disrupt the world's three biggest cybercrime marketplaces: AlphaBay, Hansa and RAMP. In response, at least nine other cybercrime marketplaces "closed either spontaneously or as a result of their administrators absconding with the market's stored funds," Europol notes.
Instead of using such marketplaces to conduct cybercrime business, many users have shifted to using encrypted messaging apps, or highly regionalized and language-specific "smaller vendor shops," Europol says, which makes such criminal activity tougher for police to track and disrupt, even as such activity remains widespread.
"They are still very active and alternative venues are appearing, so there is no room for complacency," Alan Woodward, a visiting professor at the University of Surrey's department of computer science, tells ISMG.
Convergence: 'Cyber' and Terrorism
Law enforcement agencies do not appear to expect terrorist organizations or sympathizers to launch major cyberattacks. In particular, while sympathizers of the group known as Islamic State - IS, aka ISIL, Daesh - "have demonstrated their willingness to buy cyberattack tools and services from the digital underground, their own internal capability appears limited," Europol says.
But the propaganda threat remains pronounced. "Islamic State continues to use the internet to spread propaganda and to inspire acts of terrorism," Europol says. Law enforcement efforts, furthermore, have driven IS sympathizers to use "encrypted messaging apps which offer private and closed chat groups, the dark web or other platforms which are less able or willing to disrupt their activity," meaning their activities are more difficult to trace.
WHOIS Data Goes Dark
Identifying suspects could become more difficult due to technological and legislative changes, the report says, citing, in particular, the rise of 5G as well changes to WHOIS, a service for looking up domain owners. Following the May 25 start of enforcement of the EU's General Data Protection Regulation, many domain registries have started redacting domain ownership information to comply with the privacy law.
Europol warns that these moves "will significantly inhibit the attribution and location of suspects for law enforcements and security researchers."
"Law enforcement is seeing a new set of hurdles emerge with certain new technologies such as 5G and the redaction of WHOIS," says the University of Surrey's Woodward, who contributed to this year's IOCTA report. "It doesn't make things impossible but adds another layer of complexity when trying, for example, to attribute attacks."
Raj Samani, chief scientist at security firm McAfee and an EC3 cybersecurity adviser, says the EU must ensure that WHOIS data can be obtained for legitimate purposes. "It is imperative that access models are established that allow for transparency to those that require the data to safeguard society," Samani tells ISMG. "Fighting cybercrime is difficult at the best of times. The stark warning from the report highlighting the fact WHOIS is going dark serves as a reminder that things are getting harder not only for law enforcement but also everybody else."
New Life for Old Tricks
The Europol report is also a reminder that many types of crime never die; they just get tweaked for the modern age.
For example, fraudsters operating out of West Africa - and other areas - continue to adapt their attack tools and tactics, the report notes, including launching more sophisticated business email compromise schemes.
"Many of the classic scams, such as technical support scams, advanced fee fraud and romance scams, still result in a considerable numbers of victims," the report notes (see Google Promises Crackdown on 'Tech Support' Fraudsters).
Phishing also remains a potent threat, Europol warns, because of the severity of damage such attacks may cause. "Although only a small proportion of victims click on the bait, one successful attempt can be enough to compromise a whole organization," it says.
Takeaway: Stay Vigilant
One takeaway from the Europol report is that individuals remain at serious risk from both low-tech and more high-tech types of attacks.
"We still need to ask the public to be vigilant and practice their ABCs," Woodward says. "Some of these older-style crimes are evolving. The old 419 [aka Nigerian prince] scam emails haven't gone away, but have evolved to use new technology."
In short, many criminals appear to be trying to refine sometimes simple-looking schemes to ensure they keep turning an illicit profit.
"Probably the biggest takeaway is that some of the older cybercrimes - phishing, support scams, etc. - are still alive and well and they continue to claim many, many victims," Woodward says.