Ransomware remains the top cyber-enabled threat seen by law enforcement agencies, but phishing campaigns, business email compromise, and other types of fraud that now use COVID-19 themes are increasing. Red Sky Alliance has members, clients, and readers from around the world; this article is written from the European Union viewpoint, but its findings apply internationally to the defense against cyber-crime. Our source is the seventh annual Internet Organized Crime Threat Assessment (IOCTA), produced by the European Cybercrime Center (EC3), which is part of Europol, the EU's law enforcement agency.
As Europol Executive Director Catherine De Bolle writes in her introduction to the latest IOCTA, it "provides a unique, law enforcement-focused assessment of emerging challenges and key developments in the area of cybercrime."
The following highlights from the report cover the threats it lists:
- Business Email Compromise (BEC)
BEC attacks continue to rise, Europol warns. "As criminals are more carefully selecting their targets, they have shown a significant understanding of internal business processes and systems' vulnerabilities."
- COVID-19 Themes
Whatever is topical gets tapped by scammers, fraudsters, and others to trick potential victims, and nothing this year has loomed larger than COVID-19.
"Criminals tweaked existing forms of cybercrime to fit the pandemic narrative, abused the uncertainty of the situation and the public's need for reliable information," the report says. But such opportunism is just the latest variation on long-established schemes. "In many cases, COVID-19 caused an amplification of existing problems, exacerbated by a significant increase in the number of people working from home," the report adds.
- Criminal Cooperation
One major malware concern for law enforcement agencies is the extent to which crime gangs are working closely together and sharing malicious code. "Both member states and private sector respondents have noticed an increase in subcontracting and cooperation among threat actors, which has improved their capabilities," the report says. "Similarities in how criminals behind the trio [of] Ryuk ransomware, Trickbot, and Emotet malware operate suggests that criminals across different attack approaches could either belong to the same overall structure or that they are becoming smarter at cooperating with each other."
A similar trend has been seen with ransomware gangs increasingly "cooperating using malware, infrastructure, and money-laundering activities."
- Criminals (Still) Love Cryptocurrency
Following the money continues to be a challenge as criminals tap virtual currency. "Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services," the IOCTA report states. On the flip side, exchanges and wallets where users legitimately store their cryptocurrency also continue to be top targets for criminals.
- Distributed Denial-of-Service Attacks
While the overall quantity of DDoS attacks has recently declined, some individual attacks have nevertheless caused massive disruptions. "Law enforcement agencies also came across cases where threat actors engaged in small attacks against larger organizations, extorting them for money with the threat of conducting larger attacks," the report says.
Another DDoS trend: Targeting smaller organizations that are less likely to have DDoS defenses in place and are thus relatively easy for extortionists to disrupt.
- Modular Malware
In years past, banking Trojans were the favored tool for criminals keen to steal individuals' bank details and drain their accounts. Today, the more common tactic is "more advanced, modular malware," designed to give attackers a much broader range of capabilities, the report states. Of them all, Emotet is malware No. 1, based on the damage it continues to cause.
- Non-Cash Fraud
"Card-not-present fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming - e-skimming - modi operandi," the report notes. "Fueled by a wealth of readily available data, as well as a cybercrime-as-a-service community, it has become easier for criminals to carry out highly targeted attacks," as well as to cash out stolen data, including payment card details.
- Online Child Abuse
Unfortunately, the online distribution of child sexual abuse material as well as exploitation has continued to increase. "As in previous years, the amount of online CSAM [child sexual abuse material] detected continues to increase, further exacerbated by the COVID-19 crisis, which has had serious consequences for the investigative capacity of law enforcement authorities," Europol's report states.
"The Philippines remains the main country where live distant child abuse (LDCA) takes place," Europol says, and cases there surged as "already poor families struggled to generate income and children did not go to school." But a large operation in Romania also revealed "significant levels of live streaming taking place within the country, demonstrating that the EU is not immune to this threat."
- Ransomware
Simply put, "ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay," the report notes. The threat is felt globally. Attacks appear to be getting increasingly targeted and could soon extend to smart cities and devices.
One challenge, however, is the underreporting of such crime by victims. "Considering the scale of damage that ransomware can have, victims also appear to be reluctant to come forward to law enforcement authorities or the public when they have been victimized, and this makes it even more difficult to identify and investigate such cases," says Philipp Amann, head of strategy at Europol's European Cybercrime Center. "What criminals have done is, in addition to taking hostage of the data ... they've added a twist by saying, if you do not pay," then the data will get leaked, potentially triggering an EU General Data Protection Regulation fine, said Nicole S. van der Meulen, head of policy and development at EC3, at a 05 October 2020 press conference.
- SIM Swapping
This is the first IOCTA report to include subscriber identity module (SIM) swapping as one of the major trends. It is included because the tactic has been causing "significant losses" and attracting much more attention from law enforcement agencies, Europol says.
"As a highly targeted type of social engineering attack, SIM swapping can have potentially devastating consequences for its victims, by allowing criminals to bypass text message-based (SMS) two-factor authentication (2FA) measures gaining full control over their victims' sensitive accounts," the report states.
- Smishing Attacks
Smishing - sending fraudulent text messages, often emulating banks - is a fast-rising type of fraud that resembles phishing but that recipients may not regard with suspicion. "As most bank customers receive the advice to be suspicious of emails, customers do not yet have the same level of skepticism towards potentially fraudulent text messages," the report says. "In addition, it is difficult to impossible for banks to protect their customers from smishing attacks, as criminals aim to abuse the Alpha Tag of the SMS thread and Signaling System 7 (SS7) vulnerabilities."
- Social Engineering and Phishing
Social engineering also remains a top threat - especially when it comes to phishing attacks. "Cybercriminals are now employing a more holistic strategy by demonstrating a high level of competency when exploiting tools, systems, and vulnerabilities, assuming false identities and working in close cooperation with other cybercriminals," Europol's report states. "However, despite the trend pointing toward a growing sophistication of some criminals, the majority of social engineering and phishing attacks are successful due to inadequate security measures or insufficient awareness of users ... as attacks do not have to be necessarily refined to be successful."
- Coda to Victims: Please Come Forward
With the release of the latest IOCTA, Europol has again issued a call to victims: Please come forward to help police better understand the full scale of such attacks as well as track targets and tactics. "Not reporting cases to law enforcement agencies not only means you will never get justice, but it can also hamper any wider police investigations. So, the more victims report a crime, the more data law enforcement can gather, and therefore, the more likely connections between different crimes can be established," says EC3's Amann.
Red Sky Alliance offers tools and services to help stop cyber-attacks.
What can you do to better protect your organization today?
- Encrypt all data in transit and at rest.
- Adopt and follow proper data backup and off-site storage policies.
- Implement two-factor authentication (2FA) company-wide; given the SIM-swapping trend noted above, prefer authenticator apps or hardware tokens over SMS codes where possible.
- Join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and regular updates.
- Recommend or require cybersecurity software, services, and devices for all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed promptly.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Our services can help protect against attacks like those described in the IOCTA report. We provide internal monitoring in tandem with RedXray notifications on 'external' threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Please feel free to contact our analyst team for research assistance and cyber threat analysis on your organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941