INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2019
www.europol.europa.eu
CONTENTS

#1 Key findings 08
#2 Recommendations 10
#3 Introduction 13
#4 Crime priority: cyber-dependent crime 14
  4.1 Key findings
  4.2 Ransomware
  4.3 Data compromise
  4.4 DDoS attacks
  4.5 Attacks on critical infrastructure
  4.6 Website defacement
  4.7 What happened to…?
  4.8 Future threats and developments
  4.9 Recommendations
#5 Crime priority: child sexual exploitation online 29
  5.1 Key findings
  5.2 Online distribution of CSEM
  5.3 Online solicitation of children for sexual purposes
  5.4 Production of self-generated explicit material
  5.5 Sexual coercion and extortion of minors for new CSEM
  5.6 Live distant child abuse
  5.7 Future threats and developments
  5.8 Recommendations
#6 Crime priority: payment fraud 35
  6.1 Key findings
  6.2 Card not present fraud
  6.3 Skimming
  6.4 Jackpotting
  6.5 Business email compromise
  6.6 Future threats and developments
  6.7 Recommendations
#7
#8
#9 Cross-cutting crime factors 50
  9.7 Recommendations
References 60
FOREWORD

This year’s IOCTA demonstrates that while we must look ahead to anticipate what challenges new technologies, legislation, and criminal innovation may bring, we must not forget to look behind us. ‘New’ threats continue to emerge from vulnerabilities in established processes and technologies. Moreover, the longevity of cyber threats is clear, as many long-standing and established modi operandi persist, despite our best efforts. Some threats of yesterday remain relevant today and will continue to challenge us tomorrow.

Ransomware maintains its reign as the most widespread and financially damaging form of cyber-attack, while criminals continue to defraud e-commerce and attack the financial sector. Criminals target and exploit vulnerable minors across the globe. All of these crimes seriously impact the physical, financial and psychological safety, security and stability of our society and require a coherent and coordinated response by law enforcement.

Cybercrime continues to mature and become more audacious, shifting its focus to larger and more profitable targets. To tackle it, law enforcement must be equally audacious in order to meet the challenge head-on.

To do so, however, law enforcement needs the knowledge, tools and legislation required to do so quickly and effectively. As criminals adapt, law enforcement and legislators must also innovate in order to stay ahead, and seek to capitalise on new and developing technologies. This in turn requires training to produce the specialised capabilities required to investigate technically challenging or complex cybercrimes, such as those involving the abuse of cryptocurrencies or the dark web.

Europol is addressing these challenges with its Strategy 2020+. Our agency is at the forefront of law enforcement innovation and acts as a knowledge platform for the provision of EU policing solutions in relation to encryption, cryptocurrencies and other issues. In doing so, we expand the toolbox available to law enforcement officers across Europe and beyond, increasing their technical and forensic capabilities. The European Cybercrime Centre (EC3) at Europol is the first port of call for cybercrime investigators.

This only enforces the need for greater cooperation and collaboration with the private sector and academia, with whom law enforcement shares the responsibility for fighting cybercrime, and with the policy-makers who shape our society.

The IOCTA continues to celebrate the many successes of law enforcement in the fight against cybercrime, and the feats that can be achieved from the synergistic relationships with its partners in both the public and private sector. I have no doubt that such relationships will continue to go from strength to strength, but their full potential can only be realised under the right legislative and budgetary conditions. We can look forward to reporting further successes in the years to come.

Catherine De Bolle
Executive Director of Europol
ABBREVIATIONS

AMLD 5: 5th EU Anti-Money Laundering Directive
APT: Advanced Persistent Threat
ATM: Automated Teller Machine
BEC: Business Email Compromise
EMMA: European Money Mule Actions
EMPACT: European Multidisciplinary Platform Against Criminal Threats
FIOD: Dutch Fiscal Information and Investigative Service
GDPR: General Data Protection Regulation
GPU: Graphics Processing Unit
I2P: Invisible Internet Project
ICANN: Internet Corporation for Assigned Names and Numbers
SWIFT: Society for Worldwide Interbank Financial Telecommunications
THB: Trafficking in Human Beings
VIDTF: Victim Identification Task Force
VPN: Virtual Private Network
EXECUTIVE SUMMARY

This annual assessment of the cybercrime threat landscape highlights the persistence and tenacity of a number of key threats. In all areas, we see how most of the main threats have been reported previously, albeit with variations in terms of volumes, targets and level of sophistication. This is not for lack of action on the side of the public and the private sector. Rather, this persistence demonstrates the complexity of countering cybercrime and the perspective that criminals only innovate when existing modi operandi have become unsuccessful. Therefore, while much focus in contemporary parlance is on the potential impact of future technological developments on cybercrime, such as Artificial Intelligence, we must approach cybercrime in a holistic sense. Countering cybercrime is as much about its present forms as it is about future projections*. New threats do not only arise from new technologies but, as is often demonstrated, come from known vulnerabilities in existing technologies.

This year’s IOCTA demonstrates that for all cybercrime, data remains the key element, both from a crime perspective and from an investigative perspective. Criminals target data for their crimes, making data security with respect to organisations and awareness of consumers all the more important. Data security has taken centre stage even more after the implementation of the General Data Protection Regulation (GDPR). While it is too early for a full assessment, the response to data breaches — through media headlines and high fines — will potentially have a positive impact and lead to enhanced data security.

Ransomware remains the top threat in this year’s IOCTA. Even though we have witnessed a decline in the overall volume of ransomware attacks, those that do take place are more targeted, more profitable and cause greater economic damage. As long as ransomware provides a relatively easy income for cybercriminals, and continues to cause significant damage and financial losses, it is likely to remain the top cybercrime threat.

In the area of payment fraud, we continue to identify card not present (CNP) fraud as the main priority — as reported by law enforcement and confirmed by private sector reporting in the payment fraud arena. Criminals primarily manage to carry out CNP fraud through data gathered from data security breaches and social engineering.

Data returns to the discussion of other threats as well. A crucial priority reported by both Member States and the private industry is Business Email Compromise (BEC). While BEC is not new, it is evolving. This scam exploits the way corporations do business, taking advantage of segregated corporate structures, and internal gaps in payment verification processes. Such attacks vary by the degree of technical tools used. Some attacks can successfully employ only social engineering, while others deploy technical measures such as malware and network intrusion. In both cases, data is again at the centre of the crime scene.

While using ransomware to deny an organisation access to its own data may be the primary threat in this year’s report, denying others access to that organisation’s data or services is another significant threat. Distributed Denial of Service (DDoS) attacks are yet another data-focused threat to cope with. Of all the motivations behind such attacks, those with an extortion element were overwhelmingly the most prevalent.

Whereas criminals require data for most of their crimes, law enforcement needs access to relevant data for their investigations. Indeed, the ability of law enforcement agencies to access the data needed to conduct criminal investigations is an increasing challenge. This is a result of technological developments, such as the enhanced use of encryption which criminals abuse to obfuscate their tracks, as well as cryptocurrencies to hide their illicit earnings. However, inaccessibility of relevant data also comes due to legislative barriers or shortcomings, which we must overcome to enhance cross-border access to electronic evidence and the effectiveness of public-private cooperation through facilitated information exchange.

These barriers are often related to the principle of territoriality, which sets limits to the scope of jurisdiction and to the investigative powers which law enforcement and judiciary have at their disposal under their national law. As a result, the tools in the hands of investigators and prosecutors do not correspond to what would be needed to deal with data flows, for which questions of territoriality are of no relevance.

At the same time, there is also the ever-increasing challenge of data overload, as we can see in the area of online Child Sexual Exploitation (CSE). The amount of Child Sexual Exploitation Material (CSEM) detected online by law enforcement and the private sector continues to increase. This increase puts a considerable strain on law enforcement resources and requires a response to ensure that the volume of data does not impede law enforcement authorities’ responsibility to conduct criminal investigations into CSEM. This is one example where innovation and law enforcement agencies must innovate to find ways to digest the increasing volumes of data coming in.

Related challenges also demonstrate how the evolution of existing threats is often a result of scale. Self-generated explicit material (SGEM) is more and more common, driven by a growing number of minors with access to high-quality smartphones. On top of this growing access, a lack of awareness about the risks on the side of minors exacerbates the problem. At Europol, through the organisation of the first European Youth Day, we have specifically aimed to enhance minors’ awareness about online risks. The online solicitation of children for sexual purposes remains a serious threat, with a largely unchanged modus operandi in terms of grooming and sexual coercion, demonstrating again the tenacity of existing forms of cybercrime.

Access to data allows criminals to carry out various forms of fraud. Such data is also available on the dark web, which is often a key enabler of many other forms of illegal activity. Within this report, it once again becomes evident how the dark web underpins many crime areas and how investigators highlight the phenomenon as a priority.

Moreover, as the dark web evolves, it has become a threat in its own right, and not only as a medium for the sale of illicit commodities such as drugs, firearms or compromised data. The impact of law enforcement action in this arena is palpable as the environment remains in a state of flux. As a result, more coordinated investigation and prevention actions targeting the phenomenon are required, demonstrating the ability of law enforcement to have a lasting impact and deterring users from illicit activity on the dark web.

As more and more companies outsource areas of their business, such as moving more infrastructure to third-party cloud services, we expect to see a growth in supply chain attacks, and the evolution of such attacks to become increasingly complex. This develops a clear interdependency between organisations and leads to the necessity of having a higher level of cybersecurity across the spectrum to ensure the minimisation of successful cybercrime attacks. When an attack does occur, being prepared to respond rapidly is essential. Therefore, building on important steps already taken, we need to continue to enhance synergies between the network and information security sector and the cyber law enforcement authorities, in order to improve the overall cyber resilience of the entire cybersecurity ecosystem.

The IOCTA is a resource for the intelligence-led deployment of law enforcement resources. It also contains recommendations for policy-makers and for the orientation of further research and prevention measures. The diversity and complexity of online threats is such that the full range of public and private actors must work together to make progress in prevention, legislation, enforcement and prosecution. All of these elements are necessary in order to disrupt organised crime activity and reduce the online threat to businesses, governments and, above all, EU citizens.

* These were usefully explored in Europol’s recent publication “Do Criminals Dream of Electric Sheep? How Technology Shapes the Future of Crime and Law Enforcement” (https://www.europol.europa.eu/publications-documents/do-criminals-dream-of-electric-sheep-how-technology-shapes-future-of-crime-and-law-enforcement)
#1 KEY FINDINGS

#2 RECOMMENDATIONS

PAYMENT FRAUD
Cooperation between the public and the private sector as well as within the sectors is crucial to come to fruitful results. To this point, speedy and more direct access to and exchange of information from the private sector is essential for Europol and its partners.

THE CONVERGENCE OF CYBER AND TERRORISM
Cross-platform collaboration and a multi-stakeholder crisis response protocol on terrorist content online would be essential to crisis management in the aftermath of a terrorist attack.

A better understanding of new and emerging technologies is a priority for law enforcement practitioners. Upcoming policy debates and legislative developments should take into account the features of these technologies in order to devise an effective strategy to prevent further abuse.

Law enforcement must continue to build trust-based relationships with cryptocurrency-related businesses, academia, and other relevant private sector entities, to more effectively tackle issues posed by cryptocurrencies during investigations.

Despite the gradual implementation of the Directive (EU) 2018/843 of the European Parliament and of the Council[1] (known as AMLD 5, the 5th Anti-Money Laundering Directive) across the EU, investigators should be vigilant concerning emerging cryptocurrency conversion and cash-out opportunities and share any new information with Europol.
#3 INTRODUCTION

Aim
The IOCTA aims to inform decision-makers at strategic, policy and tactical levels in the fight against cybercrime, to direct the operational focus for EU law enforcement. The 2019 IOCTA will contribute to the setting of priorities for the 2020 EMPACT operational action plan in the three above-mentioned sub-areas of the EMPACT priority of cybercrime, as well as cross-cutting crime enablers.

Scope
The 2019 IOCTA focuses on the trends and developments pertinent to the above-mentioned priority crime areas. In addition to this, the report will discuss other cross-cutting factors that influence or impact the cybercrime ecosystem, such as criminal abuse of cryptocurrencies and social engineering.

This report provides an update on the latest trends and the current impact of cybercrime within Europe and the EU. Each chapter provides a law enforcement-centric view of the threats and developments within cybercrime, based predominantly on the experiences of cybercrime investigators and their operational counterparts from other sectors. Furthermore, it draws on contributions from strategic partners in private industry and academia to support or contrast this perspective. The report seeks to highlight future risks and emerging threats and provides recommendations to align and strengthen the joint efforts of EU law enforcement and its partners in preventing and fighting cybercrime.

Methodology
The 2019 IOCTA was drafted by a team of Europol analysts and specialists drawing predominantly on contributions from 26 Member States and European third-party members, the European Union Cybercrime Taskforce, Eurojust, Europol’s Analysis Projects Cyborg, Dark Web, Terminal, Twins and the Cyber Intelligence Team of Europol’s European Cybercrime Centre (EC3), via structured surveys and feedback sessions. This has been enhanced with open source research and input from the private sector, namely EC3’s Advisory Groups on Financial Services, Internet Security and Communication Providers. These contributions have been essential to the production of the report.

Acknowledgements
Europol would like to extend thanks to all law enforcement and private sector partners who contributed to this report, in particular the European Banking Federation (EBF) and the EC3’s Academic Advisory Network.
#4 CRIME PRIORITY: CYBER-DEPENDENT CRIME

4.2 » RANSOMWARE

Ransomware evolves as it remains the most prominent threat

The majority of private sector reporting indicates that there was a notable decline in ransomware attacks throughout 2018[4]. This may be attributable to a number of factors: an increased awareness among potential victims — fuelled by industry and law enforcement initiatives to mitigate the threat (such as NoMoreRansom); the increasing use of mobile devices by consumers (with most ransomware targeting Windows-based devices); and a decline in the use of exploit kits (which were a key delivery method).

Despite this, the number of victims is still high, and ransomware clearly and overwhelmingly retains its position as the top cyber threat faced by European cybercrime investigators, the second most prominent threat for the private sector[5], and one of the most common samples submitted to the Europol Malware Analysis Solution (EMAS). Moreover, as long as ransomware provides a relatively easy income for cybercriminals, and continues to cause significant damage and financial losses, it is likely to remain the top cybercrime threat.

Investigators cited over 25 individual identifiable families of ransomware, targeting citizens, and private and public entities within Europe. Several of these featured more prominently in law enforcement reporting, including the various versions of Dharma/CrySiS, ACCDFISA, GlobeImposter, and Rapid. GandCrab, Locky, and Curve-Tor-Bitcoin-Locker also featured prominently in EMAS submissions. While the Rapid ransomware only surfaced in January 2018, the other families, and many of the less frequently reported families, have been in circulation for several years, highlighting the persistence of these threats once released into the wild.

Attacks shift to more valuable targets

Last year law enforcement began to see the shift from untargeted, scattergun attacks affecting citizens and businesses alike, to more targeted attacks. Both European law enforcement and Europol’s private sector partners confirm a diminishing number of ransomware attacks targeting individual citizens, and more attacks specifically engineered towards individual private and public sector entities. This is also a likely explanation for the apparent decline in the overall volume of attacks.

While targeting specific companies is potentially more labour-intensive and technically challenging, requiring the attackers to follow the cyber kill-chain[6], it also means that attackers are able to pitch the ransom for decrypting the victim’s files based on the victim’s perceived ability to pay. For example, there are cases where a company’s encrypted files have been ransomed for over EUR 1 million.

Remote desktop protocols and emails remain the key infection methods

Such targeted cyber-attacks require specific tactics to infect the target network. The trend in the use of social engineering and targeted phishing emails as a primary infection method continues from last year. Some reports highlight that as many as 65 % of groups rely on spear-phishing as their primary infection vector[7]. The use of vulnerable RDPs also continues to grow. Attackers can either brute force access to a target’s RDP or often can buy access to the target network on a criminal forum. In this area, the importance of patching once again becomes apparent. In May 2019, for example, Microsoft published the security vulnerability CVE-2019-0708, named sometime later as BlueKeep. An attacker can exploit this vulnerability by connecting via RDP to the target machine and sending specifically crafted requests. This particular vulnerability requires neither victim interaction nor user authentication, allowing any attacker who succeeds in exploiting the vulnerability to execute arbitrary code on the compromised machine. The exploit works completely filelessly, providing full control of a remote system without having to deploy any malware. In addition, it also does not require an active session on the target. Almost one million devices may be vulnerable to this exploit[8]. Unfortunately, the vast majority of these

Case study: Ransomware attacks against local and state government agencies in the United States

Most visible ransomware attacks in 2019 were those against local governments, specifically in the United States. This trend commenced earlier. In 2018, a ransomware attack paralysed the city of Atlanta for several weeks and this only proved to be the tip of the iceberg. After that, already more than half a dozen cities and public services across the US had fallen victim to ransomware, on a near-monthly basis[11]. Other examples of 2019 include Baltimore and Florida. The Governor of Louisiana even declared a state of emergency after another local ransomware attack[12]. According to an extensive historical overview of ransomware attacks targeting local and state governments, based on public disclosures, every state in the US has been hit with an attack with the exception of Delaware and Kentucky[13]. Whether this trend will also become a threat to Member States is something to be seen, but the experiences in the US definitely function as a warning.
Case study

[Infographic: No More Ransom (NMR). 151 partners, broken down into law enforcement, public-private entities, academia, EU agencies, CERTs, non-profit/public organisations, telcos and financial services. 82 decryption tools covering 109 ransomware families; 200K victims helped; $108M in criminal profit prevented; 188 countries have accessed the NMR portal. Tools / families per contributor: Emsisoft 32 / 32, Avast 11 / 11, Bleeping Computer 7 / 9, Bitdefender 7 / 7, Kaspersky 5 / 30, Check Point 5 / 5, McAfee 3 / 4, Cisco 3 / 6, CERT_PL 2 / 2, ESET 2 / 2, Trend Micro 2 / 27, French Police 1 / 1, Telefónica 1 / 1, F-Secure 1 / 1.]

[Diagram: web skimming attack flow. Shared libraries injected with a malicious script get loaded by the front-end online store from the web server; the user loads the skimming script and unwittingly sends payment information to the attackers’ server. Affected parties: web server, front-end online store, user, attacker’s server.]

― Professor Alan Woodward, University of Surrey, UK
Industry insight

[Infographic: 89,000+ data breach notifications; 500,000 organisations are estimated to have registered DPOs; 280,000+ cases received by DPAs; 440+ cross-border cases.]
Operation ShadowHammer

In January 2019, Kaspersky Lab discovered that a server for a live software update tool for users of ASUS products had been compromised by attackers and that an estimated 500 000 Windows machines had received a compromised file that effectively acted as a backdoor to the devices for the attackers. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company. However, the malware was designed to only activate on about 600 unique machines, based on their MAC addresses, indicating that despite the number of affected machines, the attack was extremely targeted[25].

…about GDPR now is whether companies will become complacent and downscale their privacy programs[18]’. At the time of its one-year anniversary, the largest fine issued — to Google — did not concern a data security breach, rather the French Data Protection Authority issued the fine because of the processing of data by the company.

After the passage of the one-year anniversary mark, however, at least two companies received a ‘headline’ fine. The United Kingdom’s Information Commissioner’s Office (ICO) issued its biggest penalties to date when it fined British Airways for GBP 183 million[19] and the Marriott for nearly GBP 100 million[20]. The fines are perceived as a wake-up call to improve means of data security on the side of companies that handle customer data. In this sense, the impact of such an action based on legislation such as GDPR could be significant; especially the public coverage of the development can lead to improved security practices. Previous research with regard to investment in cybersecurity demonstrates the value of incidents in terms of enhancing security practices of companies[21]. The magnitude of the fine combined with increasing public awareness of the impact of data compromise must act as a strong incentive for boards to closely examine their cybersecurity posture. At the same time, high fines could also backfire, as it could bring the potential for GDPR extortion back into the discussion[22].
4.5 » ATTACKS ON CRITICAL INFRASTRUCTURE

[Diagram: Emergency Response Protocol cycle. Stages shown include early detection and identification of a major cyber-attack, threat classification, emergency response protocol, emergency response coordination centre, OSINT and coordination, tactical coordination, operational action plan, enforcement and closure.]
Financial sector increasingly hit by APT-style cybercrime gangs

Another area of concern, highlighted by both European law enforcement and Europol’s private sector partners, is attacks directed at internal networks within the financial sector. There are a growing number of cases of complex attacks on banks by sophisticated cyber-crime gangs employing Advanced Persistent Threat (APT)-style tactics to take control over certain aspects of a bank’s internal network. Such attacks can manipulate internal fund transfer systems, such as those interfacing with the SWIFT network, in order to make illicit payments, or take control of card processing systems to allow mass cash-outs at ATMs.

Financially motivated criminal APT-style groups such as Cobalt, MoneyTaker, and Silence largely carry out such attacks[32]. In some instances however, nation states are involved, such as in the case of the Lazarus group. This APT group, which has ties to North Korea, was allegedly responsible for over half a billion USD in cryptocurrency thefts since 2017[33], and ongoing attacks against banks in South East Asia[34].

Cryptocurrency exchanges continue to be a magnet for financially motivated hacking groups. In 2018, over USD 1 billion in cryptocurrencies were stolen from exchanges and other platforms worldwide[35].

Such attacks not only result in huge criminal profits, but cause severe reputational damage to the victims and undermine confidence in the financial sector as a whole.

4.6 » WEBSITE DEFACEMENT

Defacing websites — a gateway to more serious cybercrime

While not a top priority for any individual country, collectively a significant number of European states have highlighted simple website defacement as one of the priorities for their jurisdiction. This implies that such activity, while low impact, is sufficiently common to result in a significant number of cases and commands a corresponding proportion of limited law enforcement resources.

The motive behind such attacks varies, but is typically for political/ideological reasons, or without purpose and purely malicious. The latter likely represents budding cybercriminals testing their capabilities.

The reason this crime area has been highlighted as a key threat is that by investigating these attacks, it provides law enforcement the opportunity to intervene with the perpetrators at an early stage in their cybercrime career. This could be a pivotal moment in preventing them from pursuing a career in cybercrime, which is the foundation of many national cybercrime prevention campaigns.
For the second year running, data stealing malware did not feature
prominently in law enforcement reporting, with only two Member
States stating it as a priority. What industry reporting highlighted,
is that criminals use some banking Trojans, particularly those with
a modular and therefore variable functionality, such as Emotet and
Trickbot, more for their network intrusion and malware delivery
capabilities than simply their data-stealing capacity37. In some
cases, criminals use such malware to install other malware,
including ransomware.
CRYPTOMINING
MOBILE MALWARE
The majority of attacks rely on existing modi operandi and benefit from known vulnerabilities. Often, existing attacks will spread to previously untapped victims, such as ransomware targeting data centres or backup servers, and existing attack tools will continue to evolve, such as banking Trojans routinely incorporating self-propagating worm functionality.

New threats do not only arise from new technologies but, as is often demonstrated, come from pre-existing vulnerabilities in pre-existing technologies. For example, Memcached was first released in 2003[41] and yet the first DDoS attack exploiting it only occurred 15 years later.

As more and more companies outsource areas of their business, we expect to see a growth in supply chain attacks, and the evolution of such attacks to become increasingly complex. Cloud services pose a particular risk in this regard, as one company is likely to store the data for multiple clients, marking itself as a valuable target for financially motivated criminals and having a major impact if compromised.

While attacks on internal bank systems, which may interface with the SWIFT network, may have been mitigated by banks that have implemented the SWIFT recommended security program, it is not unlikely that sophisticated attackers could identify other upstream applications that generate transfers and similarly exploit those in a comparable fashion.

Various entities within the cryptocurrency ecosystem have presented themselves as profitable targets for competent cybercriminals. As crimes that traditionally target fiat currencies continue to evolve towards targeting cryptocurrencies, we will see more financially motivated APT-style cybercrime gangs shift their focus to any entity with large cryptocurrency assets[42] — hacking exchanges and manipulating the Blockchain with 51 % attacks*.

In early 2019, the Internet Corporation for Assigned Names and Numbers (ICANN) issued a warning over an ‘ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure’. The warning relates to attacks with the potential to see data in transit, redirect traffic or allow attackers to ‘spoof’ specific websites. It is likely that either further existing, ongoing attacks on the DNS infrastructure will come to light, or that a new incident will occur.

* 51 % attacks can hypothetically occur when attackers control 51 % of the blockchain hashing power and can effectively double spend cryptocurrencies by reversing transactions.

― Dr Jonathan Lusthaus, University of Oxford, UK
4.9 » RECOMMENDATIONS
#5 child sexual
exploitation
online
5.3 » ONLINE
SOLICITATION
OF CHILDREN FOR
SEXUAL PURPOSES
#SaferInternetDay

Do you really know who is on the other side? Not everyone is who they claim to be on the internet. Child sexual offenders may pose as someone young to gain your trust and explicit pictures.

SENDING AN INTIMATE PICTURE OF YOURSELF TO SOMEONE? CONSIDER THE WHOLE PICTURE
That image can become public.
The receiver may share it with other people (accidentally or voluntarily).
Your data could be hacked.
You or the receiver could lose the phone or have it stolen, compromising the security of the files.
5.4 » PRODUCTION OF SELF-GENERATED EXPLICIT MATERIAL
#6 payment fraud
marketing and chatbots. This means that when the code from one of these vendors is compromised, the compromise affects all of the websites that contract with the vendor [49]. This also connects to the increasing threat and growing concern with respect to supply chain attacks (see Industry insight in section 4.3).

The European Central Bank (ECB) also recognises the ‘ongoing shift of fraud from the card-present to the card not present environment’. Data seems readily available. 23 million stolen credit cards are for sale on the dark web in the first half of 2019 [50]. With all the data available and accessible for criminals, the focus ought to be on monitoring and detection of accounts as a means to curb the number of frauds and the amount of damage. From that perspective, the ECB notes how ‘the market has started to develop a plethora of fraud prevention and detection security tools with the objective of bringing online fraud rates down (e.g. implementation of 3D Secure, risk-based analysis, Tokenization) [51]’.

fingerprints contain all the necessary information to enhance the possibility of avoiding detection mechanisms of companies, namely e-commerce. Criminals obtain the fingerprints as real-time fingerprints or generated when scratched by the bot from the user’s device.

The platform provides a simple user-friendly interface which allows other criminals to set up a different digital identity. This way it is much easier for criminals to commit fraud compared to purchasing compromised credit card details or account details and risk the detection of security measures.

CNP fraud used to facilitate other forms of crime

Whereas we often discuss CNP fraud purely from a financial perspective, this type of crime also facilitates other types of illegal activity. Examples include the facilitation of illegal immigration and more specifically Trafficking in Human Beings (THB). Criminals do this through the purchase of plane tickets with compromised credit card credentials, booking hotels, rentals, etc. They do this through CNP fraud in combination with forged identification documents.

One of our cases illustrates how CNP fraud can underpin and facilitate other forms of illegal activity. In September 2018, with the support of Europol and Frontex, two suspects were arrested in a series of coordinated raids across Germany and Sweden in an investigation targeting a Syrian OCG suspected of cyber fraud. The arrestees are believed to be the key organisers of a cyber fraud gang.
case study

The German Federal Criminal Police Office initiated operation Goldring in October 2017. The intelligence-led operation uncovered an OCG, composed of Syrian nationals, which was involved in fraudulently purchasing airline and train tickets. According to information from Germany, more than 493 fraudulent bookings were identified. The tech-savvy smugglers avoided detection by making the bookings using compromised corporate credit cards and credentials, purchased online from other criminals offering them for sale.

The private sector brought the fraudulent transactions to the attention of law enforcement, highlighting once again how instrumental public-private partnerships are in fighting this type of fraud. This effective working relationship has been established over the course of recent years as a result of Europol’s Global Airport Action Day, a recurrent operation bringing together law enforcement, the airline industry and payment card companies to target airline fraud. As part of this operation, Europol and Frontex have jointly identified significant crossovers between payment card fraud and irregular migration and THB, leading to a number of arrests in recent years. The operational successes have confirmed this trend.

6.3 » SKIMMING

Skimming surfaced as the second priority as reported by investigators of payment card fraud within the Member States throughout 2018. As one Member State describes, ‘the phenomena of credit card fraud continue to evolve with increasingly sophisticated skimming or shimming tools, often deployed by criminal groups from Central Europe or the Balkans, in real raids targeting the whole continent’. Industry also confirms the lingering threat of skimming. In general, the European Payment Council (EPC) echoes law enforcement reporting when it states how skimming remains one of the most common frauds [52]. The ongoing threat of skimming is the direct result of the fact that not all payment terminals and ATMs in Europe contain the necessary anti-skimming measures. This makes the copying of magnetic-stripe track data at Point of Sale terminals and ATMs possible and still a predominant type of fraud in Europe. Subsequent usage of a cloned magnetic-stripe payment card is hardly possible in the European area since the industry has secured cards with Europay, MasterCard and Visa (EMV) chip technology. On a global level, the situation is different, especially with concern to countries that have yet to introduce EMV compliance. As a result, this remains a major concern for European card issuers.

Law enforcement provides the same perspective on the matter. As one respondent writes: ‘The European card data collected is then resold, both on the Darknet and via traditional websites. Several cases by the judicial police have shown that this fraudulently acquired data is being reused in bank withdrawals, mainly in America and South-East Asia’. Other Member States echo this conclusion. As long as EMV compliance in those parts of the world remains absent, skimming cards and subsequently using the data remains profitable. The EPC confirms this when it writes: ‘Concerning card payment fraud, as long as the mag-stripe is needed for international transactions, skimming will remain an issue [53]’.

Deep insert skimmers frequently used by criminals

With respect to the modus operandi, several Member States describe how suspects use deep insert skimmers in order to copy the data stored on the magnetic stripe. This type of skimmer is composed of metal or plastic. The criminal also installs a camera on the ATM in order to steal the PIN. Other Member States specifically report on investigations pertaining to criminals who actually prepare and distribute the devices for skimming. Different OCGs then use these devices to skim ATMs both in and outside the EU. Software skimming malware intercepts card and PIN data at the ATM, allowing the criminal to copy the data and later create counterfeit cards for use at non-EMV compliant ATMs. Alternatively, criminals send the skimmed data with the PIN codes to other offenders to facilitate the unauthorised withdrawals from ATMs outside the EU.
6.4 » JACKPOTTING
Nowadays, jackpotting — also referred to as black-box attacks — to cash-out the ATM is the most widespread type of logical ATM attack. Criminals perform jackpotting in one of two ways. Either the criminal uses malware which sends commands to the dispenser, or uses their own ‘black box’ hardware device connected directly to the dispenser, to cash-out the ATM and empty it of cash. These attacks can only be performed against certain ‘old’ ATMs which, due to lower security standards, are vulnerable to these types of attacks. The majority of reported jackpotting attacks have involved some physical access to the ATM. This is the main obstacle for criminals, since physical access increases the risk of being caught.

Several Member States describe how perpetrators have committed these attacks or at least attempted to do so. This may also be due to the necessary equipment becoming more available and accessible. WinPot and Cutlet Maker are both available on the dark web [54]. This seems to be an unusual development, as ATM hackers have generally kept their work more protected [55]. According to one law enforcement respondent, ‘attacks on ATMs using the “jackpotting” technique have diversified and intensified’. The same Member State describes how in 2018, its law enforcement unit recorded 39 cases, including 27 attempts, mainly in the capital region. The financial losses from such attacks can vary between EUR 2 200 and EUR 128 800 depending on the point of attack. Based on law enforcement intelligence, the authors of the malware appear to come from Romania, Moldova and Russia.

Jackpotting attacks appear to be evolving

Compared to last year, jackpotting attacks appear to be evolving. According to one Member State, the modus operandi of piercing the front of an ATM in order to connect a computer seems to have disappeared. Criminals appear to have started using different methods. The first method consists of disconnecting the front of the ATM from its base in order to allow direct access to the connections. The second method requires simply removing the screen from the ATM and a few technical operations in order to access also the connections of the server managing the cash registers. One Member State reported three cases of black box attacks in 2018, where the attacks involved melting a hole above the monitor of the ATM and plugging a USB cable into the ATM’s printer cable. Other Member States confirm this modus operandi. Once criminals have gained physical access, they use, for example, the Cutlet Maker software. More recent cases involved criminals breaking the deposit slot plastic, opening the monitor and connecting the ATM USB cable. Subsequent withdrawal of cash occurred through usage of the software ATMdesk.

Some law enforcement respondents do indicate how in certain cases perpetrators get to the ATM without any damage, using the original key to install a laptop that connects to the USB output. The laptop is also connected to the internet via hotspot from a prepaid phone. The laptop is removed after withdrawing money. Overall, the time of the ATM attack is about 10 minutes.
6.6 » FUTURE THREATS AND DEVELOPMENTS
HOW DOES IT WORK?

A fraudster calls or emails posing as a high ranking figure within the company (e.g. CEO or CFO). They have good knowledge about the organisation. They require an urgent payment. Often, the request is for international payments to banks outside Europe. Instructions on how to proceed may be given later, by a third person or via email. The employee transfers funds to an account controlled by the fraudster.

Direct contact from a senior official you are normally not in contact with
Pressure and a sense of urgency
Threats or unusual flattery/promises of reward

AS A COMPANY
Be aware of the risks and ensure that employees are informed and aware too.
Encourage your staff to approach payment requests with caution.
Implement internal protocols concerning payments.
Implement a procedure to verify the legitimacy of payment requests received by email.
Establish reporting routines for managing fraud.
Review information posted on your company website, restrict information and show caution with regard to social media.
Upgrade and update technical security.

AS AN EMPLOYEE
Strictly apply the security procedures in place for payments and procurement. Do not skip any steps and do not give in to pressure.
Always carefully check email addresses when dealing with sensitive information/money transfers.
In case of doubt on a transfer order, consult a competent colleague.
Never open suspicious links or attachments received by email. Be particularly careful when checking your private email on the company’s computers.
Restrict information and show caution with regard to social media.
Avoid sharing information on the company’s hierarchy, security or procedures.
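One way to turn the employee-side checks above (look-alike sender address, a senior figure's name on the wrong mailbox, pressure and urgency, instructions deferred to a third party, a beneficiary bank outside Europe) into an automated pre-approval screen is a red-flag scorer run over the incoming message. The following Python is an added example and is not code from the report or from Europol; the organisation domain, the executive directory, both sample messages and the EU IBAN prefix list are constructed for illustration.

```python
"""BEC red-flag scorer for incoming payment requests (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
COMPANY_DOMAINS = {"example-corp.eu"}
# Display name -> real mailbox of senior staff who might be impersonated.
EXECUTIVES = {"anna berg": "anna.berg@example-corp.eu"}
# IBAN country codes of EU member states (illustrative list), used to spot
# requests for "international payments to banks outside Europe".
EU_IBAN_PREFIXES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}

URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|asap|right away|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|remit)\b", re.I)
# "Instructions on how to proceed may be given later, by a third person"
DEFERRED = re.compile(
    r"\b(details|instructions)\b[^.]*\b(later|follow|separately|lawyer|adviser|consultant)\b",
    re.I)
IBAN = re.compile(r"\b([A-Z]{2})\d{2}[A-Z0-9]{11,30}\b")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_red_flags(raw_message: str) -> list[str]:
    """Return the BEC indicators found in an RFC 822 message (empty = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []

    # "Always carefully check email addresses": look-alike vs. external domain.
    if domain not in COMPANY_DOMAINS:
        if any(0 < levenshtein(domain, d) <= 2 for d in COMPANY_DOMAINS):
            flags.append("look-alike sender domain")
        else:
            flags.append("external sender domain")

    # A senior figure's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        flags.append("executive display name on mismatched address")

    # Replies silently redirected to a mailbox the fraudster controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("Reply-To differs from From")

    # "Pressure and a sense of urgency" attached to a payment.
    if PAYMENT.search(body) and URGENCY.search(body):
        flags.append("urgent payment request")

    # Instructions to be supplied later or by a third person.
    if DEFERRED.search(body):
        flags.append("payment instructions deferred or via third party")

    # Beneficiary account outside the EU.
    for country in IBAN.findall(body):
        if country not in EU_IBAN_PREFIXES:
            flags.append(f"beneficiary IBAN outside the EU ({country})")
    return flags


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """\
From: Anna Berg <anna.berg@examp1e-corp.eu>
Reply-To: Anna Berg <anna.berg.ceo@mail-example.net>
To: finance@example-corp.eu
Subject: Urgent wire

I am in a confidential meeting and need an urgent transfer of EUR 48 000
to our new supplier today. Use IBAN AE070331234567890123456. Further
instructions will follow later from our lawyer.
"""

LEGITIMATE = """\
From: Anna Berg <anna.berg@example-corp.eu>
To: finance@example-corp.eu
Subject: Q3 supplier invoice

Please process the attached invoice from Nordic Parts AS per the usual
procedure. IBAN DE89370400440532013000, payment terms 30 days.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, bec_red_flags(sample))
```

A message that trips several flags is a candidate for the out-of-band verification step the list recommends (call the requester on a known number), not an automatic block.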
Alongside instant payments, developments with respect to the Directive (EU) 2015/2366 of the European Parliament and of the Council [58] (known as the Payment Services Directive 2, PSD 2) are also ongoing. The implementation deadline of the Directive has passed; however, on 14 September 2019, financial service providers (from banks to Fintechs) must adhere to certain security requirements with respect to strong customer authentication. The European Banking Authority (EBA) has indicated that if needed providers can receive an extension. The EBA has a crucial role in the establishment of the security standards with respect to PSD 2. As the EBA notes in its opinion, ‘[o]ne of the fundamental changes introduced by PSD 2 is to formalise payment security requirements in national law. One such requirement is for PSPs to apply SCA to electronic transactions [59]’. In principle, if implemented, the SCA should enhance security; yet, the ability to file for an extension could in theory make certain providers more vulnerable to attacks in case criminals discover SCA is not yet in place by the deadline.

Other developments around the same date are relevant for the criminal landscape. As we reported last year, one of the central issues arising out of open banking revolves around the concept of screen scraping. Screen scraping allows third-party providers to access customers’ interfaces and collect relevant data to gain access to a bank account. While aimed at improving consumer experience, screen scraping is susceptible to man-in-the-middle attacks and other forms of fraud. Given the number of security-related concerns, the European Commission has decided to ban screen scraping from September 2019 as part of the regulatory technical standards of PSD 2. If this goes through, it would be a positive development as it eliminates a criminal opportunity. Despite this, the overall open banking development remains one to monitor from a threat perspective and makes proper and timely implementation of SCA all the more important to manage fraud. As Fortuna notes, ‘[w]ith Open Banking, data will increasingly be passing through a client (a customer) to an open interface, becoming extremely vulnerable to attacks as there is no way to control the customer’s device, whether that be a mobile phone or a web browser. By facilitating access to customer data, third-party providers also become targets for client-side attacks [60]’.

and technology-neutral legal framework is in place. It will help eliminate existing challenges to investigation and prosecution of fraud and is expected to make a very positive impact in the fight against NCPF. A particular focus of the NCPF Directive is on improving cooperation on cross-border fraud cases. Such cooperation requires a fertile environment which facilitates parties to engage in information exchange. Most often, criminals attack the financial sector as a whole rather than a specific institution. As such, information exchange of new modi operandi or ongoing criminal campaigns requires information exchange between private parties as well as between public and private parties.

6.7 » RECOMMENDATIONS

Cooperation between the public and the private sector as well as within the sectors is crucial to come to fruitful results. To this point, speedy and more direct access to and exchange of information from the private sector is essential for Europol as well as its partners.

Organisations must ensure they train their employees as well as make their customers aware of how they can detect social engineering and other scams.
However, for this market growth has been slow due to continued suspicion over law enforcement involvement. Finally, some markets have changed their policies to prohibit the sale of fentanyl and weapons and explosives in an attempt to avoid law enforcement attention, albeit the sale of these commodities continues under different guises and on other sites.

Instead, criminals are exploring alternative means of circumventing law enforcement within the Tor environment. In last year’s report, the suggestion was the closure of larger marketplaces would result in a growth in the number of single-vendor shops and smaller fragmented markets. This forecast is indeed true with confirmed increases in single-vendor shops operating on independent .onion sites and smaller markets, including those catering for specific languages. However, not anticipated last year was the emergence of multi-identity business models, where OCGs maintain multiple profiles online, on multiple platforms, in order to operate as multiple distinct individuals rather than a single entity. By fragmenting their business over a range of online monikers on marketplaces and disparate vendor shops, it reduces the perception of the scale of the OCG, and keeps them under the radar of law enforcement, compared to the attention they might receive operating as a single multi-commodity vendor with a higher customer base. This creates further challenges for law enforcement, as in addition to the usual attribution issues associated with dark web investigations, investigators must also make these connections in order to determine the true scope and scale of an OCG.

In addition to circumventing law enforcement, criminal developers are also motivated by the need to increase trust with their customer-base on Tor, both in terms of anonymity but also by reducing the risk of exit scams. An example of such a market is Black Dog, scheduled for launch in August 2019. It claims to be the ‘first ever truly decentralised crypto market’ and depends on the Ethereum blockchain to facilitate transactions, without the need for a traditional marketplace GUI as found on Tor markets. The market also utilises the smart contracts component of the Ethereum blockchain to allow credible transactions without the need for a third party. As with alternative platforms, it is unclear how, and to what extent, cybercriminals will adopt this type of market model, again taking into account the effects of AMLD 5.

case study

In mid-2018, German authorities identified a Darknet market vendor selling various narcotic drugs, counterfeit currency and counterfeiting equipment. The vendor had been active for over two years on multiple marketplaces and was suspected to be living in Germany.

Officers trained in cryptocurrency investigation were able to identify the vendor as a 35-year-old German national and effect an arrest. The suspect had made over EUR 700 000 over the two years he was active.
Separate to Darknet platforms, predicted last year was that some vendors might migrate their business to encrypted communications applications, running their shops within private channels/groups and even the encrypted messaging platforms evolving into functional marketplaces. Although there does appear to be an increased use of encrypted communications applications to enhance the single-vendor trade on the dark web, helping direct users to services and enabling closed communications, there does not appear to be a full business migration. There have been some instances where group functions have supported functional marketplaces with perpetrators selling different criminal commodities, much like the different sub-forums on a typical online forum. However, these markets, although simple to set up (as the platform provides the infrastructure) and easy to revive if taken down, offer little in the way of security for their customers, i.e. there is no escrow or similar services. They can also be less technically challenging than a Tor-based site to take down, as they sometimes only require an abuse notification sent to the provider, who, if they respond to such requests (not always the case), can ban or delete the group. It is therefore unclear how and to what extent cybercriminals may adopt this market approach, and much of which depends on law enforcement relationships with industry partners in
The currency of the dark web enterprises remains virtual and an estimated USD 1 billion has been spent on the dark web this year alone [63]. Bitcoin remains the most frequently used currency, believed to be a consequence of familiarity within the customer base (see also section 9.4). However, there has been a more pronounced shift towards more privacy-orientated currencies, a trend that it is anticipated will continue as criminal users become more security aware.

More coordinated investigation and prevention actions targeting the dark web as a whole are required, demonstrating the ability of law enforcement and deterring those who are using it for illicit activity. An improved real-time information position must be maintained to enable law enforcement efforts to tackle the dark web. The capability will enable the identification, categorisation and analysis through advanced techniques including machine learning and artificial intelligence.

An EU-wide framework is required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation.

Improved coordination and standardisation of undercover online investigations are required to de-conflict dark web investigations and address the disparity in capabilities across the EU.
#8 the convergence of cyber and terrorism
The loss of the Islamic State’s (IS) territorial control into core areas of Iraq and Syria denied the group one of its most potent propaganda assets. IS’ online capabilities in 2018 reflect the overall collapse of the physical caliphate, previously the central pillar of its project. However, this collapse combined with the group’s battlefield attrition did not stop the group’s online sympathisers from exploiting the internet to advance their cause.

In parallel, the 15 March 2019 right-wing extremism (RWE) motivated terrorist attack on two mosques in Christchurch, New Zealand, has brought about unprecedented elements in the exploitation of the internet for terrorist purposes. The attack’s recorded livestreaming video and the gunman’s manifesto rapidly went viral and gained digital depth, highlighting new challenges in the fight against terrorist content online.

Terrorist groups boast a diversified online infrastructure

Terrorist groups continue to expand and diversify their conduits for the dissemination of their propaganda online. In doing so, they exploit a wide array of OSPs, which are spread across multiple jurisdictions and differ greatly in terms of size, services offered, business models, and abuse policies. While certain platforms are more abused than others, the sheer number of OSPs exploited for terrorist purposes presents a challenge for disruption efforts. These include forums, file-sharing sites, pastebins, video streaming/sharing sites, URL shortening services, blogs, messaging/broadcast applications, news websites, live streaming platforms, social media sites and various services supporting the creation and hosting of websites (including registries* and registrars**). The ongoing abuse of legitimate services by terrorist groups extends also to VPNs, anonymised cryptocurrencies and DDoS mitigation services.

Faced with the loss of its state-building project and increasingly hostile attitudes towards its online propaganda machine, IS continues to reconfigure its tactics to remain relevant online. In spite of intensified takedown campaigns in 2018 by law enforcement and social media platforms — including Telegram — the group still boasts a highly diversified online infrastructure for the dissemination of its propaganda and persists in publishing on a wide array of media and file-sharing sites, especially smaller platforms with reduced capacity for disruptive actions [64].

Similarly, the spread of terrorist content linked to the Christchurch attack involved the concurrent exploitation of multiple kinds of OSPs by different communities of Internet users, spurred by different motives but a common purpose: making this type of terrorist content viral and resilient.

IS propagandists strive to remain relevant online

IS’ critical situation in 2018 had a significant impact on its digital capabilities: propaganda produced by official IS media outlets has visibly declined [65]. The only publication that continued to be issued on a regular basis throughout 2018 was the group’s official Arabic weekly newsletter al-Naba’ (The News). In their quest for virtual survival, IS and its supporters responded to frequent deletions of content in 2018 by promoting ways to enhance online resilience. Pro-IS media outlets, including the al-Saqri Corporation for Military Sciences, Horizons Electronic Foundation and the United Cyber Caliphate became more prolific in providing guidelines on cyber and operational security. The instructions ranged from suggesting

* A registry is an organisation that manages the administrative data for the TLD domains and subdomains under its authority, including the zone files that contain the addresses of the name servers for each domain. Source: Google Domains Help, “About registrars and registries”, https://support.google.com/domains/answer/3251189?hl=en, 2019.
** A registrar is an organisation that manages the registration of domain names for one or more top-level domain (TLD) registries. Source: Google Domains Help, “About registrars and registries”, https://support.google.com/domains/answer/3251189?hl=en, 2019.
secure browsers and privacy-oriented applications to promoting the use of the Tor browser and decentralised platforms. These unofficial but increasingly specialised media outlets also provided advice on how to circumvent account suspension, with suggestions including using channel names and profile pictures that cannot be associated with IS. Additionally, IS sympathisers created multiple versions of the same account, allowing them to swiftly rebound from account suspensions. IS-affiliated websites that act as repositories for the organisation’s propaganda responded to recurrent suspensions by creating new domain names and re-emerging at new locations from backup copies, including from and to the dark web. Yet despite its advantageous features in terms of privacy and resilience, the exploitation of the dark web for propaganda dissemination purposes remained limited and propagandists continued to prefer the visibility and reach afforded by the surface web.

IS continue to seek out new vectors for their online propaganda

of open source, decentralised platforms. Accounts and pages disseminating mostly official IS propaganda have been created on Mastodon, Nextcloud, Rocket.Chat and ZeroNet. The resilient character of these platforms, coupled with multiple options for anonymity and enhanced usability, are all features that play into the online communication and distribution strategies of terrorist groups.

However, jihadist activities on these platforms failed to gain traction in 2018. This is probably due to the alternative platforms’ smaller user base and weaker outreach capabilities. Thus, Telegram remains the platform of choice for terrorist sympathisers, who continue to exploit its advantageous encryption and file-sharing capabilities.

Terror goes viral with Christchurch mosques attack

The Christchurch attack marks a defining point in the fight against terrorist content online: the attack was livestreamed and its recording, alongside the gunman’s manifesto, spread rapidly online. The exceptional virality, velocity and volume of the materials’ online diffusion points to a savvy use of internet technologies and communication, not only by the attacker, but by multiple communities of internet users, beyond RWE sympathisers.

The interplay of online communities who share the same Internet slang and memes contributed to the widespread dissemination of the content and its digital endurance.

Internet users have adopted different techniques to circumvent disruption efforts by OSPs. In particular, edited versions of the Christchurch video appeared to fly under the radar of detection measures enforced by OSPs. Responses by practitioners and OSPs could not measure up to the scale of online dissemination and with the existing cooperation frameworks keeping terrorist content at bay remains challenging.
Up to 0.55 % of all incoming emails were phishing emails [72]
Phishing was present in 78 % of cyber espionage incidents [75]
Much of the IOCTA is focused on the threat posed by criminal actors and their modi operandi. At the same time, it is crucial to reflect on how law enforcement can and does respond to these threats, and what barriers the law enforcement and judicial community encounter in responding. In June 2019, Europol and Eurojust revisited their joint 2017 paper on the Common Challenges in Combatting Cybercrime with a fresh look at how these challenges developed over the preceding two years. Many of these challenges are not unique to cybercrime and cut across all areas of serious organised crime and terrorism.

These challenges are extremely relevant to this assessment and therefore we will summarise some of the most pertinent issues. For full details, including ongoing activities and open issues, readers should refer to the full report [76].

The key challenges remain unchanged and fall into five main areas of discussion.

in 2018 has deprived law enforcement of a number of key sources of data, namely communications data and WHOIS data. In contrast, the wide-scale implementation of carrier-grade network address translation technologies by internet service providers results in often prohibitively large volumes of data (as one IPv4 address may be shared by multiple end-users at once).

In last year’s report, we highlighted the impact of WHOIS ‘going dark’, particularly in the scope of cyber investigations. In September 2018, ICANN published the draft results of a survey that directly measured the impact of the unavailability of WHOIS data. Almost 26 % of respondents indicated that it had resulted in investigations being discontinued, with a further 52 % indicating that it delayed investigations to some degree. Moreover, only 33 % of respondents indicated that WHOIS (at least partially) met their investigative needs, compared to 98 % prior to the changes [77].
investigators access to critical evidence by encrypting their data. The criminal abuse of encryption technologies, whether it be anonymisation via VPNs or Tor, encrypted communications or the obfuscation of digital evidence (especially in cases of CSEM), was a significant threat highlighted by respondents to this year’s IOCTA survey.

Cryptocurrencies are another application of encryption technology, and, as outlined in 13.4, also present significant challenges for law enforcement78.

The loss of location

The increasing level of criminal use of encryption and/or anonymisation tools, crypto-currencies and the Dark Web, as well as the growing use of cloud-based technologies, has also led to situations in which law enforcement may no longer (reasonably) establish the physical location of perpetrators, criminal infrastructure or electronic evidence. The territoriality-based investigative powers and jurisdiction of the competent national authorities offer no appropriate tools to tackle these situations.

Challenges associated with national legal frameworks

Differences between domestic legal frameworks in the member states and international instruments continue to be a serious impediment to the international criminal investigation and prosecution of cybercrime. The main differences relate to the criminalisation of conduct and provisions to investigate cybercrime and gather e-evidence. For example, should legislation that regulates law enforcement presence and action in an online environment be harmonised at EU level, this would allow for more effective joint operational actions such as large-scale botnet takedowns, or increased possibilities to monitor criminal activities online and to lawfully collect critical evidence on the Deep Web and Dark Web.

Obstacles to international cooperation

The lack of a common legal framework for the expedited sharing of evidence continues to hamper criminal investigations and judicial proceedings, with the current process of Mutual Legal Assistance being perceived as too slow to gather and share electronic evidence effectively. The use of the European Investigation Order (EIO) may go some way towards addressing these issues for the majority of Member States, but may not provide the speed that is required to capture electronic evidence.

Another issue under this banner is law enforcement’s ability to respond to large-scale cyber-attacks, particularly where such attacks rapidly affect multiple industries across a range of sectors and geographies, such as the WannaCry and NotPetya attacks of 2017. Such attacks constitute a specific challenge to international cooperation.

Challenges of public-private partnerships

The private sector plays a key role in many cyber investigations and cybersecurity activity, being the custodian of crucial data and having essential capabilities in the takedown of criminal infrastructures and the removal of illicit content. Public-private partnerships also play a key role in mitigating cybercrime and increasing cybersecurity through prevention and awareness. There is, however, little consensus on the legal framework that is required to facilitate effective and trust-based cooperation with the private sector, while at the same time regulating legal and transparency issues surrounding that cooperation.

This challenge also includes those associated with new and emerging technologies. The criminal misuse of technology has become an engine of cybercrime, although many of these technologies can equally be dual-purposed to assist law enforcement. Technologies such as quantum computing and artificial intelligence may have applications at both ends of the lawful spectrum*.

* For a more extensive description of these, please see: Europol & Eurojust, First Report of the Observatory Function on Encryption, 2019.
58 IOCTA 2019 CROSS-CUTTING CRIME FACTORS
― Professor Dr Marco Gercke, University of Cologne, Germany