The Internet Organised Crime Threat Assessment (IOCTA) 2015 2 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 3

TABLE OF FOREWORD 5 CONTENTS ABBREVIATIONS 6 EXECUTIVE SUMMARY 7

KEY FINDINGS 10

KEY RECOMMENDATIONS 12

SUGGESTED OPERATIONAL PRIORITIES 15

INTRODUCTION 16

MALWARE 18

ONLINE CHILD SEXUAL EXPLOITATION 29

PAYMENT FRAUD 33

SOCIAL ENGINEERING 37

DATA BREACHES AND NETWORK ATTACKS 40

ATTACKS ON CRITICAL INFRASTRUCTURE 44

CRIMINAL FINANCES ONLINE 46

CRIMINAL COMMUNICATIONS ONLINE 50

DARKNETS 52

BIG DATA, IOT AND THE CLOUD 54

THE GEOGRAPHICAL DISTRIBUTION OF CYBERCRIME 57

GENERAL OBSERVATIONS 62

APPENDICES 67

A1. THE ENCRYPTION DEBATE 67 A2. AN UPDATE ON CYBER LEGISLATION 70 A3. COMPUTER CRIME, FOLLOWED BY CYBERCRIME FOLLOWED BY …. ROBOT AND AI CRIME? 72 4 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 FOREWORD

These include concrete actions under the three main mandated Threat Assessment (IOCTA), the annual presentation of the areas – child sexual exploitation, cyber attacks, and payment I am pleased to present the 2015 Internet Organised Crime fraud – such as targeting certain key services and products Centre (EC3). offered as part of the Crime-as-a-Service model, addressing the cybercrime threat landscape by Europol’s European Cybercrime growing phenomenon of live-streaming of on-demand abuse of children, or targeted actions with relevant private sector partners ofUsing cybercrime the 2014 for report the asperiod a baseline, under this consideration. assessment Itcovers offers the a cross-cutting crime enablers such as bulletproof hosting, illegal viewkey developments, predominantly changes from a law and enforcement emerging threats perspective in the based field tradingagainst onlinesites on payment Darknets fraud. and The money report muling also identifies and laundering several on contributions by EU Member States and the expert input of services that require concerted and coordinated international Europol staff, which has been further enhanced and combined law enforcement action. academia. with input from private industry, the financial sector and in supporting the implementation of the proposed The assessment highlights the increasing professionalisation recommendationsI am confident that and operational the 2015 IOCTA,actions, will and help Europol’s set priorities work of cybercriminals in terms of how attacks are planned and for an international law enforcement response to cybercrime. orchestrated using both new methods and techniques in addition The last 12 months have shown some remarkable successes by to employing well-known attack vectors, and with an increased risk appetite and willingness to confront victims. forward to celebrating further successes as we move towards EU law enforcement in the fight against cybercrime, and I look The report lists a number of key recommendations to address of traditional policing with our partners in the EU and beyond. 2016 with law enforcement continuing to push the boundaries the growing phenomenon of cybercrime and identifies several for EU law enforcement in the framework of the EMPACT Rob Wainwright priority topics to inform the definition of operational actions Policy Cycle. Director of Europol 6 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

ABBREVIATIONS

IoT Internet of Things AV anti-virus IOCTA Internet Organised Crime AI artificial intelligence APT Advanced Persistent Threat Threat Assessment ATM automated teller machine IP Internet protocol CaaS Crime-as-a-Service ISP Internet service provider CAM child abuse material J-CAT Joint Cybercrime Action Taskforce C&C command and control JIT joint investigation team ccTLD country code top-level domain LE law enforcement CERT computer emergency response team MLAT mutual legal CI critical infrastructure assistance treaty CNP card-not-present MS Member State(s) CP card-present OCG organised crime group CSE child sexual exploitation OSINT open-source intelligence CSECO commercial sexual exploitation P2P peer to peer, or people to people of children online PGP Pretty Good Privacy DDoS Distributed Denial of Service EC3 European Cybercrime Centre PoS point-of-sale EMPACT European Multidisciplinary Platform Against PIN personal identification number Criminal Threats RAT Remote Access Tool EMV Europay, MasterCard and Visa SEPA Single Euro Payments Area EU European Union SGIM self-generated indecent material FP Focal Point SMS short message service I2P Invisible Internet Project SSDP Simple Service Discovery Protocol ICANN Internet Corporation for Assigned Names TLD top-level domain and Numbers Tor The Onion Router ICT information & communications technology UPnP Universal Plug and Play IaaS Infrastructure-as-a-Service URL uniform resource locator IETF Internet Engineering Task Force VoIP Voice-over-Internet Protocol IoE Internet of Everything VPN virtual private network THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 7

EXECUTIVE SUMMARY

shows that cybercrime is becoming more aggressive and confrontational.The 2015 Internet While Organised certain Crime elements Threat of Assessmentcybercrime (IOCTA)such as social engineering have always had an element of interaction between victim and attacker, such contact would typically be of a passive, persuasive nature; otherwise cybercriminals were content to stealthily steal what they wanted with confrontation actively avoided. Today, however, cybercrime is becoming increasingly hostile. Instead of subterfuge and covertness, there is a growing trend of aggression in many cyber-attacks, and in particular the use of extortion, whether it is through sexual extortion, ransomware or by Distributed Denial of Service (DDoS) attacks. This boosts the psychological impact of fear and uncertainty it has on its victims. Whilst the cautious, stealthy approach goes with the stereotype of the uncertain, geeky hacker, the aggressive, confrontational necessitate better sharing of banking malware samples and approach of putting blunt pressure on individuals and businesses criminal intelligence, particularly relating to enabling factors bears the signature of organised crime. such as money mules.

Cybercrime remains a growth industry. The Crime-as-a-Service (CaaS) business model, which grants easy access to criminal breach”, with record numbers of network attacks recorded. products and services, enables a broad base of unskilled, entry- AlthoughThe media thiscommonly undoubtedly referred representsto 2014 as thean “Yearactual of increasethe data level cybercriminals to launch attacks of a scale and scope disproportionate to their technical capability and asymmetric in organisations. The perception of how an organisation handles a breachin attacks, – which it also today signifies is considered a change inevitable in attitude – is crucial. by victim This has led to greater publicity and more frequent involvement of Theterms sphere of risks, of costscybercrime and profits. encompasses an extremely diverse law enforcement in such attacks. Nonetheless, is it is evident that data has become a key target and commodity for cybercrime.

IOCTA,range of ransomware criminality. In attacks, the context particularly of ‘pure’ cybercrime,those incorporating malware Notably, there is blurring of the lines between Advanced encryption,predictably have persists grown as ain keyterms threat. of scale As and projected impact in and the almost 2014 unanimously represent one of the primary threats encountered with both camps borrowing tools, techniques and methodologies by EU businesses and citizens as reported by law enforcement Persistent Threat (APT) groups and profit-driven cybercriminals (LE). Information stealing malware, such as banking Trojans, and the criminal use of Remote Access Tools (RATs) also feature Whilefrom each it is possible other’s forportfolios. organisations to invest in technological means heavily in law enforcement investigations. to protect themselves, the human element will always remain as an unpredictable variable and a potential vulnerability. As such social Banking malware remains a common threat for citizens and engineering is a common and effective tool used for anything from complex multi-stage attacks to fraud. Indeed, CEO fraud – where the cybercriminals. A coordinated effort between law enforcement, attackers conduct detailed research on selected victims and their the financial sector alike, whilst generating sizeable profits for behaviour before initiating the scam – presents itself as a prominent required in order to effectively tackle this problem. This will emerging threat which can result in large losses for those affected. the financial sector and the Internet security industry will be 8 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Child sexual exploitation (CSE) online poses major concerns in It is a common axiom that several respects. Hidden services within the Darknet are used technology, and cybercrime as a platform for the distribution of child abuse material (CAM). with it, develops so fast that law The nature of these services drives the abuse of new victims enforcement cannot keep up. because the production of fresh material is demanded for Whilst this may be true in some membership on child abuse forums and it reinforces the status respects, the vast majority of of the contributors. These offences will require more intensive cybercrimes consist of using cooperation and capacity building in jurisdictions where vulnerabilities that were well- they occur. Law enforcement must focus on identifying and known for quite a while. It is dismantling these communities and forums in which offenders the lack of digital hygiene of citizens and businesses that be paramount. provides fertile ground for congregate. The identification and rescue of victims must also The apparent proliferation of self-generated indecent material reselling proven exploit kits to the (SGIM) can be attributed to the increased availability of mobile expandingthe profitable army CaaS of non-tech-savvy market of devices and their ease of use in producing such content and cybercriminals. Ingenuity often only communicating it to others. Photos and videos of this nature that implement such tools and methods. The those who collect this material or intend to further exploit the scopeextends and to pacefinding of newtrue waysinnovation to use within or victim,are initially in particular shared with by means innocent of extortion. intent often The find volume their of way SGIM to the digital underground is therefore more and the rate of its growth represents a serious challenge for LE. limited than many may believe. Furthermore, a key driver of innovation within cybercrime may The live streaming of child abuse may grow, fuelled by increasing be law enforcement itself. Every law enforcement broadband coverage in developing countries. Commercial success provides impetus for criminals to innovate and target harden with the aim of preventing or mitigating incorporating anonymous payment mechanisms are adopted by further detection and disruption of their activities. offenders.streaming isThis expected development to become further more reinforces prolific as the streaming necessity tools for closer cooperation and enhanced capacity building within the That said, where genuine innovation exists in technology, international law enforcement community. criminals will rapidly seek ways to exploit it for criminal gain. Developing technologies such as Darknets, the Internet of Things, Furthermore, child abuse offenders are facilitated by many of the same services and products as mainstream cybercriminals attack vectors and opportunities for cybercrime, often combined including encryption, anonymisation and anti-forensic tools. Use withartificial existing intelligence, tools and and techniques blockchain such technology as steganography. all provide new of these methods among offenders is no longer the exception but the norm. Increasing abuse of remote storage facilities and The attention of industry is yet not fully focussed on cyber virtual currencies was also observed last year and has continued security or privacy-by-design. Many of the so-called smart to grow since. devices are actually quite dumb when it comes to their security posture, being unaware of the fact that they are part of a botnet Card-not-present (CNP) fraud grows steadily as compromised or being used for criminal attacks. The Simple Service Discovery card details stemming from data breaches, social engineering Protocol (SSDP), which is enabled by default on millions of attacks and data stealing malware become more readily available. Internet devices using the Universal Plug and Play (UPnP) The push towards CNP fraud is further driven by the effective protocol including routers, webcams, smart TVs or printers, implementation of measures against card-present fraud such as EMV (chip and PIN), anti-skimming ATM slots and geoblocking. 1. This trend is only likely to increase as the USA, a primary cash- became the leading DDoS amplification attack vector in the first out destination for compromised EU cards, will implement EMV 1quarter Akamai, of State2015 of the Internet – Security Report, https://www. report.html stateoftheinternet.com/resources-web-security-2015-q1-internet-security- technology as of October 2015. , 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 9

threats reported by EU law enforcement that are deemed most important to take out by means of criminal investigations are bulletproof hosting, criminal expert forums, malware distribution through botnets, CaaS vending sites, counter- anti-virus services and carding sites. Also,

Bitcoins, laundering services and money mules deservefinancial priority. facilitation To the by theextent criminal possible use and of realistic, the focus should primarily be on the arrest of key perpetrators and organised crime groups (OCGs). Yet such an approach should be complemented by dismantling, awareness raising, prevention, dissuasion and asset recovery.

The main investigative challenges for law enforcement are common to all areas of cybercrime: attribution, anonymisation, encryption and jurisdiction. Even cybercriminals with minimal operational security awareness can pose a challenge in terms of attribution due to the range of easily accessible products and services that obfuscate their activity and identity. These include the abuse of privacy networks like I2P and The Onion Router (Tor) for communications and trade, and virtual currencies for criminal transactions. Effective investigations require an increasing volume of digitised data and yet law enforcement often faces inadequate data retention periods and regulations. Encryption is increasingly used to safeguard communications and stored data but also to frustrate forensic analysis and criminal investigations. Cybercriminals continue to The response of law enforcement has produced several successes operate from – or house infrastructure in – jurisdictions where EU law enforcement lacks adequate basis for support. taken are the increasing level of international cooperation betweenin the fight main against cybercrime cybercrime. divisions Strong withinelements the in EUthe andapproach with those of non-EU partners. The alignment of priorities under the operational actions of EMPACT and the establishment of the Joint Cybercrime Action Taskforce (J-CAT) have clearly contributed to that. But also the close involvement of private sector partners, institutions has helped to get a better grip on cybercrime. especially in the Internet security industry and among financial Tactically, some consideration should be given to the investigative focus and approach to increase the effectiveness of operational activities even further. Merely trying to investigate what gets reported is unlikely to lead to the best results. It is important to identify the different components and facilitating factors to addressed most effectively. The key enablers of the pertinent understand with which tactics specific types of crime can be 10 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

KEY FINDINGS

¡¡ Cybercrime is becoming more aggressive and confrontational. fraud. While card-present fraud is slightly in decline, novel Various forms of extortion requiring little technical skills malware attacks on ATMs are still evolving.

increase the psychological impact on victims. ¡¡ Rather than devising novel attack methods, most cyber- suggest changes in the profile of cybercrime offenders, and attacks rely on existing, tried and tested exploits, malware ¡¡ While there may always be a need for laws which compel code and methodologies such as social engineering, which are private industry to cooperate with law enforcement, there re-used and recycled to create new threats.

relationships in order to stimulate the voluntary and proactive ¡¡ The lack of digital hygiene and security awareness contributes engagementis greater benefit of the private in establishing sector. and building working to the long lifecycle and continued sales of exploit kits and other basic products through CaaS models, bringing ¡¡ Malware predictably remains a key threat for private citizens opportunities and gain to the criminal masses. and businesses. Ransomware attacks, particularly those

in terms of quantity and impact. Information stealers, such as bankingincorporating Trojans, encryption, and the criminal were identified use of Remote as a key Access threat Tools both (RATs) also feature heavily in malware investigations.

¡¡ Trojans such as Zeus, Citadel or Spyeye being withdrawn, eitherDue to voluntarily the support or as for a result many of of law the enforcement ‘old school’ action, banking the use of many of these products is in decline, paving the way for a new generation of malware such as such as Dyre or Dridex.

¡¡ The number and frequency of publically disclosed data breaches is dramatically increasing, highlighting both a change in attitude by industry and that data is still a key target and commodity for cybercriminals. Such breaches, particularly when sensitive personal data is disclosed, inevitably lead to secondary offences as the data is used for fraud and extortion.

¡¡ Social engineering is a common and effective tool used for anything from complex multi-stage cyber-attacks to fraud. CEO fraud is one such threat which is emerging, leading to

technical knowledge to commit. significant losses for individual companies and requiring little ¡¡ Payment fraud has seen a further shift to card-not-present fraud, and is increasing in line with the growing number of merchants embracing e-commerce and the implementation of effective measures to combat skimming and card-present THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 11

¡¡ Operation Onymous resulted in an unprecedented mass ¡¡ Growing numbers of children and teenagers own smart phones takedown of Darknet marketplaces and disruption of market that they use to access social media and communication apps. interactions. The underground ecosystem has since recovered This enables the generation and distribution of large amounts of self-generated indecent material (SGIM), which makes number of prominent marketplaces exit scams. these adolescents vulnerable to sexual extortion. to some degree but confidence has been further eroded by a ¡¡ In the aftermath of operation Onymous, there were many ¡¡ The use of anonymisation and encryption technologies is proponents for a shift to allegedly more secure platforms such widening. Although these address a legitimate need for as I2P. This has not occurred however and Tor remains the privacy, they are exploited by criminals. Attackers and preferred platform for underground fora and marketplaces. abusers use these to protect their identities, communications, data and payment methods. ¡¡ Growing Internet coverage in developing countries and the development of pay-as-you-go streaming solutions providing ¡¡ Bitcoin is establishing itself as a single common currency a high degree of anonymity to the viewer, are furthering the for cybercriminals within the EU. Bitcoin is no longer used trend in the commercial live streaming of child sexual abuse. preferentially within Darknet marketplaces but is increasingly being adopted for other types of cybercrime as well. 12 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

KEY RECOMMENDATIONS

INVESTIGATION

¡¡ Cybercrime investigations are often complex and resource stimulate the production of fresh child abuse material, thus intensive. Law enforcement therefore must be granted generating new victims and ensuring the continued abuse of the latitude it requires in order to conduct long-term existing victims. comprehensive investigations for maximum impact without undue pressure to obtain rapid results or arrests. ¡¡ Law enforcement must continue and expand successful initiatives to share knowledge, expertise and best practice ¡¡ on dealing with Bitcoin and other emerging/niche digital currencies in cyber investigations. ofWhile targeting targeting either high shared profile, criminal high infrastructure value targets or suchthe less as ubiquitousmalware developers actors who may provide be beneficial, key support the services,disruptive such effect as CAPACITY BUILDING & TRAINING

a greater division of the cybercrime community and represent ¡¡ In order to counter the increasing occurrence of encryption abulletproof more pragmatic hosting, approach may have for more law enforcement. significant impact across used by offenders, law enforcement should invest in live data forensics capability and prioritise in situ analysis of devices, ¡¡ in order to capture the relevant artefacts in an unencrypted to effectively investigate underlying criminality instead of state. simplyLaw enforcement that which requires is directly greater reported flexibility by victims. and/or resources ¡¡ Investigators must familiarise themselves with the diverse ¡¡ sector and the Internet security industry will be required of digital wallets used by different payment mechanisms. inA coordinatedorder to effectively effort between tackle law banking enforcement, malware. the This financial will range of account and payment references and the file formats necessitate better sharing of banking and ATM malware ¡¡ Law enforcement requires the tools, training and resources to samples (using the Europol Malware Analysis System (EMAS) deal with high volume crime such as payment card fraud and for example) and criminal intelligence, particularly relating to enabling factors such as money mules. for-purpose reporting mechanism. Online reporting channels aresocial considered engineering. to be Such highly crimes suitable also for require high-volume an efficient, crimes fit- of ¡¡ The protection of victims of child abuse is paramount. a minor nature.

equal priority to those directed at the arrest of offenders ¡¡ In order to continue the successes law enforcement has Therefore victim identification investigations should be given demonstrated in tackling crime on the Darknet, law ID databases, taking into account the current and future enforcement must continue to share best practice, knowledge for production of CAM. The efficient use of available Victim and expertise in performing such investigations, focusing as detailed analysis of the material, often lead to successful on such issues as the ability to trace and attribute criminal rescueefforts operations.undertaken by EC3 and Interpol in this field, as well transactions and communication on the Darknet.

¡¡ Law enforcement investigation of CSE must focus on ¡¡ There is a need to inform law enforcement on a broad basis identifying and dismantling the communities and forums about Big Data and the challenges and opportunities that in which offenders congregate. These environments act to come with it. THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 13

PREVENTION PARTNERSHIPS

¡¡ While dismantling or disrupting criminal groups is ¡¡ It is essential for law enforcement to build and develop effective and necessary, adequate resources should be given to prevention strategies in order to raise awareness banks, payments industry, money transfer agents, virtual of cybercrime and increase standards in online safety and currencyworking scheme relationships operators with and the exchangers financial in sector order including to: information security. o Promote the lawful exchange of information and ¡¡ Prevention activity in relation to child sexual exploitation intelligence in relation to areas of criminality such as online should incorporate school visits and explain the banking malware, money mules and fraud; potential impact of SGIM. Real case examples can demonstrate how seemingly harmless interactions may lead to serious o consequences for the victim. initiative to counter the threat of money mules, drawing onIn thisdata regard from Europol’sprivate industry EC3 will and drive law a enforcementcomprehensive in ¡¡ To mitigate the risk of ATM malware attacks law enforcement order to inform and direct EU law enforcement in tackling this key support service.

should promote Europol’s ‘Guidance and Recommendations international level, to banking and payments industry o Establish a secure common channel through which to contacts.regarding Logical Attacks on ATMs’, at a national and pass details of compromised card and account data in order to prevent their subsequent use in fraud.

¡¡ In order to address the under-reporting and cybercrime in general, law enforcement must continue to engage with

ability to investigate both effectively and discretely. private industry to increase confidence in law enforcement’s ¡¡ In the context of the draft Directive on Network and Information Security (NIS), there is a need to improve coordination, active partnership, and relationships between the private sector, law enforcement and the CERT community.

¡¡ Law enforcement should continue to collaborate with the private sector and academia to explore investigative and research opportunities related to emerging technologies

blockchain technology. such as decentralised marketplaces, artificial intelligence and ¡¡ EU law enforcement must develop working relationships and build capacity within law enforcement in non-EU jurisdictions, particularly south-east Asia, in order to improve information sharing and investigative capability in relation to criminality such as live streaming of child abuse and payment card fraud. 14 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

¡¡ EU Member States should provide intelligence relating ¡¡ Legislators and policymakers, together with industry and academia, must agree on a workable solution to the issue comprehensive intelligence picture of hidden services across of encryption which allows legitimate users to protect Europe.to hidden Additionally services to there Europol’s needs EC3to be to greater allow itengagement to build a their privacy and property without severely compromising from non-cybercrime law enforcement in tackling hidden criminal or national security threats. A quantitative analysis much of an issue on these services as cybercrime. ofgovernment the impact of and encryption law enforcement’s on law enforcement ability toinvestigations investigate services. Extremism and the sale of drugs or firearms are as is required in order to support the qualitative arguments in ¡¡ Law enforcement must continue to share information with this debate. and via Europol in relation to high volume crime such as social engineering attacks in order to identify the campaigns that are having the greatest impact, thereby allowing law enforcement to manage its resources more effectively.

¡¡ Law enforcement should seek to actively engage in and share

Airline Action Days2 and E-commerce initiative in order to combatthe success payment of multi-stakeholder fraud in their jurisdiction. initiatives such as Europol’s

LEGISLATION

¡¡ There is still a need for harmonised legislative changes at EU level, or the uniform application of existing legal tools such as laundering regulations to address the criminal use of virtual currencies.

¡¡ In order to effectively investigate closed offender communities on the Darknet and other networks, investigators require rele- vant legal instruments that allow undercover work and the ef-

¡¡ Policymakersficient online use must of traditionalensure the policing swift implementation investigation methods. of the EU Directive on attacks against information systems3 which will introduce tougher, consistent and EU-wide penalties for cyber-attacks and criminalise the use of malware as a method of committing cybercrimes.

2 Europol Press Release, Global Action against Online Air Ticket Fraudsters https://www.europol.europa.eu/content/global-action-

3 EUSees Directive 130 Detained, on Attacks against Information Systems, http://eur-lex.europa. against-online-air-ticket-fraudsters-sees-130-detained, 2015

eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:218:0008:0014:en:PDF, 2013 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 15

SUGGESTED OPERATIONAL PRIORITIES In view of the role of the IOCTA to inform the priority setting for PAYMENT FRAUD the operational action plans in the framework of the EMPACT, and considering the information presented in this report, the ¡¡ Takedowns of carding sites;

¡¡ Targeted actions with relevant private sector partners; following topics are proposed for the forthcoming definition of CYBERoperational ATTACKS actions for EU law enforcement for 2016: ¡¡ ATM malware;

¡¡ Botnet takedowns, in particular those deployed for DDoS ¡¡ (Cyber-facilitated) CEO fraud and phishing. attacks and distribution of banking malware (e.g. Dyre and Dridex); CROSS-CUTTING CRIME ENABLERS

¡¡ Sales of ransomware and exploit kits as part of the CaaS ¡¡ Bulletproof hosting; model; ¡¡ Illegal trading sites on the Darknet; ¡¡ Structured deployment of malware, in particular ransomware and banking malware; ¡¡ Money mules and money laundering services;

¡¡ Data breaches and APTs; ¡¡ Criminal schemes around Bitcoin and other virtual currencies;

¡¡ Counter anti-virus services. ¡¡ Criminal expert online forums.

CSE To the extent possible and realistic, the focus should primarily be on the arrest of key perpetrators and OCGs. This should be ¡¡ Live streaming of on-demand abuse; complemented by dismantling, awareness raising, dissuasion and asset recovery. ¡¡ Sexual extortion; In addition to these predominantly investigative topics, it is also ¡¡ advised to implement facilitating actions around intelligence stimulate active CAM production, in particular on the Darknet; sharing and tactical analysis, especially around the above Lawful infiltration and takedown of online communities that mentioned themes to better enable successful operations. ¡¡ Furthermore, these activities can be complemented by more strategic initiatives around training and capacity building, as Victim identification and rescue. well as prevention and awareness. 16 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

INTRODUCTION

AIM SCOPE was drafted by the European Cybercrime Centre (EC3) at – cyber attacks, child sexual exploitation online and payment Europol.The 2015 It Internet aims to Organised inform decision-makers Crime Threat Assessment at strategic, (IOCTA) policy fraud.The 2015 Where IOCTA relevant, focuses it alsoon EC3’s covers three other mandated related areas crime such areas as money laundering and social engineering. directing the operational focus for EU law enforcement, and in and tactical levels in the fight against cybercrime, with operational a view to The report examines the main developments since the previous action plan in the three sub-areas of the cybercrime4 priority: report, highlighting the increasing professionalisation of cyberparticular attacks, the prioritypayment setting fraud andfor the child 2016 sexual EMPACT exploitation.

thecybercrime use of decentralised and further online refinement platforms of for the criminal CaaS model. purposes In report provides an update on the latest trends and the current andaddition a convergence to the identification of tools and of tactics some usedemerging by different trends suchgroups, as impactBuilding of on cybercrime the broad basiswithin established the EU from in the a law2014 enforcement IOCTA, this the assessment also shows the continuing criminal exploitation perspective. It highlights future risks and emerging threats and of well-known attack vectors and vulnerabilities. provides recommendations to align and strengthen the joint efforts of EU law enforcement and its partners in preventing and the report offers a number of examples of successful law enforcementDespite the identified actions against technical, cybercriminals legal and operational and organised challenges, crime fighting cybercrime. in cyberspace, for instance in relation to the criminal abuse of Tor. At the same time, it highlights the pressure such operations aUnlike slightly the 2014different IOCTA approach which offered and presents a broad, strategica view overviewfrom the put on cybercriminals requiring them to update their modus trenchesof the cybercrime. This year, threatthe focus landscape, is on the the threats 2015 and IOCTA developments has taken operandi and to become more innovative in their attacks. This within cybercrime, based predominantly on the experiences of is evident, for instance, in the increasing tendency towards the cybercrime investigators and their operational counterparts criminal abuse of encryption, anonymity and the increased use from other sectors, drawing on contributions from more of obfuscation and anti-forensic tools and methods. strategic partners in private industry and academia to support The assessment provides an update on topics such as the Internet highlights the threats that are more visibly impacting industry of Things and Big Data that have or are likely to have an impact andor contrast private citizens. this perspective. In this sense the report chiefly on the crime areas covered in this report.

Each chapter provides a law enforcement centric view on the lags behind the criminals they investigate in terms of skills most prominent crimes or threat areas, followed by a prediction orThe technical 2015 IOCTA capability challenges by thehighlighting conception the that successes law enforcement of law of the future developments that are likely to impact law enforcement across the EU and globally in tackling complex enforcements ability to combat the threat. Each chapter ends cybercrime in areas such as the Darknet and dismantling botnets. enforcement to effectively address the threats presented. with a set of specific recommendations predominantly for law

(EMPACT), is a structured multidisciplinary co-operation platform of the 4 relevantThe European Member Multidisciplinary States, EU Institutions Platform and Against Agencies, Criminal as well Threats as third countries and organisations (public and private) to address prioritised threats of serious international and organised crime. THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 17

of the IOCTA is the development ofNot onlinecovered inradicalisation this year’s edition and the proliferation of violent extremism through social media. With the establishment of the EU Internet Referral Unit (EUIRU) at Europol from 1 July subject will be covered next year, 2015, it is most probable that this as a separate product by the newly- establishedeither as part unit. of the 2016 IOCTA or

METHODOLOGY AND ACKNOWLEDGEMENTS analysts within EC3 drawing predominantly on contributions fromThe 2015EU Member IOCTA was States, drafted the byEUCTF, a team Focal of strategicPoints Cyborg, Terminal and Twins, as well as the Cyber Intelligence team, and the SOCTA team via structured surveys, moderated workshops and interviews. This has been enhanced with open source advisory groups, and academia. These contributions have been essentialresearch to and the input production from of the the private report. sector, including EC3’s

Europol would like to extend special thanks to Professor Marco Gercke, Professor Michael Levi and Professor Alan Woodward of the IOCTA Advisory Board for their contributions. 18 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

MALWARE CryptoLocker

affecting EU citizens in terms of volume of attacks and impact onCryptoLocker the victim, is but not onlyis considered identified asto thebe topone malwareof the fastest threat Whether it is used in direct methods of attack or as an enabler growing malware threats. First appearing in September for downstream cybercrime, malware remains one of the key current threats across the EU by EU law enforcement can be 2013, CryptoLocker is. believedCryptoLocker to have is infectedalso a notable over 250 threat 000 looselythreat areas divided within into cybercrime. three categories The malware based on identified their primary as the computers and obtained6 over EUR 24 million in ransom within functionality – ransomware, Remote Access Tools (RATs) its first two months and info stealers. It is recognised that many malware variants amongstIn May EU 2014, financial Operation institutions. Tovar significantly disrupted the are multifunctional however and do not sit neatly in a single Gameover Zeus botnet, the infrastructure for which was also category. For example, Blackshades is primarily a RAT but has used to distribute the CryptoLocker malware7. At the time the botnet consisted of up to one million infected machines Trojans have DDoS capability or download other malware onto worldwide. The operation involved cooperation amongst infectedthe capability systems. to encrypt files for ransom attacks; many banking multiple jurisdictions, the private sector and academia. Tools to decrypt encrypted files are now also freely available from KEY THREAT – RANSOMWARE Internet security companies8. Cryptlocker Ransomware remains a top threat for EU law enforcement. Almost two-thirds of EU Member States are conducting investigations into this form of malware attack. Police ransomware accounts may be due to an increased probability of victim reporting or itfor simply a significant being proportioneasier for victimsof reported to recognise incidents, and however describe. this phenomenon is highly concentrated geographically in Europe, NorthIndustry America, reporting Brazil from and 2014Oceania indicates. that the ransomware 5

CRYPTOLOCKER

and Cryptolocker Ransomware, http://www.europol.europa.eu/content/ 6 international-action-against-gameover-Zeus-botnet-and-cryptolocker-Europol Press Release, International Action against Gameover Zeus Botnet ransomware 7 Europol Press Release, International Action against Gameover Zeus Botnet and Cryptolocker, 2015 Ransomware, http://www.europol.europa.eu/content/ http://download.microsoft.com/download/7/1/ international-action-against-gameover-Zeus-botnet-and-cryptolocker- ransomware 5 Microsoft SIR v18, https://www.decryptcryptolocker.com/ A/71ABB4EC-E255-4DAF-9496-A46D67D875CD/Microsoft_Security_ , 2015 Intelligence_Report_Volume_18_English.pdf, 2015 8 Decryptolocker, , 2014 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 19

CTB-LOCKER Blackshades.NET

Curve-Tor-Bitcoin (CTB) Locker is a more recent iteration of cryptoware using Tor to hide its command and control (C2) infrastructure. CTB Locker offers its victims a selection of toBlackshades typical RAT first functionality, appeared in Blackshades approximately can 2010 encrypt and wasand language options to be extorted in and provides the option to cheaply available (~€35) on hacking forums. In addition the capability to perform DDoS attacks, and incorporates a deny access to files (effectively acting as ransomware), has threatdecrypt by a a “test”number file of for EU free. Member Although States. not This as is widespread supported by as Blackshades users10. CryptoLocker, CTB Locker was noted as a significant and growing “marketplace” to allow users to buy and sell bots amongst other victims reside within EuropeCTB-Locker9. In May 2014, a two-day operation coordinated by Eurojust industry reporting which indicates that up to 35% of CTB Locker and Europol’s EC3 resulted in almost 100 arrests in 16 countries worldwide. The operation targeted sellers and users of the Blackshades malware including its co-author. Despite this, the malware still appears to be available, although its use is in decline.

Blackshades

CTB-LOCKER

KEY THREATS – REMOTE ACCESS TOOLS (RATS)

Remote Access Tools exist as legitimate tools used to access a third party system, typically for technical support or administrative reasons. These tools can give a user remote access and control over a system, the level of which is usually determined by the system owner. Variants of these tools have been adapted for BLACKSHADES NET malicious purposes making use of either standard or enhanced capabilities to carry out activities such as accessing microphones and webcams, installing (or uninstalling) applications (including providing live remote desktop viewing, all without the victims knowledgemore malware), or permission. keylogging, editing/viewing/moving files, and

Malwarebytes, You Dirty RAT! Part 2 – Blackshades NET, https://blog. http://www.mcafee.com/nl/ 10 net/ 9 McAfee Labs Threat Report, Q1 2015, malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades- resources/reports/rp-quarterly-threat-q1-2015.pdf, 2015 , 2012 20 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

DarkComet Zeus

DarkComet was developed by a French security specialist known as DarkCoderSC of malware to date. The Zeus source code was publically leaked DarkCoderSC withdrew support for the project and ceased First appearing in 2006, Zeus is one of most significant pieces development as ina result2008. Theof its tool misuse is available11. However for free. it is In still 2012 in then a number of cybercrime groups have adapted the source circulation and widely used for criminal purposes. codein May to produce2011 after their its owncreator variants. abandoned As such it Zeus in late still 2010. represents Since a considerable threat today and will likely continue to do so as Darkcomet long as its original code can be updated and enhanced by others.

Gameover Zeus (GOZ) or Peer-to-Peer (P2P) Zeus was one such variant which used a decentralised network of compromised computers to host its command and control infrastructure, thereby making it more resistant to law enforcement intervention.

In June 2015, a joint investigation team (JIT) consisting of investigators and judicial authorities from six European countries, supported by Europol and Eurojust, arrested a Ukrainian cybercrime group who were developing and distributing the Zeus and Spyeye malware and cashing-out the proceeds of their crimes. The group is believed to have had tens of thousands of victims and caused over EUR 2 million in damages.

Zeus DARKCOMET

KEY THREATS – INFO STEALERS

Data is a key commodity in the digital underground and almost any type of data is of value to someone; whether it can be used unsurprising then that the majority of malware is designed with thefor theintent furtherance of stealing of data. fraud Banking or for immediate Trojans – malwarefinancial gain.designed It is to harvest login credentials or manipulate transactions from online banking – remain one of the top malware threats.

ZEUS

11 http://www. symantec.com/connect/blogs/darkcomet-rat-it-end/ Symantec Official Blog, DarkComet RAT – It is the END, , 2012 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 21

Citadel Ice IX

release the Zeus source code, appearing in the same time period beforeCitadel being is a successful withdrawn descendant from general of Zeus. distribution It first appeared later that in asIce Citadel. IX is another Although first its use generation appears Zeusto be variantin decline, following several theEU year.circa 2012Its sale and and was use initially is now sold limited openly to on select underground groups. forumsCitadel Member States have still actively investigated cases of its use. infection rates have never reached the huge numbers Zeus itself has attained. Instead Citadel appears to be used for much more Ice IX or government entities12,13 targeted (APT) attacks – campaigns targeting specific businesses. . Citadel has been noted as the first14 malware to specifically target password management solutions Citadel

ICE IX

CITADEL

12 https://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world- of-the-citadel-trojan/McAfee Labs, Labs Paper Looks ‘Inside the World of the Citadel Trojan’, 13 Security Intelligence, Massively Distributed Citadel Malware Targets Middle Eastern Petrochemical, 2013 Organizations, https://securityintelligence. com/massively-distributed-citadel-malware-targets-middle-eastern- petrochemical-organizations/ Security Intelligence, Cybercriminals Use Citadel to Compromise Password Management and Authentication, 2014 Solutions, http://securityintelligence. 14 com/cybercriminals-use-citadel-compromise-password-management- authentication-solutions/

, 2014 22 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Spyeye Dridex

Cheaper than the leading malware kit at the time (Zeus) while the successor to the Cridex banking malware. However, unlike mirroringSpyeye appeared much inof lateits functionality,2009 on Russian Spyeye underground quickly grewforums. in Cridex,Dridex firstwhich appeared relied on in exploit circa November kit spam for2014 propagation, and is considered Dridex popularity. It is believed that when Zeus developer Slavik ceased has revived the use of malicious macro code in Microsoft Word attachments distributed in spam in order to infect its victims . Spyeye developer Harderman/Gribodemon, only a short while Several EU Member States have encountered Dridex and,15 beforeZeus’s development,the Zeus source the code source was code leaked was publically. sold/transferred In January to although instances are low in number, the sensitivity of the Panin pleaded guilty before a US federal harvested data, increasing degree of sophistication and growing court on charges related to the creation and distribution of Spyeye.2014, Russian Despite national this several EU Member States are still actively investigating cases related to Spyeye, although its use is number of cases confirm Dridex is an upcoming threat. apparently in decline. SpyEye Dridex

SPYEYE DRIDEX

Trend Micro, Dealing with the Mess of Dridex, http://www.trendmicro.com/

15 dridex vinfo/us/threat-encyclopedia/web-attack/3147/dealing-with-the-mess-of- , 2014 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 23

Dyre Tinba

Dyre is a new malware kit which appeared in 2014, using a largelyTinba, thetargeting truncation non-English of ‘tiny languagebanker’ – countries referring suchto its as small Croatia, file organisationsnumber of ‘Man-in-the-Browser’ including electronic payment attack techniquesand digital currency to steal Czechsize (~20kb) Republic – first and appeared Turkey21 in. The 2012. source Tinba code has forbeen Tinba noted was as services,banking credentials.with a particular Dyre targetsfocus on over those 1000 in English-speaking banks and other 20 countries . Some campaigns use additional social engineering cybercriminals for free. techniques16 to dupe their victims into revealing banking details17. leaked in 2014 allowing its ready-made code to be used by other Dyre is also noted for its ability to evade popular sandbox environments used by researchers to analyse malware and by its ability to download additional malware payloads onto18 an infected system such as the Cryptowall ransomware . 19 Dyre Tinba

DYRE TINBA

Symantec, Dyre: Emerging Threat on Financial Fraud Landscape, http://

16 whitepapers/dyre-emerging-threat.pdf 17 Securitywww.symantec.com/content/en/us/enterprise/media/security_response/ Intelligence, The Dyre Wolf Campaign: Stealing Millions and Hungry Avast Blog, Tinybanker Trojan Targets Banking Customers of Major Banks for More, http://securityintelligence.com/dyre-wolf/, 2015 Worldwide, The Register, Nasty Dyre Malware Bests White Hat Sandboxes, http://www. 20 banking-customers/ , 2015 21 CSIS and Trendhttps://blog.avast.com/2014/07/17/tinybanker-trojan-targets- Micro Threat Report, Tinybanker: The Turkish Incident, 18 http://www.mcafee.com/nl/ http://www.trendmicro.nl/media/wp/tiny-banker-the-turkish-incident-, 2014 theregister.co.uk/2015/05/04/dyre_malware_sandbox_evasion/, 2015 whitepaper-en.pdf 19 McAfee Labs Threat Report, Q1 2015, resources/reports/rp-quarterly-threat-q1-2015.pdf, 2015 , 2012 24 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Carberp Torpig

First encountered in 2010, Carberp was initially found to be22. onlyThe allowingTorpig was it tooriginally execute developedbefore the in operating 2005 and system was mainly is launched active targeting Russian-speaking countries but was later modified makingcirca 2009. it harderTorpig isfor installed anti-virus on asoftware system’s Masterto detect Boot23. SeveralRecord to additionally target Western financial organisations European countries have active Torpig investigations however Carberp source code was leaked in June 2013. numbers are low and decreasing. Carberp Torpig

CARBERP TORPIG

22 http:// www.symantec.com/connect/blogs/new-carberp-variant-heads-down- 23 Carnegie Mellon University, Torpig, http://www.cmu.edu/iso/aware/be- underSymantec Official Blog, New Carberp Variant Heads Down Under, aware/torpig.html

2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 25

Shylock OTHER MALWARE THREATS – ENABLERS

Although the harm deriving from any malware attack is ultimately the result of one of the above mentioned attack methods, there transactions.Shylock first appearedShylock isin 2011a privately and used owned advanced (by its‘Man-in-the- creators) are many other types of malware which facilitate or enable these Browser’ attacks to steal financial data and make fraudulent attacks. These malware products are infrequently the main focus constrained. It is not available for purchase on underground of law enforcement activity as it is the malware they enable that marketsfinancial Trojan. Despite and successful as such its disruption use and distributionactivity, several is highly EU will spark an investigation. These enabling malware products 24

Member States still report significant Shylock activity. are offered ‘as-a-service’ on the digital underground. In July 2014, a UK-led operation resulted in the seizure of Exploit kits command and control (C2) servers and domains associated with the operation of a Shylock botnet consisting of 30 000 Exploit kits are programs or scripts which exploit vulnerabilities infected computers. The malware campaign had largely in programs or applications to download malware onto targeted customers of UK banks. The operation involved vulnerable machines. Since the demise of the ubiquitous cooperation between several other jurisdictions, private sector companies and CERT-EU, and was coordinated by EC3 at Europol. widely-usedBlackhole exploit exploit kit kits in include late 2013, Sweet a number Orange, ofAngler, other Nuclear exploit andkits Magnitudehave emerged. to fill the vacuum. Some of the current, most 25 Spam

Shylock One of the most common methods of malware distribution is by malicious email attachment and the most productive way to reach the most potential victims is via spam. The primary function of some malware is to create botnets geared to generate

Cutwail which has been known to distribute malware such as CTBlarge Locker, volumes Zeus of spam.and Upatre One such. example of such ‘spamware’ is 26

SHYLOCK

Trend Micro, Evolution of Exploit Kits, http://www.trendmicro.com/cloud- content/us/pdfs/security-intelligence/white-papers/wp-evolution-of- 25 exploit-kits.pdf Gang Hit by Takedown, http://www.symantec.com/connect/blogs/all- Trend Micro Threat Encyclopedia, Cutwail, http://www.trendmicro.com/ 24 glitters-no-longer-gold-shylock-Trojan-gang-hit-takedownSymantec Official Blog, All That Glitters Is No Longer Gold – Shylock Trojan vinfo/us/threat-encyclopedia/malware/CUTWAIL, 2015 26 , 2014 , 2013 26 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Primary Threat Primary Malware Infection Aliases/Variants Trend Level Function Vector

Droppers would be to take it to a police station. Reporting of this threat is Email therefore low and consequently the law enforcement response Cryptolocker HIGH Ransomware - attachment The core function of some malware is simply, once installed, to is minimal. download other malware onto the infected system. Malware such as Upatre is one such product and has been observed The following table highlights the threats posed by different Fynloski, Fynlos, DarkComet HIGH RAT Exploit kit downloading malware such as Zeus, Crilock, Rovnix and more malware variants reported to and/or investigated by EU law Krademok,DarkKomet recently Dyre27. Upatre itself is commonly distributed via enforcement. malicious email attachment distributed by botnets such as Email Cutwail. FUTURE THREATS AND DEVELOPMENTS Dridex HIGH Data Stealer attachment Bugat,Feodo, Cridex (Word macros) In April 2015, Europol’s EC3 and the Joint Cybercrime Action The recent experiences and investigative focus of European law enforcement suggests that the top malware threats of the last Taskforce (J-CAT), joined forces with private industry and the Zeus HIGH Data Stealer Exploit kit Zbot, Gameover (GOZ) FBI to support Operation Source. This Dutch-led operation targeted the Beebone (also known as AAEH) botnet, a comes to the fore. Although some variants remain a threat, the polymorphic downloader bot that installs various forms of investigation5+ years are steadilyrates of inZeus decline (plus as its a variantsnew generation Ice IX and of malwareCitadel), malware on victims’ computers. The botnet was ‘sinkholed’ Torpig, Spyeye and Carberp have either plateaued or are in Blackshades HIGH RAT Exploit kit - and the data was distributed to the ISPs and CERTs around decline. Many of these products have had their development the world, in order to inform the victims. and support discontinued by the developer either voluntarily or as a result of their arrest. The continued threat posed by these Citadel HIGH Data Stealer Exploit kit - products is likely due to their availability, with the source code for most publically leaked. Instead, newer names on the malware OTHER MALWARE THREATS – MOBILE scene such as Dridex and Dyre are becoming more prominent MALWARE in law enforcement investigations, a trend which is likely to SpyEye HIGH Data Stealer Dropper - increase. Industry reporting indicates that the volume of mobile malware Email continues to grow, although some reporting suggests that A common and perhaps inevitable fate for any malware is to have CTB-Locker MEDIUM Ransomware Critroni the rate of growth is decelerating or that infection levels are its source code publically leaked, either by a rival criminal gang attachment (.zip) even decreasing . While it remains28 a recurring, prominent and or by security researchers. Whilst this may be of tremendous contemporary topic29 in both industry reporting and the media, Dropper Dyre MEDIUM Data Stealer Dyreza mobile malware currently does not feature as a noteworthy into the hands of prospective coders allowing them to rework (UPATRE) threat for EU law enforcement. andbenefit enhance to the the Internet code tosecurity create communitytheir own products it also puts with the a largecode part of their work already done for them. As an example, a hybrid The majority of mobile malware is typically less malicious than of the Zeus and Carberp Trojans, dubbed Zberp, was detected in Tinba MEDIUM Data Stealer Exploit kit Tinybanker, Zusy its desktop counterpart. Although there is a growing volume . It is likely that, given the success and sophistication of many of30 the older malware products, we will continue to see devices, the majority of mobile malware is still from premium mid-2014new threats which draw on their code. Carberp MEDIUM Data Stealer Exploit kit - serviceof banking abusers, malware i.e. those and that trojanised subscribe financial victims appsor make on calls mobile to premium rate services. It is less probable therefore that a victim would feel the need to report an attack due to the relatively small losses incurred. Furthermore, victims are more likely to either Shylock MEDIUM Data Stealer Exploit kit Caphaw reset their own device or take it to a phone repair shop, than they

27 Trend Micro Threat Encyclopedia, Upatre, http://www.trendmicro.com/ Ice IX MEDIUM Data Stealer Exploit kit - vinfo/us/threat-encyclopedia/malware/upatre http://www.symantec.com/ , 2015 28 Symantec, 2015 Internet Security Threat Report, http://www. Security Intelligence, Meet the Zberp Trojan, https://securityintelligence. security_response/publications/threatreport.jsp, 2015 com/new-zberp-Trojan-discovered-zeus-zbot-carberp/ Torpig MEDIUM Data Stealer Exploit kit Sinowal, Anserin 29 Verizon, 2015 Data Breach Investigations Report, 30 verizonenterprise.com/DBIR/2015/, 2015 , 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 27

Primary Threat Primary Malware Infection Aliases/Variants Trend Level Function Vector

Email Cryptolocker HIGH Ransomware - attachment

Fynloski, Fynlos, DarkComet HIGH RAT Exploit kit Krademok,DarkKomet

Email Dridex HIGH Data Stealer attachment Bugat,Feodo, Cridex (Word macros)

Zeus HIGH Data Stealer Exploit kit Zbot, Gameover (GOZ)

Blackshades HIGH RAT Exploit kit -

Citadel HIGH Data Stealer Exploit kit -

SpyEye HIGH Data Stealer Dropper -

Email CTB-Locker MEDIUM Ransomware Critroni attachment (.zip)

Dropper Dyre MEDIUM Data Stealer Dyreza (UPATRE)

Tinba MEDIUM Data Stealer Exploit kit Tinybanker, Zusy

Carberp MEDIUM Data Stealer Exploit kit -

Shylock MEDIUM Data Stealer Exploit kit Caphaw

Ice IX MEDIUM Data Stealer Exploit kit -

Torpig MEDIUM Data Stealer Exploit kit Sinowal, Anserin 28 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Similarly newly published vulnerabilities are rapidly incorporated into exploit kits. This often occurs faster than patches can be released and almost certainly quicker than most potential victims would update their software. As an example, the Zero-Day exploits which were released as a result of the

Neutrino and Nuclear exploit kits within days31. Hacking Team exposure in June 2015 appeared in the Angler, RECOMMENDATIONS services (banking, mobile payments, etc) the effectiveness ¡¡ In order to maintain the trend of successful multi- andAs more impact consumers of mobile move malware to mobile will increase.devices for It theircan thereforefinancial jurisdictional operations targeting cybercrime groups, law be expected to begin to feature more prominently on law enforcement should continue to:

o Pro-actively share criminal intelligence related to Oneenforcement’s advanced techniqueradar. that we can expect to see further future cybercrimes with other EU Member States via Europol; steganography. Rather than simply encrypting data so that it is o Build and maintain relationships with private industry examples of is the use of ‘information hiding’ methods such as and academia with expertise and capability in Internet security and cybercrime; unreadable, such techniques hide data within modified, shared hardware/software resources, inject it into network traffic, or content. Malware employing these techniques can, for example, o Contribute malware samples to the Europol Malware embed it within the structure of modified file structures or media Analysis System (EMAS). ifstealthily such methods communicate become with more C2 widelyservers employed.or exfiltrate Smartphones data. It may ¡¡ While a focus on the apprehension of the groups and maytherefore be particularly become increasingly vulnerable difficultto such malware to detect as, malware coupled traffic with individuals behind malware campaigns is recommended, their array of in-built sensors, they provide additional channels consideration should also be given to targeting shared via which hidden data can be transmitted32. criminal infrastructure which may have a disruptive impact on multiple OCGs carrying out a range of attacks and may increase their cost of operation.

¡¡ Where the capacity and capability exists, law enforcement should target criminal groups developing and distributing enabling malware such as exploit kits, spamware and droppers.

¡¡ While dismantling or disrupting criminal groups is effective and necessary, adequate resources should be given to prevention strategies in order to raise awareness 31 Trend Micro Security Intelligence Blog, Hacking Team Flash Zero-Day of cybercrime and increase standards in online safety and Integrated into Exploit Kits, http://blog.trendmicro.com/trendlabs-security- intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/ information security. This must include awareness in relation 32 Mazurczyk, W., Luca Caviglione, L.; Information Hiding as a Challenge for to mobile devices. , 2015

Malware Detection. IEEE Security & Privacy, 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 29

ONLINE CHILD SEXUAL EXPLOITATION

Online child sexual exploitation (CSE) is a constantly evolving by reliable quantitative data, it perfectly supports an assumption phenomenon, shaped by developments in technology, growing that current online distribution of CAM is very dynamic, and levels of Internet adoption via territorial coverage and bandwidth, and further expansion of mobile connectivity. misuse of particular environments. the operations of LE agencies inevitably influence the extent of The key threat areas include criminal activities in P2P KEY THREAT – THE DARKNET environments and the Darknet, live streaming of child sexual abuse, sexual extortion, and developments in the commercial Criminals who are present on the Darknet appear more distribution of child abuse material (CAM). Focus will also be on comfortable offending and discussing their sexual interest the offender environments and threats relating to the growing in children than those using the Surface Web. The presumed level of competence amongst offenders in terms of networking greater level of anonymity and strong networking may be and technical capability, use of encryption and anonymisation favouring their sexual urges, which would not be revealed in any tools as well as the abuse of hosting services for distributing CAM. other environment lacking such features.

The use of use of Tor in the proliferation of CAM remains a they still remain the main challenges, even if there were no key threat, regardless of some loss of trust about its complete Some of these areas were already reported in the 2014 IOCTA; anonymity and technical limitations. significantKEY THREAT developments – P2P over ENVIRONMENT the last year. Restricted areas of Tor pose the highest risk to children as they are linked to the production of new CAM to retain community membership and status, which inevitably leads to further hands- child abuse material and the principal means for non-commercial on abuse. It is likely that more abuse of an extreme and sadistic distribution.P2P file sharing These methods are invariably remain theattractive main platformfor CSE offenders to access nature is being requested and shared in these areas. building and rebuilding a collection quickly after accidental loss KEY THREAT – LIVE STREAMING orand apprehension. easy to use. They are a highly effective and efficient means of The live streaming of abuse33 is no longer an emerging trend Some specialists describe the material which is being shared but an established crime, the proliferation of which is expected there as known and often dated. However, P2P is an important to further increase in the near future. Child sexual abusers part of a possible offending pathway, from open searching using continue to exploit technology that enables the streaming of search engines, via exchanges on the open Internet to the hidden live images and video in many different ways. This includes use services in the Darknet. of live streaming methods in sexual extortion cases, organising invitation-only videoconferencing of contact abuse among This environment is also – due to its nature – deemed to be the members of closed networks, as well as the trend reported in cases still constitute the majority of investigations conducted by live in front of a camera at the request of Westerners . specialisedone where units. the greatest volume of offending is identified. P2P 2014 concerning the profit driven abuse of children34 overseas,

Some specialists noted a slight shift of users of hidden services 33 Live-distant child abuse (LDCA) is a term suggested by specialists to underline the fact of sexual abuse even if physical contact between an to P2P environments as a result of recent successful LE offender and a victim does not take place https://www.europol.europa.eu/content/internet- organised-crime-threat-assesment-IOCTA interventions. While it is impossible to confirm such observations 34 Europol, IOCTA 2014, , 2014 30 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

The low cost to consumers of pay-per-view child sexual abuse As a methodology, business models based on blackmailing young makes it possible to order and view the abuse regularly without people may also be attractive to those who are not sexually for such a modus operandus to become even more widespread. crimes are not primarily aimed at minors, it is likely that children Thethe needfrequent for downloading. small amounts This representsof money abeing significant transferred driver interested in children but seek financial gain. Although such experience serious psychological damage. Cybercrime groups transaction monitoring agencies . running(below the such age schemes of 18 years) are known may be to among operate its out victims, of north-west and may through intermediaries minimises35 any red flags from financial African states and south-east Asia. Recently, some intelligence strengthened the connection between live streaming and hands-on abuse, where live-distant KEY THREAT – COMMERCIAL DISTRIBUTION abuse is followed by travel to another country to contact abuse the same children. There is a need to widen the understanding of the current scope of online commercial CAM distribution. It is necessary to KEY THREAT – ONLINE SOLICITATION AND acknowledge that new CAM can be a currency in itself. The value SEXUAL EXTORTION its circulation. This needs to be differentiated from instances of The last few years have witnessed changes in the online of an image is its novelty which is likely to define the means of distribution of self-generated indecent material (SGIM) produced by young people, much of which is distributed through Aobtaining full understanding financial gain of from the distributioncommercial of distribution CAM. of CAM mobile devices and social media platforms. Although intended to requires taking into account all forms of commercial activity be shared with trusted partners, there is the potential for such material to be captured and distributed among CSE offenders if of dedicated websites offering such material on the open it is later placed on the open Internet. Internet.involving This its includes distribution, new notmethods only for the distributing ‘traditional CSE model’ such , dissemination through cyberlockers, SGIM can also be acquired by offenders through online live streaming of child36 sexual abuse for payment as well as solicitation, often combined with grooming, where children asinstances ‘disguised of commercial websites’ CSE in the Darknet. Additionally, a are offered money or gifts in exchange for complying with the continuation of migration from traditional payment mechanisms desires of the offender. Using mobile devices or webcams to to those offering a greater degree of anonymity, particularly record the media, a victim is lured into sending photos or videos pseudonymous payment systems37 such as Bitcoin, has been to the abuser, who may also pretend to be a teenager. Voluntary observed. Commercial distribution exists, and is evolving. This involvement, however, frequently turns into involuntary participation as the abuser turns to coercive measures to obtain compromise their security. valuable new material. is despite the producer’s perception that financial flows may

In the most extreme cases online solicitation may turn into sexual extortion, where victims are threatened by disseminating indecent materials depicting them and have to comply with offender demands, leaving them with psychological damage and increasing the potential for self-harm or suicide attempts. more extreme, violent or degrading demands where coercive techniquesSuch modus are operandiadopted. reflects the general trend towards

user takes to reach them. When the URL is loaded directly into the browser, 36 theThe page disguised which websites’ loads contains present legitimate different adult content content. depending However, on the when route the

https://www.europol.europa.eu/content/ 37 ICMEC,accessed The via Digital a particular Economy, gateway site (‘referrer’) the page displays child live-streaming-child-sexual-abuse-established-harsh-reality Economy.pdfsexual abuse content. IWF Annual report 2013 35 EFC Strategic Assessment 2014, http://www.icmec.org/en_X1/ICMEC_Digital_ , 2015 , 2014 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 31

CSE offenders continue to misuse legitimate hosting possibilities to store and distribute CAM. According to INHOPE records, in

2014 the total number of unique URLs confirmed to contain CAM and inserted into their reporting system was 83 644 (48 910 in 2013 and 33 821 in 2012). In 2014 the top hosting countries were United States (37% of identified CAM), Russian Federation (24%), Netherlands (16%) and Canada (11%). Image hosting sites were identified as hosting 42% of the reported URLs. (an The traditional distinction between commercial and non- increase from 22% in 2013), followed by website hosting –39 30% FUTURE(37% in 2013) THREATS and file hosting AND sites DEVELOPMENTS – 20% (29% in 2013) driven and conducted by those with limited sexual interest incommercial children, isdistribution, no longer aswhich obvious. cast theIt is former weakened as largely by the profit fact that offenders with a sexual interest in children who produce as a result of their true IP address being revealed during an and distribute CAM are becoming entrepreneurial, exploiting Historically, CSE offenders were commonly located and identified developing technologies . details from ISPs. The invalidation of the Data Retention Directive 38 investigation. These could then be used to obtain subscriber’s KEY THREAT – NETWORKING AND FORENSIC will increasingly stand as a barrier to the success of future CSE in May 2014 was replicated in several EU Member States and AWARENESS OF CSE OFFENDERS investigations.

CSE offenders continue to exploit currently available technology, In February 2015, a report passed to US liaison officers at coupled with anonymous networks to hide their activities Europol from the US National Center for Missing and Exploited from LE attention. Increasingly user-friendly Internet-related Children (NCMEC) prompted an investigation by EC3’s FP technologies provide access to a variety of services they can feel Twins. Swift cooperation with the Romanian authorities comfortable and secure with. It is likely that some of them will resulted in the arrest of the offender and the rescue of his make use of more than one route to access CAM simultaneously. 22-month old daughter from further abuse.

The use of techniques such as anonymisation, encryption and The development and use of technologies which complicate systems (OS) run from removable media, are now considered the offenders is likely to continue. It is expected that the link between normanti-forensic rather than tools, the suchexception. as ‘wiping’ software or operating onlinetraditional content police and user methods will be of less identification visible as a consequence of online CSE of using anonymising tools, encryption and the remote storage of Communities of offenders mature and learn from the mistakes of those that have been apprehended by law enforcement, in developing countries will result in live-distant child abuse becomingdata. Increasing more widespread, Internet coverage leading through to a growing broadband multitude and 4Gof unknown victims and complicated investigations requiring close tobecoming develop more trusted difficult relationships to infiltrate. and Thisshare is relevant believed technical to refer cooperation with LE outside the EU. more specifically to the users of the Darknet, who continue most popular directory of hidden services, in an effort to keep The further professionalisation of criminal activities on expertise. Offenders have also vacated Hidden Wiki, the Darknet’s the Darknet, including the evolution of online markets and perception of anonymity and strong support from a like-minded alternative payment methods, may be leading to the facilitation their profile low. Presumptions of safety, strengthened by the of illicit payments for novel CAM. Criminals offering commercial live streaming of CAM may also adopt decentralised streaming community, influence an offender’s behaviour and are likely to be reinforcing factors in an individual’s offending pathway. https://www.europol.europa.eu/content/ http://www.inhope.org/tns/resources/statistics- live-streaming-child-sexual-abuse-established-harsh-reality 38 EFC Strategic Assessment 2014, 39 INHOPE Statistics 2014, , 2015 and-infographics/statistics-and-infographics-2014.aspx, 2014 32 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

solutions with built-in payment systems instead of centralised RECOMMENDATIONS commercial products. 40 ¡¡ EU law enforcement must not only ensure they are familiar The noticeable online proliferation of SGIM corresponds with the with emerging trends, technologies and methodologies used increased online presence of children and teenagers. According in CSE online, but extend their expertise and experience to jurisdictions that require capacity building and additional support. areto a recentincreasingly media capableuse survey of inaccessing the UK, childrenthe Internet. aged 5-15Ownership spend of12.5 tablets hours in onlinethis age per group week. has 41% almost own doubled a mobile – growing phone, which from ¡¡ Cooperation with both reporting bodies as well as content . This trend will most probably service providers is essential. The marked increase in the increase, and with it the exposure41 of children to potential threats abuse of hosting services requires its providers to introduce 19%on the in Internet. 2013 to 34% in 2014 procedures for identifying and mitigating distribution of CAM.

It is safe to assume that emerging technologies such as virtual ¡¡ The relationship between the production of SGIM online and reality headsets, combined also with advancements in other CSE remains unclear and merits additional research. Tailor- made prevention activity resulting in a greater awareness of entertainment as well . online threats is vital to reduce the threat of online grooming fields such as artificial42,43,44 intelligence, will be adopted for adult and solicitation. The adult entertainment industry is a key driver for the adoption of media formats and emerging technologies, and it is therefore ¡¡ Law enforcement should focus on identifying and dismantling the communities and forums in which offenders congregate virtual reality platforms, allowing for a high degree of immersion as these drive the demand for fresh CAM leading to the abuse andlikely interactivity. that such content This technologywill find its mayway toalso one be of abusedthe developing by CSE of new victims. offenders to simulate child abuse virtually, although the legal implications of this are unclear . ¡¡ Effectively investigating CSE in closed like-minded offender 45 communities requires relevant legal instruments allowing

investigation methods. undercover work and the efficient use of traditional policing ¡¡ In order to counter the increasing occurrence of encryption Cryptocoinsnews.com, https://www.cryptocoinsnews.com/streamium- decentralizes-streaming-content-producers-get-paid-bitcoins-real-time/, used by offenders, law enforcement should invest in live data 40 forensics capability and prioritise the seizure of devices in Ofcom, Children and Parents: Media Use and Attitudes Report, http:// 2015stakeholders.ofcom.org.uk/binaries/research/media-literacy/media-use- situ when arresting suspects, to capture the relevant artefacts 41 in an unencrypted state.

attitudes-14/Childrens_2014_Report.pdf, 2014 42 The Register, Virtual Reality Porn on the Rift? ‘Why not?’ Says Oculus Founder, ¡¡ Gizmodo,http://www.theregister.co.uk/2015/05/20/vr_pornography_on_the_rift_ The Next Oculus Rift Might Let You See Your Actual Hands in VR, http://gizmodo.com/the-next-oculus-rift-might-let-you-see-your-actual-oculus_founder_says_sure_why_not/, 2015 There is a need to constantly enhance victim identification 43 Victim ID databases, taking into account current and future SingularityHub, The Future of Sex: Androids, VR, and the Orgasm Button, strategies. Resources spent on the efficient use of available hand-1718371825, 2015 44 as detailed analysis of the material, often lead to successful the-orgasm-button/ efforts undertaken by EC3 and Interpol in this field, as well http://singularityhub.com/2009/05/20/the-future-of-sex-androids-vr-and-http://news.bbc.co.uk/2/hi/ rescue operations. , 2009 45 BBC News, Second Life ‘child abuse’ Claim, technology/6638331.stm, 2007 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 33

PAYMENT FRAUD

Although ATM-related fraud incidents within the EU decreased 49. This is mainly due paymentIn 2013, thecards number per capita,of payment while cards the issuednumber in ofthe transactions EU reached to the cashing out of compromised cards in jurisdictions outside approximately 760 million, representing approximately 1.5 ofby the26% EU in where 2014, EMVoverall (chip losses and were pin) up protection 13% has not yet been transaction . The growing proportion of non-cash payments has fully implemented, mainly the Americas and Southeast Asia – encouragedreached EUR46 an 43.6arms billionrace between averaging new atattack almost methods EUR devised 50 per Indonesia and the Philippines in particular. Some OCGs set up by entrepreneurial cybercriminals and the countermeasures and permanent bases in these locations to facilitate their activities50. security features implemented by the card industry to protect their customers and business. In 2014, EU-funded Project Sandpiper resulted in 59 arrests in addition to the disruption of five organised crime groups exploiting electronic payments. Over 50 000 compromised using cards issued within SEPA47 cards were recovered, worth over EUR 30 million. The In 2013, the total value of fraudulent transactions conducted project involved UK and Romanian law enforcement and was reached EUR 1.44 billion, supported by Europol’s EC3. representing a growth of 8% on the previous year. The growth was driven by a 20.6% increase in card-not-present (CNP) fromfraud. transactions Of the total atfraud ATMs value,48. 66% of value resulted from CNP KEY THREAT – ATM MALWARE payments, 20% from point-of-sale (PoS) transactions and 14% KEY THREAT – SKIMMING There are several common malware-focused methods for attacking ATMs: In the last year, only three Member States indicated an increase 51 in the number of investigations into the skimming of payment ¡¡ Software skimming malware, once installed on the ATM PC, cards at ATMs. All three instances related to Eastern European allows the attacker to intercept card and PIN data at the ATM; countries while in Western Europe the trend has either plateaued or is in decline. Overall, both PoS skimming and attacks via ¡¡ Jackpotting is a technique which uses malware to take PoS network intrusion are in downturn across the majority of control of an ATM PC in order to direct the cash dispenser to jurisdictions. dispense money;

¡¡ Black Boxing is a Jackpotting variant where the attacker developments in miniaturisation and concealment techniques. uses their own PC to communicate with the cash dispenser to Skimmers continue to refine their tools with notable direct it to dispense cash; be embedded inside the card readers, rendering them invisible Skimming devices are now often sufficiently small that they can to users. ¡¡ Man-in-the-Middle attacks manipulate communication

system and can, for example, trigger requests to withdraw moneybetween without the ATM debiting PC andthe card the account. merchant The acquirer’s malware must host however be present in a high software layer of the ATM PC or

https://www.ecb.

46 European Central Bank: Payment Statistics for 2013, within the acquirer’s network. Liechtenstein,europa.eu/press/pdf/pis/pis2013.pdf Monaco, Norway, San Marino, 2014 and Switzerland Input provided by FP Terminal 47 EuropeanAs of July 2015,Central SEPA Bank: consists Fourth of Report all 28 EUon CardMS as Fraud, well as https://www.ecb. Iceland, 49 Europol,European Guidance ATM Security and Recommendations Team (EAST), European regarding ATM Logical Crime Report,Attacks 2015on ATMs, 50 48 51 europa.eu/pub/pdf/other/4th_card_fraud_report.en.pdf, 2015 2015 34 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Many of these attacks can potentially be prevented through Following the successful Airline Action Days operations a mix of security/technical measures such as securing the supported by EC3, Hellas (Greece) has implemented a national BIOS, disabling booting from external drives, hardening OS or initiative to fight airline fraud on an ongoing basis and in equipping ATMs with alarm systems. Non-technical mitigation close cooperation with airline companies, travel agencies and methods include limiting physical access to ATMs, surveillance international airports. Notifications on possible fraudulent . transactions using payment cards are channelled through 52 the Cyber Crime Division of the Hellenic Police where they are KEYand more THREAT frequent –refilling CARD-NOT-PRESENT cycles (CNP) collated and analysed, leading to the arrest of fraudsters at the FRAUD boarding gate. The measures have proved to be highly effective; of the suspects identified via a fraud notification, 52% have Payment card data are actively traded on criminal marketplaces been arrested, 35% haven’t showed up at the airport and 13% and automated card shops. Bulk card data can be purchased have made their flight due to no confirmed fraud.

Proper implementation of 3D Secure55 and rigid internal anti- cardcheaply, data allowing (i.e. those re-sellers committing to profit CNP from fraud) redistributing can purchase the cardhigh fraud procedures could mitigate this threat to some degree. valuedata in products smaller, more and userefined criminal batches. drop ‘End and users’ reshipping of compromised services However, some merchants, fearing the loss of customers to receive their fraudulently obtained goods. These can then who dislike having their shopping experience complicated, either be retained for personal use or monetised via buy-and- have instead demonstrated a preference to absorb the losses sell websites. In some cases this process is carried out by highly and invested little effort into tackling online fraud through organised and experienced groups. implementing fraud screening technologies and secure e-commerce solutions. The majority of Member States have witnessed a shift towards CNP fraud as a result of the availability of compromised payment FUTURE THREATS AND DEVELOPMENTS card details stemming from data breaches, social engineering attacks and data stealing malware. Another push towards online The use of 3D printing to produce customised skimmers has fraud is the success of law enforcement in targeting OCGs involved in card-present (CP) fraud, as well as the implementation of likely to see a progressive development in this area. The ATM skimmingalready been devices documented that used in to five be EUproduced countries and anddistributed we are including EMV, anti-skimming ATM slots and geoblocking. within organised crime groups are now traded on legitimate buy- effective measures against CP fraud by the financial industry, and-sell websites, increasing their availability and convenience for the criminal customers. 3D printing will further lower the 53 bar of entry into the crime, as offenders will increasingly trade AccordingCNP fraud,54 to including card scheme online, operators postal and Visa telephone and Mastercard, orders. 67%Often, schematics for the devices or share these on P2P networks. andhowever, 69% incidents of losses are respectively reported inat 2014a local occurred level, with as a resultcrime data not collated at a national level. Moreover if this is then not The migration to EMV technology in the USA is expected to occur shared at an international level, the linking of related crimes across multiple jurisdictions in order to initiate coordinated international investigations becomes problematic. yearsin autumn in many 2015, other as merchantscountries wherewill be criminals liable for take losses advantage from 1 ofOctober a lack 2015.of EMV Similar technology initiatives to abuse are scheduled compromised over cards. the next This two is

expected to lead to a significant decrease in skimming.

Europol, Guidance and Recommendations regarding Logical Attacks on ATMs,

52 http://annualreport.visaeurope.com/Risk- management/index.html2015 53 Visa Europe 2014 Annual Report, Visa or MasterCard SecureCode , 2015 55 3D Secure is an online fraud prevention measure familiar through Verified by 54 Data provided to EC3 by MasterCard, 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 35

While there has been a lot of discussion regarding the failure or a milestone in the development of ATM authentication security of emerging mobile and contactless payments, their remains to be seen. rapid growth has not yet led to a notable increase in related fraud. According to Visa Europe, the fraud-to-sales ratio for Successful initiatives that bring together law enforcement and . This is mirrored the private sector in order to combat industry related threats by law enforcement experience across Europe,56 with almost all and often previously under-represented crime areas are contactlessMember States transactions assessing remainsthe current at threat 0.01% level for mobile and becoming increasingly common and growing in impetus. As contactless payment fraud as low to non-existent. However, as such initiatives expand in scope and scale, law enforcement will EMV technology is further adopted globally and options for card- require increased capacity to deal with what is already a high present fraud diminish, we can perhaps expect growth in this volume crime. area of fraud. Europol’s e-commerce initiative brings together stakeholders Several ATM manufacturers have previously proposed in e-Commerce, law enforcement, logistics companies and payment card schemes in a collaborative effort to identify, arrest and prosecute the most prolific criminals involved in functionalfingerprint ATM and equippedface recognition with facial systems recognition on ATMs was in unveiledorder to using compromised payment cards for fraudulent online inincrease China, ATMhaving security. its biometric Earlier thisauthentication year, the world’s based firston facial fully purchases and those involved in the receipt and reshipping of feature and iris recognition . Whether this turns out to be a fraudulently obtained goods. 57

http://annualreport.visaeurope.com/Risk- management/index.html 56 Visa Europe 2014 Annual Report, http:// , 2015 57 unveils-worlds-first-facial-recognition-ATM.htmlThe Telegraph, China Unveils World’s First Facial Recognition ATM, www.telegraph.co.uk/news/worldnews/asia/china/11643314/China- , 2015 36 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

RECOMMENDATIONS ¡¡ Law enforcement requires the tools, training and resources to deal with high volume crimes such as payment card fraud. ¡¡ Law enforcement should seek to actively engage in multi- ¡¡ Following the adoption of EMV technology in previously non- and E-commerce initiative in order to combat payment fraud compliant jurisdictions, law enforcement and the payment instakeholder their jurisdiction. initiatives such as Europol’s Airline Action Days industry should work together in order to predict where card- present fraud will migrate to and try to ensure that adequate ¡¡ EU Member States should take advantage of the Europol prevention measures are in place. Malware Analysis System (EMAS) by submitting samples of ATM and PoS malware in order to cross-reference them against those supplied by other Member States, and identify potential links to ongoing investigations.

¡¡ To mitigate the risk of ATM malware attacks, law enforcement

internationalshould promote level, Europol’s to banking ‘Guidance and and payments Recommendations industry contacts.regarding Logical Attacks on ATMs’, at a national and

¡¡ To combat the sale and abuse of compromised card data, law enforcement should focus on targets either running carding websites or active traders on those sites, particularly those who offer large numbers of recently compromised cards and have a long and successful transaction history.

¡¡ A concerted effort is required to collate data at a national and international level in order to identify the activity of OCGs involved in multi-jurisdictional payment card fraud.

¡¡ Law enforcement requires a common secure channel through which they can pass details of compromised card and account details discovered through the course of their investigations to

in order to prevent their subsequent use in fraud. partners in financial institutions and payment card schemes ¡¡ Law enforcement should engage with providers of content sharing websites abused by criminals to sell or distribute compromised card data, to promote automated mechanisms for the removal of criminal content . 58

Lenny Zeltser, The Use of Pastebin for Sharing Stolen Data, https://zeltser. com/pastebin-used-for-sharing-stolen-data 58 , 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 37

SOCIAL ENGINEERING

No matter how many resources a company spends on securing their networks and systems, they cannot fully prepare or compensate for what is often the weakest link in their security – the human factor. Without (or even with) adequate security awareness training, a lapse in judgement on behalf of an employee can leave a company open to attack.

Social engineering attacks are epitomised in advanced fee developing countries has led to higher numbers of innovative yet technicallyfraud (also unskilledknown as attackers 419 fraud). with Increasing access to Interneta greater access number in of victims.

Social engineering has developed into one of the most prevalent attack vectors and one of the hardest to defend against. Many sophisticated and blended attacks invariably incorporate some form of social engineering. Targeted spear-phishing attacks were espionage incidents have featured phishing . Phishing traditionally occurred on a larger scale in widely spoken identified as a growing trend in 2014 and 59two-thirds of cyber- languages such as English. Phishing attacks often originate from KEY THREAT – PHISHING countries sharing the same language (e.g. French victims targeted by offenders from French-speaking North African countries). Almost all Member States indicated that the amount of phishing Nevertheless, some smaller EU countries have also observed a notable increase in localised phishing. The quality of phishing has increased over the last few years due to professional web almosthas either every stabilised major business or increased indicated in their that jurisdiction it was targeted in 2014. by a design and translation services. phishingThis trend campaign. was substantiated Incidents of smishing by financial and vishing institutions throughout where the sector have seen an upward trend as well. While companies can invest in increased ICT security which in turn requires criminals to innovate their own technical Additional security measures adopted by banks have become . increasingly successful in identifying fraudulent transactions Training in cybersecurity awareness can be provided and safe60 related to phishing attacks although this in itself has resulted capability,practice encouraged it is harder but is to harder upgrade to enforce. the “human Each employee firewall” may in increased costs due to investment into proactive monitoring represent a unique fallibility in the overall security. The overall capability. As a result of these proactive measures, some institutions noted a decrease in the number of phishing attacks for high-value transfers and have observed fraudsters moving to effectiveness of phishing campaigns, which was formerly 10- high-volume low-value based attacks instead. will20%, continue increased to inopen 2014. any Research attachments shows. that 23% of recipients who receive a phishing messages will open61 it and a further 11%

McAfee, Hacking the Human Operating System, https://community.mcafee.

http://www. 60 http://www. com/docs/DOC-7035, 2015 59 Verizon, 2015 Data Breach Investigations Report, 61 Verizon, 2015 Data Breach Investigations Report, verizonenterprise.com/DBIR/2015/, 2015 verizonenterprise.com/DBIR/2015/, 2015 38 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

For untargeted attacks, the primary way to distribute phishing FUTURE THREATS AND DEVELOPMENTS emails is via spam. The overall volume of spam has continued As consumers continue to shift much of their online activity to mobile devices, this opens up additional attack opportunities and to decline over the last few years, dropping to 28 billion. Taking spam strategies to enterprising cybercriminals. Mobile phones already messagesinto account per overall day in increases 2014. In inJune malware 2015, andthe phishing,overall spam62 it is ratesafe provide SMS as an additional contact method, while the growing fellto assume below 50%;that attackers the lowest are rate gradually since September shifting their 2003 activities to volume of communication and social networking apps provide alternative distribution channels such as social media. further access to potential victims. Smaller, more compact screen sizes and reduced readability increase the likelihood of potential In 2014, Dutch and Belgian law enforcement authorities, in victims inadvertently clicking on a link. We can therefore expect cooperation with the EC3 and Eurojust, arrested 12 suspected to see the number of social engineering attacks via mobile members of a European voice-phishing ring, seizing their devices and social media platforms to increase. infrastructure and other assets. The group conducted phishing and vishing which purported to originate from financial institutions in an attempt to trick their victims into handing support for the still widely-used Microsoft XP operating system over credentials necessary to perform bank transactions, wouldIn 2014 lead there to a wasfresh widespread wave of scams concern from fraudsters that the cessation purporting of including one-time passwords generated by the authenticator provided by the bank. precautionsto represent to Microsoft mitigate potential support. Inexploitation 2015, Microsoft of this event released by KEY THREAT – CEO FRAUD notifyingits free upgrade customers to Windows directly through 10. Although their currentMicrosoft OS, has it istaken still likely that criminals will take advantage of this opportunity to target unsuspecting victims. reported an increase in CEO fraud which is now leading to Several member countries as well as financial institutions for such frauds involves an attacker impersonating the CEO any sporting event of this scale it can be expected that there will orsignificant CFO of thelosses company. for individual The attacker companies. will contactThe modus an employee operandi beIn 2016a notable Brazil increase will host in the phishing thirty-first and otherOlympic social Games. engineering As with targeted for their access and request an urgent transaction into attacks attempting to exploit both businesses and citizens in relation to the games. channelled via email or telephone. Subsidiaries of multinational companiesa bank account are often under targeted, the attacker’s as employees control. working The request for regional may be cells do not usually personally know senior management in the holding company and may be fearful of losing their job if they do not obey their ultimate boss. The scam does not require advanced technical knowledge as everything the attacker needs to know can be found online. Organisation charts and other information available from the company website, business registers and professional social networks provide the attacker with actionable intelligence.

http://www.symantec.com/

62 en-us.pdfSymantec Intelligence Report June 2015, content/en/us/enterprise/other_resources/intelligence-report-06-2015. , 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 39

RECOMMENDATIONS

¡¡ ¡¡ Where it is not possible to identify or arrest individuals, law mechanism covering a range of social engineering offences. enforcement should focus on disrupting or dismantling the OnlineIt is necessary reporting to develop channels an efficient,are considered fit-for-purpose to be especially reporting criminal infrastructure which may be supporting multiple suitable for high-volume incidents of a minor nature. types of criminality.

¡¡ While social engineering attacks are scalable, law enforcement ¡¡ Law enforcement should establish and maintain working resources are not. Law enforcement should therefore continue relationships with both global and national webmail providers to share information with and via Europol in order to identify to promote the lawful exchange of information relating to the campaigns which are having the greatest impact, thereby criminals abusing those services. allowing law enforcement to manage its resources more effectively.

¡¡ Where the capacity and capability exists, law enforcement should target criminal groups providing enabling services such as spam which supports many aspects of cybercrime including social engineering attacks and phishing. 40 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

DATA BREACHES AND NETWORK ATTACKS

hacked. Both leaked personal and sensitive details related to millions of their customers, leaving them vulnerable to extortion customersThe scale of the Target data breach of late 2013 made it one of the largest63 data breaches in history, affecting up to 40 million were largely North American, however AdultFriendFinder had data breach”. However,across a variety it turned of industryout to only and be media the first reporting. of a series and social engineering attacks. AshleyMadison’s clientele of significant breaches that earned 2014 the title of “Year of the of these within Europe is unknown, therefore the impact of these breachesapproximately on European 3.5 million citizens customers may neverworldwide. be fully The appreciated. proportion hindered law enforcement from mounting a suitable response to networkIn the 2014 intrusions, IOCTA with it was industry highlighted preferring how (where a lack of possible) reporting to allow the incident to be handled by private security companies. Howeverare based overwithin 1400 Europe. customers It is therefore were66 identifiedsafe to assume as senior that Since then however, there has been a clear increase in the level executivesEuropean citizensof Fortune feature 500 companiesamongst those, over who one have fifth had of which their of reporting to and subsequent involvement of law enforcement personal details disclosed. in such investigations.

investigated some form of data breach or network intrusion, originatedThe table from beside within, identifies or which some are of believed the more to impact, prominent the Almost 75% of Member States indicated that they had EUpublicised. The number data breaches of breaches from apportioned the first half to each of 2015 country which is investigations. Over one third of EU law enforcement agencies at least67 partly representative of the stringency of the reporting with almost half of Member States running 10 or more distinct regulations within that jurisdiction.

Notidentified all network network intrusions intrusions lead as anto increasingthe leakage threat. of data or theft The majority of data breaches occurred as a result of of intellectual property. The defacement of business or private compromised credentials (typically those with administrator websites was one of the most commonly reported cyber-attacks rights), with the rest largely made up of phishing attacks and, within EU law enforcement. It was also noted that there is an in the case of industries using point-of-sale (PoS) terminals, increasing number of these attacks with a terrorist context.

64 RAM scraping. Broken down differently, 25% of breaches were Theestablished, 2015 Verizon a breach Data occurs Breach with Investigation the intention Report of instigating (DBIR) wereas a result additionally of crimeware, as a result 20% ofthe miscellaneous result of insider human misuse errors, and furtheridentified attacks that inon 70% secondary of attacks victims. where For the example, motive couldusing bea such15% as asending consequence sensitive of physicalinformation theft to or the loss. wrong Almost recipient one third or hacked server for hosting malware or phishing. accidentally publishing sensitive data to public servers . 68 data breaches. In May and July respectively, adult hookup websitesNevertheless AdultFriendFinder 2015 has already and witnessed AshleyMadison a number, ofan significant allegedly discreet website for those seeking extra-marital65 affairs, were

63 LowCards, 40 Million Card Accounts Affected by Security Breach at Target, International Business Times, John McAfee, Is the AdultFriendFinder Hack a http://www.lowcards.com/40-million-card-accounts-affected-security-http://www. Major Threat to National Security?, http://www.ibtimes.co.uk/john-mcafee- breach-target-21279, 2015 66 64 KrebsVerizon, on 2015 Security, Data Online Breach Cheating Investigations Site AshleyMadison Report, Hacked, http:// Breach Level Index, http://www.breachlevelindex.com/ verizonenterprise.com/DBIR/2015/, 2015 adult-friendfinder-hack-major-threat-national-security-1504070http://www. , 2015 65 hacked/ 67 , 2015 krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison- 68 Verizon, 2015 Data Breach Investigations Report, , 2015 verizonenterprise.com/DBIR/2015/, 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 41

Records Organisation Industry Country Source of breach Data compromised compromised Name, address, telephone Talk Talk Telecoms UK Malicious outsider numbers, account number 4 000 000 Name, DOB, email address, gender, AdultFriendFinder Other Global Malicious outsider location, sexual orientation Moonpig Ltd Technology UK Accidental loss 3 800 000 Name, address, partial card details

Vivanuncios Technology UK Malicious outsider 3 600 000 Username, email address

TV Channel MyTF1 Media FR Malicious outsider 2 000 000 Name, address, email, password

Scout Association Other UK Accidental loss 1 900 000 Unknown Email address, encrypted MAPP.NL Retail NL Malicious outsider 450 000 password 157 000 Name, address, email address, French State TV Media FR Malicious outsider phone number Army & Airforce Exchange 108 000 Government DE Malicious outsider Address, email, phone number (Siga Telecom) 98 000 Name, DOB, email address, phone World Trade Organization Financial Global Hacktivist number, login credentials, job details 53 000 CISI Financial UK Malicious outsider Name, email address

Temporis Other FR Malicious outsider 40 000 Email, password

British Airways Transportation UK Malicious outsider 24 000 Unknown

PaymyPCN.net Other UK Malicious outsider 10 000 Name, address, photograph, email

10 000 DDOS ATTACKS

Approximately half of the Member States highlight Distributed an attacker to either achieve their goal or to realise their attack Denial of Service (DDoS) attacks as a considerable threat. This is was successfully mitigated . Also, opportunity costs or rental fees prevent those who own70 or rent the botnet from prolonged of DDoS attacks per day attacks. confirmed by security industry69 reports documenting hundreds which are an order of magnitude. So far in smaller,2015, several may alreadyof the attacks cause DDoS extortion attacks have become a well-established criminal availabilityhave exceeded issues 100 for Gigabitsmany hosts. per Three-quarters second while of even attacks attacks last of DDoS capable malware and increasing popularity of enterprise. These attacks further benefit from availability less than four hours, suggesting that this is sufficient time for https://securelist.com/ https://securelist.com/

69 Kaspersky, DDoS Intelligence Report Q2 2015, 70 Kaspersky, DDoS Intelligence Report Q2 2015, analysis/quarterly-malware-reports/71663/kaspersky-ddos-intelligence- analysis/quarterly-malware-reports/71663/kaspersky-ddos-intelligence- report-q2-2015/, 2015 report-q2-2015/, 2015 42 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

pseudonymous payment mechanisms. One of the most evident Part of this strategy is clearly more frequent engagement with law enforcement. A number of European law enforcement agencies noted that the threshold for reporting breaches was personifications of the threat is a group called DD4BC (DDoS for Bitcoin) emerging in early 2015. Their ransoms range between 1 instructions.and 100 Bitcoins, To increase depending the credibilityon the perceived of their financial claim, the standing group expertisedecreasing. in Asdoing both so confidence increases, wein lawcan enforcement’sexpect law enforcement ability to of the victim and their willingness to comply with the attacker’s toinvestigate become more such actively crimes and and frequently law enforcement’s involved in capability investigating and Companies that pay the ransom risk being approached by the this type of criminality. blackmailersoften launches again a small for aattack higher against amount. the victim’s infrastructure. The term Advanced Persistent Threat (APT) was originally used by the U.S. government to describe nation state cyber-attacks sector.DD4BC It primarily is no longer targets clear the whether online the gambling attacks canindustry be attributed but has over a prolonged period, typically with the agenda of stealing torecently a single broadened criminal group their or activity whether to other also attackcriminals the are financial trying datawhich or were causing sophisticated, damage for specifically strategic targetedgain. More and recently took place the to replicate the business model. As the reputation about the term has been adopted, and perhaps overused, by the media and crime group and its modus operandi spreads, it may become security vendors to apply to any cybercrime group operating increasingly effective for attackers with no technical skills and 72,73. That said, there is evidently a infrastructure to impersonate the group. blurring in the use of tools and techniques between the two groups;similar both tactics factions for profit using social engineering and both custom FUTURE THREATS AND DEVELOPMENTS malware and publically available crimeware . Industry reporting indicates that there is a clear trend 74,75in cybercrime groups increasingly performing long-term, targeted APT-style when an organisation has been the victim of a network intrusion attacks instead of indiscriminate scattergun campaigns . This orHistorically, data breach. law The enforcement reasoning behindhas not this been is likelythe first a combination port of call will make it increasingly harder for investigators and security76 of the belief that law enforcement would be either unwilling or researchers to distinguish between attacks by either group and will require investigators to look more deeply at the motive and purpose behind an attack. appropriateunable to investigate level of discretion. the crime and/or a lack of confidence in law enforcement’s ability to handle the investigation with the This trend appears to be changing however with the number of breaches being both reported to law enforcement and publically disclosed on the increase. Part of this may be a change in thinking aamongst breach was the privateconsidered sector. an exception Prior to 2014,whereas publicising today there a data is a growingbreach would realisation have that significant a breach reputational is to some degree damage. inevitable. Suffering In the wake of the volume and scale of the data breaches throughout 72 Websense, Advanced persistent Threats and Other Advanced Attacks, https:// www.websense.com/assets/white-papers/whitepaper-websense-advanced- responds to a breach is as important as whether it has had persistent-threats-and-other-advanced-attacks-en.pdf 2014, it has perhaps become apparent that how an organisation 73 McAfee, Combating Advanced Persistent Threats, http://www.mcafee.com/ us/resources/white-papers/wp-combat-advanced-persist-threats.pdf, 2011 71 stakeholders as part of an effective communication strategy FireEye, Targeted Crimeware in the Midst of Indiscriminate Activity, https:// one. A timely ‘clear and confident’ message to customers and , 2011 74 html prevent rampant speculation by the media. www.fireeye.com/blog/threat-research/2015/05/targeted_crimewarei.https://www2.fireeye.com/rs/fireye/images/rpt- can do much to maintain confidence in an organisation and , 2015 75 Computerworld,Mandiant, M-Trends Cybercriminals 2015, Borrow from APT Playbook in Attacking PoS Vendors,m-trends-2015.pdf , 2015 71 https://www2.fireeye.com/rs/fireye/images/rpt- 76 hacking/cybercriminals-borrow-from-apt-playbook-in-attacking-pos- vendors.htmlhttp://www.computerworld.com/article/2918406/cybercrime- Mandiant, M-Trends 2015, m-trends-2015.pdf, 2015 , 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 43

Simple Service Discovery Protocol (SSDP) protocol that is ¡¡ Law enforcement must continue to engage with private enabled by default on millions of Internet devices using the industry to build and maintain relationships in order to Universal Plug and Play (UPnP) protocol – including routers, webcams, smart TVs and printers – has become the leading DDoS enforcement will be approached in the event of a breach. increase industry confidence and the likelihood that law the proliferation of the Internet of Things, attackers are likely ¡¡ If the affected party has not yet done so, law enforcement toamplification increasingly attack abuse vector large innumbers the first of quartervulnerable of 2015.unsecured With should advise contacting national CERTs for addressing the online devices for powerful DDoS attacks77. incident response and prevention of future incidents using anti-DDoS protection. RECOMMENDATIONS ¡¡ As the business costs of seizure of the targeted infrastructure ¡¡ In order to be able to effectively investigate this type of crime, for forensic examination may be prohibitive, law enforcement law enforcement must share experience, expertise and best should develop in-situ forensics capabilities. practice and seek to increase their capacity and capability in dealing investigations of this nature. Law enforcement must ¡¡ Law enforcement should closely cooperate with IT show that it is both ready and able to meet this challenge. departments of the affected companies to assure preservation of relevant evidence.

77 Akamai, State of the Internet – Security Report, https://www.

report.html stateoftheinternet.com/resources-web-security-2015-q1-internet-security- , 2015 44 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

ATTACKS ON CRITICAL INFRASTRUCTURE

Critical infrastructure continue to be at risk from constantly The threat theatre is increasingly characterised by organised evolving threats in cyberspace, which need to be addressed in a groups or non-state actors and individuals resorting to holistic and effective manner in order to protect economies and asymmetric attacks enabled by the universal connectivity the societies . Internet provides and the availability of the necessary tools 78,79 and attack information. Loss of control over technology as a Supervisory Control and Data Acquisition (SCADA), Industrial result of globalisation, the need for online accessibility, and foreign ownership of critical infrastructures is also increasing (AIS) are complex systems composed of various hardware and vulnerabilities. softwareControl Systemscomponents, (ICS) often and from Automatic different Identification vendors. They Systems were often designed with little consideration for network security. The time period from when a vulnerable system is breached Mergers and acquisitions, poor assessment management, by a malicious outsider to the breach being discovered and absence of patch management policies and a lack of knowledge transfer prior to staff turnover can all negatively impact the . This may be due to a variety of reasons, cybersecurity of CIs. Together with the persistence of legacy includingvulnerabilities the fact identified82 that the and scope patched, and nature is currently of attacks on may average not beabout clear 200 from days the beginning. of updates, a steady increase in the number of opportunities to exploitsystems vulnerabilities and the difficulties can be inexpected maintaining. a continuous cycle FUTURE THREATS AND DEVELOPMENTS 80 CI is becoming increasingly automated and interlinked, thereby The management and operation of critical infrastructure introducing new vulnerabilities in terms of equipment failure, systems will continue to depend on cyber information systems and electronic data. Reliance on the power grid and as physical and cyber-attacks. Network isolation is no longer telecommunications will also continue to increase, as will the configuration error, weather and other natural causes . as well number of attack vectors and the attack surface due to the 81 complexity of these systems and higher levels of connectivity sufficient to ensure the security of an industrial facility due to smart networks. The security of these systems and data is . 83,84,85 Evenvital tothough public confidencecyber sabotages and safety have been infrequent so far , attacks on critical infrastructures are a threat that is here to86 stay. In the future we will observe an increase in attacks on data brokers, on physical infrastructures, and on telecommunication

Tripwire, Cyberterrorists Attack on Critical Infrastructure Could be Imminent, http://www.tripwire.com/state-of-security/security- 78 data-protection/security-controls/cyberterrorists-attack-on-critical- infrastructure-could-be-imminent/ 82 days-inside/Infosecurity, Hackers Spend 200+ Days Inside Systems Before Discovery, Arstechnica, Fear in the Digital City: Why the Internet has Never been More NBChttp://www.infosecurity-magazine.com/news/hackers-spend-over-200- News, Critical Infrastructure Is Vulnerable to Cyberattacks, Says Eugene Dangerous, , 2015 Kaspersky, http://www.nbcnews.com/tech/security/critical-infrastructure-, 2015 79 in-the-digital-city-why-the-internet-has-never-been-more-dangerous/2/, 83 http://arstechnica.com/information-technology/2015/02/fear- http://www.dell.com/learn/us/en/ Trend Micro, A Security Evaluation of AIS, http://www.trendmicro.com/ vulnerable-cyberattacks-says-eugene-kaspersky-n379631, 2015 2015cloud-content/us/pdfs/security-intelligence/white-papers/wp-a-security- 84 Kaspersky,Dell, 2015 Annual Critical Threat Infrastructure Report, Protection, http://www.kaspersky.com/ 80 evaluation-of-ais.pdf industrial-security-cipuscorp1/press-releases/2015-04-13-dell-annual-threat-report, 2015 Kaspersky, Cyberthreats to ICS Systems, http://media.kaspersky.com/en/ 85 The Economist, Defending the Digital Frontier, http://www.economist.com/ , 2015 , 2015 81 web.pdf 86 increasingly-under-attack-cyber-criminals business-security/critical-infrastructure-protection/Cyber_A4_Leaflet_eng_ news/special-report/21606416-companies-markets-and-countries-are- , 2014 , 2014 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 45

RECOMMENDATIONS

¡¡ Policy makers must ensure the swift implementation of the EU Directive on attacks against information systems. The Directive aims to strengthen national cybercrime laws and introduce tougher, consistent and EU-wide penalties for illegal networks, such as global denial of service attacks on all connected access and system and data interference and criminalising the services. New forms of CI such as social media platforms will use of malware as a method of committing cybercrimes . become a87 prime target for cybercriminals . 93 88 ¡¡ In the context of the draft Directive on Network and Exploitation of existing vulnerabilities, zero days and targeted Information Security (NIS), there is a need to improve phishing attacks will increase and continue to pose threats coordination, active partnership, and relationships between against critical infrastructures owing to the complex mix of the private sector, law enforcement and CERT community94. legacy systems and new components combined with the need to minimise business disruption and cost, which often delay ¡¡ Law enforcement and prosecution must be engaged early upgrades and updates. Lack of supplier support and end-of-life following cyber security incidents to allow investigation of the criminal aspects of such attacks . Employees with privileged system access will remain key targets 95,96,97,98 andpolicies subject also to have social a engineering significant impactattacks on . the security of CIs. ¡¡ Organisations should consider adopting ENISA guidelines for 89,90 incident handling in order to minimise operational downtime Strengthening cyber security and tackling cybercrime requires when investigating incidents. a combination of prevention, detection, incident mitigation, and ¡¡ Member States should identify which entities should be necessitates a cooperative approach from the public and private considered as critical infrastructure within their jurisdiction. sectors,investigation. and connecting Addressing the critical local infrastructures’ and international vulnerabilities dimension. The challenge of protecting critical infrastructures requires ¡¡ Law enforcement and agencies dealing with National Security managing competing demands between security and privacy . Strategies should ensure there is a single point of contact 91,92 available to deal with key national critical infrastructure Informationweek, The Weaponization of Cyber Vulnerabilities, http://www. entities. informationweek.com/whitepaper/cybersecurity/network-&-perimeter- 87 ?gset=yes& CSO,security/week-to-weak:-the-weaponization-of-cyber-vulnerabilities/360793 Pressure Mounts in EU to Treat Facebook and Twitter as Critical Infrastructure,, 2015 EU Directive on attacks against information systems, http://eur-lex.europa. 88 eu-treat-facebook-twitter-critical-infrastructure/ Recorded Future,http://www.cso.com.au/article/578271/pressure-mounts- Real-Time Threat Intelligence for ICS/SCADA Cyber 93 ENISA, Critical Infrastructures and Services, https://www.enisa.europa.eu/ Security, http://go.recordedfuture.com/hubfs/data-sheets/ics-scada.pdf, 2015 , activities/Resilience-and-CIIP/critical-infrastructure-and-serviceseu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:218:0008:0014:en:PDF, 2013 89 94 CERT-EU, DDoS Overview and Incident Response Guide, http://cert.europa. Techcrunch, The Dinosaurs of Cybersecurity Are Planes, Power Grids , 2011 and2014 Hospitals, 95 https://www2.fireeye.com/rs/fireye/images/rpt- 90 cybersecurity-are-planes-power-grids-and-hospitals/ eu/static/WhitePapers/CERT-EU-SWP_14_09_DDoS_final.pdf, 2014 Infosecurity Magazine,http://techcrunch.com/2015/07/10/the-dinosaurs-of- Destructive Cyber-Attacks Blitz Critical Infrastructure 96 CERT-EU,Mandiant, Data M-Trends Acquisition 2015, Guidelines for Investigation Purposes, http:// – Report, http://www.infosecurity-magazine.com/news/destructive-cyber-, 2015 m-trends-2015.pdf, 2015 91 attacks-critical/ 97 Trend Micro, Report on Cybersecurity and Critical Infrastructure in the ENISA,cert.europa.eu/static/WhitePapers/CERT-EU-SWP_12_04_Guideline_ Electronic Evidence – a Basic Guide for First Responders, https:// Americas, http://www.trendmicro.com/cloud-content/us/pdfs/security-, 2015 www.enisa.europa.eu/activities/cert/support/fight-against-cybercrime/DataAcquisition_v1_4_4.pdf, 2012 92 intelligence/reports/critical-infrastructures-west-hemisphere.pdf 98 electronic-evidence-a-basic-guide-for-first-responders

, 2015 , 2015 46 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

CRIMINAL FINANCES ONLINE

The digital underground, like any economy, relies on the free CRIMINAL-TO-CRIMINAL PAYMENTS to and used by cybercriminals is diverse. It ranges from real This category of payment includes any transaction where one world,flow of physical funds. Thepayments variety to ofuntraceable payment mechanismscryptocurrencies, available and cybercriminal makes a payment to another for purchase of or everything that falls in between. Many payment mechanisms with access to a crime-related product or service – a common scenario within the CaaS business model of cybercrime. enterprisea significant – oranonymity, absolute onlinerapid, aspectcheap andoffer irreversible a number of transfers, features For such payments the nature of the service or product paid that make them attractive as a financial instrument for criminal payment mechanisms can offer a level of anonymity similar to of compromised data (such as stolen credit card details) is cashand obfuscatedbut in an online financial environment. transactions. In many respects, some concerned,for is also the an influencinguse of Bitcoin factor. or money For service instance, bureaus where (typically the sale Western Union) is common; however the use of voucher systems The payment mechanisms used by cybercriminals can be broken (Ukash) or WebMoney is also noted. down into the following categories: Hidden services on the Darknet such as Agora or the now defunct ¡¡ Evolution almost exclusively use Bitcoin for payment, with the cards) mechanisms to handle payment and escrow functions built into Traditional financial instruments (e.g. banks accounts, credit the market interfaces. ¡¡ Money service bureaus (e.g. Western Union, MoneyGram) Overall, Bitcoin is beginning to feature heavily in many EU law ¡¡ Voucher systems (e.g. Ukash, paysafecard)

¡¡ Online payment services (e.g. PayPal, Skrill) notableenforcement payment investigations, system used accounting for transactions for over of this 40% nature, of all identified criminal-to-criminal payments. PayPal is another ¡¡ Centralised virtual currencies (e.g. PerfectMoney, WebMoney) lesser extent paysafecard, Ukash, Webmoney and Western Union wereaccounting also used. for almost one quarter of identified payments. To a ¡¡ Decentralised virtual currencies (invariably Bitcoin) PAYMENT FOR LEGITIMATE SERVICES ¡¡ Other pre-paid solutions (e.g. pre-paid debit cards) Transactions in this category represent scenarios where a Furthermore, when considering how and why cybercriminals cybercriminal is required to make a payment to a legitimate, use any particular payment mechanism it is important to public facing company for such things as hosting, hardware, consider the nature of the transaction. In this respect, four software or travel and accommodation. The nature of the payment mechanism used in these scenarios indicate that cybercriminals rarely feel the need to hide their identities, or distinct scenarios can be identified.

transfersdo not have from the bank skill accounts. set to do However, so, as over whether 60% of these transactions cards or accountsuse traditional are legitimate, financial compromised instruments or such fraudulently as credit obtained cards or is unknown. THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 47

VICTIM PAYMENTS FUTURE THREATS AND DEVELOPMENTS

Where a cybercrime victim is not simply subject to a Although there is no single common currency used by malicious, destructive attack there will frequently be an cybercriminals across the EU, it is apparent that Bitcoin may attempt to obtain funds from the victim. Cyber-extortion is gradually be taking on that role. Bitcoin features as a common becoming increasingly common, particularly with the growing payment mechanism across almost all payment scenarios, a trend which can only be expected to increase. methods of cyber-extortion such as the threat of DDoS attackspervasiveness are still ofcommonplace ransomware,. Again, however Bitcoin more features ‘traditional’ as the Cryptocurrencies are slowly gaining acceptance at government most common single payment99 mechanism used in extortion level, with a number of EU jurisdictions either proposing payments, accounting for approximately one third of cases. regulation of cryptocurrencies or already recognising them Voucher systems such as Ukash, paysafecard and MoneyPak also under existing legislation 100. It is inevitable that more accounted for over one quarter of cases. Direct bank transfers jurisdictions will follow suit101,102 although it would appear that there and money service bureaus also accounted for notable volumes is currently a lack of harmonisation in approaches. of such payments. Any regulation of cryptocurrencies would likely only be if they are victims of fraud, either as a result of social engineering such as those providing exchange services. The inability to orVictims when also paying make for payments non-existent to attackers or bogus in less goods flagrant or services attacks applicable and enforceable when applied to identifiable users such as fake anti-virus software. In these instances real world how any regulation could be enforced for everyday users. attribute transactions to end users makes it difficult to imagine account for half of all fraudulent payments, however Bitcoin is It is clear that cybercriminals will continue to use whichever alsofinancial used servicesin almost (money one third service of payments. bureaus and bank transfers) payment mechanism is convenient, familiar or perceived to be safe, including those that are already regulated and maintain MONEY MOVEMENT/LAUNDERING anti-money laundering controls.

There are naturally instances where a cybercriminal does not transfer funds to a third party, but simply moves money from anticipated that more niche, privately controlled currencies one location or payment system to another. This can include wouldIn the 2014come Internet to the fore.Organised However Crime these Threat have Assessment either yet itto was be discovered or have simply not materialised. That said, there cards and the use of exchangers to exchange to, from or between with new the ‘cashing out’ of compromised financial accounts and credit variants being released almost daily. 103 are currently over 650 recorded cryptocurrencies Asvirtual, with digitalvictim payments,and fiat currencies. over half of transactions are carried out via money service bureaus and bank transfers. In this scenario however, Bitcoin and other payment mechanisms such as CoinDesk, Will the New UK Government Create a Bitcoin Hub? http://www. WebMoney only account for a small proportion of transactions. coindesk.com/will-the-new-uk-government-create-a-bitcoin-hub 100 http://rt.com/news/ , 2015 101 JDSUPRA,RT, Germany Virtual Recognizes Currencies: Bitcoin International as ‘Private Money’,Actions and Regulations, http://www.jdsupra.com/legalnews/virtual-currencies-international-bitcoin-germany-recognize-currency-641/, 2013 102 Government, Crypto-Currency Market Capitalizations, http://www.coinmarketcap.com, 99 zealand-ddos-attacks/CoinDesk, Bitcoin Extortion Group DD4BC Prompts Warning from Swiss action-03024/, 2014 http://www.coindesk.com/bitcoin-extortion-dd4bc-new- 103 , 2015 accessed 03/07/2015 48 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (iOCTA) 2015

Common Payment Payment Purpose Payment For Mechanisms Example

Bitcoins, Payment extorted as a result Extortion Bank Transfer, of a ransomware or DDoS attack. paysafecard Victim Payment Bitcoins, Fraud Bank Transfer, Loss to an online fraud/scam. Western Union

Testing of malware against Counter AV PayPal commercial AV products.

Bitcoins, Ukash, Purchase of compromised Data Western Union, financial data such as

WebMoney credit cards.

DDoS Bitcoins DDoS services for hire.

Criminal to Criminal Payment Purchase of hosting Hosting Bitcoins (including bulletproof).

Visa, MasterCard, Purchase of malware such as Malware WebMoney, RATS and banking trojans. PayPal

Trade on Bitcoins, Ukash, Purchase of drugs Hidden Service paysafecard or weapons.

Bitcoins, Hosting, hardware, software, Payment for Legitimate Service Bank Transfer, travel, accommodation, etc. Visa, MasterCard

Movement of money to maintain control of funds, or hide/break a financial Bitcoins, trail, including ‘cashing out’ Money Movement Bank Transfer, of compromised financial Western Union accounts. This also includes exchange to, from or between virtual, digital and fiat currencies. THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 49

Many focus on developing features which further enhance their ¡¡ Law enforcement should continue to monitor the alternate anonymity, thereby making them more attractive for illicit use. payment community for emerging payment mechanisms, to However, with so many existing options available to conduct assess their potential or likelihood of being used in cyber- illicit transactions securely online there seems to be little need. enabled crime.

RECOMMENDATIONS ¡¡ It is essential for law enforcement to build and develop

¡¡ Investigators must familiarise themselves with the diverse banks, money transfer agents, virtual currency scheme operatorsworking relationshipsand exchangers with in theorder financial to promote sector the including lawful of digital wallets used by the different payment mechanisms exchange of information and intelligence. inrange order of to account recognise and paymentthese in both references standard and and file forensic formats investigations. ¡¡ There is a need for harmonised legislative changes at EU level, or the uniform application of existing legal tools such as anti- ¡¡ Law enforcement must continue to cooperate and share money laundering regulations, to address the criminal use of knowledge, expertise and best practice on dealing with virtual currencies. Bitcoin and other emerging/niche digital currencies in cyber investigations. 50 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

CRIMINAL COMMUNICATIONS ONLINE The Internet has changed the way the world communicates. The with forums providing meeting- and market-places for criminals variety of options for engaging with others online is very diverse. to do business and engage with like-minded individuals. Users can choose to contact one person, or potentially millions at once, sharing information in almost any format or form of media. In July 2015, Operation Bugbite saw the successful takedown Moreover, the range of devices and applications which support of the most prolific English-speaking cybercriminal forum this level of communication is growing. to date: Darkode. The popular cybercriminal hub facilitated a wide range of criminal products and services including CRIMINAL TO VICTIM COMMUNICATION malware, zero day exploits, hacking, stealing credit card and bank credentials, botnets for rent and DDoS attacks. How a cybercriminal initiates contact with their victim is The operation, which was led by the FBI and supported by dependent on the nature, scale and scope of the intended attack. Europol’s EC3 with the involvement of law enforcement For high volume, untargeted attacks, email is still a preferred officers from 20 countries in and outside the European Union, method of contacting potential victims, and is easily achievable resulted in 28 arrests, 37 house searches, and numerous with automated or well-established criminal services such as spam. seizures of computers and other equipment. Many malware and social engineering attacks are particularly well suited to this scattergun style of approach, compensating for low For real-time, one-to-one communication, Jabber, and to a success rates by targeting potential victims en masse. Following a successful initial contact or attack, email often remains the primary contact method between attacker and victim. historylesser extent of use ICQ, in cybercrime,are regularly there employed, is a notable and the avoidance use of both of commonis on the commercialincrease. With products the exception in favour of of ICQ, platforms which withhas aactual long For targeted, campaign-style attacks more direct one-to-one or perceived levels of increased privacy and/or anonymity. forms of communication are preferred. The use of email is still common (i.e. spear phishing), for both malware-related ownership moving into the hands of a Russian company (the and social engineering type attacks. Contact in this instance Mail.ruThe gradual Group) increase. in the use of ICQ may be as a result of its will typically be limited to a select group of victims or even 104 individuals and often only as a stepping-stone to gaining access THE INCREASING USE OF ENCRYPTION to a third party. In other instances, there is continuing growth in the use of applications which allow VoIP or text messaging, More than three-quarters of cybercrime investigations in the particularly those available on mobile phones such as Skype, EU encountered the use of some form of encryption to protect Viber or WhatsApp. In cases relating to online child abuse, Skype data and/or to frustrate forensic analysis of seized media. is noted as a common communication method in addition to Both TrueCrypt and BitLocker are commonly encountered web-based chat rooms.

CRIMINAL TO CRIMINAL COMMUNICATION notedand increasingly an increased so,use of despite encrypted the email, cessation typically of TrueCrypt’sPGP. development in May 2014. Almost half of all Member States also When communicating with each other, the range of While the use of encryption legitimately, for the protection of communication options used by criminals differs considerably. personal, customer and other business data and intellectual Email is still commonly used, as are web-based chat rooms and applications such as Internet Relay Chat (IRC). The use of forums http:// on either the open or deep web, or Darknets, is also very common, 104 growing-for-the-first-time-in-yearsBloomberg, ICQ Messenger Is Growing for the First Time in Years, www.bloomberg.com/news/articles/2014-07-29/icq-messenger-is- , 2014 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 51

property is to be actively encouraged, the issues for law enforcement arising from its use by criminals and terrorists to similarly protect themselves cannot be overstated.

ANONYMISATION

Any cybercriminal maintaining even the most basic operational security requires some form of IP anonymising solution. The use of simple proxies and virtual private networks (VPNs) has continued to increase over the past 12 months and is now the norm amongst cybercriminals. The adoption of Tor as an anonymising solution has seen the greatest growth in the past 12 months, with half of EU Member States noting an increase in its use for the obfuscation of criminal activity. Instances of I2P being used as an anonymising solution unanswered. The balance between privacy and the protection of are also on the increase although it is not as widespread as Tor. data, and the necessity for law enforcement to be able to access This may be due to the simplicity of access to Tor, whereas data to investigate crime and terrorist activity, is not an easy I2P requires some additional user input that may deter less one to work and government are yet to come forward with a technical users. workable solution or compromise.

FUTURE THREATS AND DEVELOPMENTS RECOMMENDATIONS

With the actions of Edward Snowden still echoing loudly in the ¡¡ thoughts of governments and the security conscious alike, there VPN and proxy services used by cybercriminals to determine is clearly a drive towards greater use of encryption in data storage ifLaw any enforcement are suitable wouldfor either benefit information from a centralexchange database with law of and also end-to-end encryption in communications. Some major enforcement or intervention if criminal in nature. IT manufacturers are slowly moving towards encryption-by- default in their products ¡¡ Legislators and policy makers, together with industry and and to the private sector105,106 cannot be denied, the question as to academia, must implement a workable solution to the issue where this leaves governments. andWhile law the enforcement benefits to is the currently public of encryption which allows legitimate users to protect their privacy and property without severely compromising

Operating System, criminal or national security threats. 105 apple-defies-fbi-encryption-mac-osxThe Guardian, Apple Defies FBI and Offers Encryption by Default on New government and law enforcement’s ability to investigate The Wall Street Journal,http://www.theguardian.com/technology/2014/oct/17/ Apple and Others Encrypt Phones, Fuelling Government Standoff, http://www.wsj.com/articles/apple-and-others-, 2014 106

encrypt-phones-fueling-government-standoff-1416367801, 2014 52 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

DARKNETS

Investigations into hidden services on anonymising overlay networks such as Tor are becoming commonplace for EU the Darknet. cybercrime units. Over half of EU Member States have 2014-2015 has been a turbulent period for criminal services on investigated drug or payment card related activity on the In November 2014, 21 countries participated in Operation Darknet and over one third have investigated criminal activity Onymous which saw the seizure of 619 .onion domains along related to intellectual property, weapons or compromised bank with bitcoins worth EUR 900 000 and EUR 180 000 in cash, accounts. Almost a third of EU law enforcement actively monitors drugs, gold and silver. Thirty-three high profile marketplaces and forums were taken out of action and 17 individuals were rather than general intelligence gathering. arrested. It is estimated that the seized sites represented marketplaces, although largely in relation to specific operations approximately 37% of the market share on the Darknet. A small fraction of criminals active in the Darknet manage to A consequence of Onymous was the displacement of customers and vendors to the remaining marketplaces, the two largest and operate successful businesses generating significant107 . profits. most successful of which were Agora and Evolution. Several new Recent research established that the top 1% most successful vendors were responsible for 51.5% of all transactions Additionally the prices of illegal goods on many of the remaining servicesmarketplaces were alsoseen opened to increase to fill108 the. vacuum left by the operation. Carnegie Mellon University, Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem, https://www.usenix.org/ 107 Its administrators left, taking with them over EUR 11 million system/files/conference/usenixsecurity15/sec15-paper-soska-updated.pdf, In March 2015, Evolution shut down as a result of an exit scam.109 2015 in Bitcoins belonging to vendors and customers which had been held in escrow. This was the second such major exit scam to occur

followingnot all criminalthe Sheep forums Marketplace or marketplaces which folded there in November is undoubtedly 2013 along with over EUR 36 million of members’ Bitcoins. On most if

Volume of law enforcement. Whether this paranoia is unwarranted Transactions a degreeor not, of exitparanoia scams that such the as sitethese has create been aninfiltrated additional by Darknet dimension of distrust that law enforcement could not Vendors 1% 51,5% in these marketplaces. hope to achieve and further undermines confidence Following the exit of Evolution, the Agora marketplace, along with several smaller markets such as Abraxas, Alphabay, Black Bank, and Middle Earth have absorbed the displaced vendors and

99% 48,5% 108 The Impact of Operation ONYMOUS; Exit Scam Europol Ever?, 2015 evolution-marketplace-exit-scam-biggest-exist-scam-ever109 DEEPDOTWEB, Evolution Marketplace Exit Scam: Biggest https://www.deepdotweb.com/2015/03/18/ , 2015

Social Engineering – Victims’ Demography

Mainstream users with limited security awareness

Expert Reckless users users with high ignoring security awareness THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 53

customers110. On top of additional security measures in the wake RECOMMENDATIONS of Onymous, such sites are now also implementing protocols to help prevent or mitigate potential exit scams such as multi- ¡¡ Law enforcement should proactively gather intelligence relating to hidden services; however this requires a these will not only reduce the amount of Bitcoin sitting in coordinated approach in order to prevent duplication escrowsignature but escrow also prevent and early a single finalisation person having of payments. full control Together over of effort. the funds. ¡¡ Member States should provide intelligence relating to hidden Post Onymous, the Agora, Outlaw and Nucleus marketplaces are the highest priority marketplaces for EU law enforcement, with intelligence picture of hidden services across Europe. There a number of Member States also targeting sites hosted in their needsservices to to be Europol’s greater EC3engagement to allow itfrom to build non-cybercrime a comprehensive law native language. enforcement in tackling hidden services. The sale of drugs or

FUTURE THREATS AND DEVELOPMENTS issue for these crime areas as it is for cybercrime. firearms in these marketplaces is as much, if not more, of an Between Operation Onymous and the growing number of ¡¡ Further intelligence gathering is required on the use of I2P and other peer-to-peer networks as hosts for illegal online undoubtedly been shaken. Onymous was a strong statement by marketplaces. lawlarge enforcement scale exit scams, that theseconfidence services in undergroundare certainly marketsnot beyond has their reach. Yet, despite this message, hidden services continue ¡¡ Law enforcement should collaborate with private sector and to grow, multiply and evolve. academia to explore investigative and research opportunities related to emerging technologies such as decentralised The prospect of services moving from Tor to I2P is still real, marketplaces like OpenBazaar. however research carried out to date suggests that Tor is still by far the preferred network111. A more concerning prospect (for law enforcement) is the development of decentralised marketplaces such as the OpenBazaar. OpenBazaar is a BitTorrent-style peer- to-peer network which allows direct contact between customers and vendors and uses Bitcoin as a payment mechanism112. As the be targeted by investigating law enforcement and intervention is a‘market’ considerable is peer-to-peer challenge, there mirroring would the be issuesno website law enforcement or server to currently has with investigations involving Bitcoin. Payments on the OpenBazaar use a multi-signature approach involving a that there is no possibility of performing an exit scam with third party ‘notary’ to control the release of funds. This means customers’ and vendors’ funds.

111 TNO research 112110 TheOpenbazaar, Impact of https://openbazaar.org Operation ONYMOUS; Europol 2015

, 2015 54 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

BIG DATA, IOT AND THE CLOUD

While the IoT is still seen as an emerging threat from a law Things (IoT) or the Internet of Everything (IoE) is seen as a enforcement point of view115 majorAs highlighted challenge infor the law 2014 enforcement IOCTA, thetogether rise ofwith the Big Internet Data and of including smart homes, smart cars116,117, smart medical devices118 the Cloud. Being able to keep up with the pace of technological and even smart weapons119 ,are the a rising clear numberindicator of ofsmart its growing ‘things’, development will require law enforcement to constantly update adoption120. This contributes to an increasing digitisation and their digital forensics capabilities. online presence of personal and social lives, and an increasing level of interconnectivity and automation, which creates a Based on the feedback received, Big Data for law enforcement number of challenges in terms of privacy, security, and trust. Law usually means a lot of data which is often referred to as the volume enforcement needs to be prepared to address the criminal abuse challenge. Cases involving several terabytes of data for one of such devices and of the data that is generated or collected via suspect are becoming more common, which has a considerable the IoT. impact on investigations in terms of resources and time, making The Cloud is an enabler for IoE and Big Data by providing the in the haystack. For instance, in one of the cases the amount of distributed and scalable resources needed to handle the data it more difficult for law enforcement to find the proverbial needle growth and provide the necessary processing services. Data tools and methods to improve the handling and analysis of large together with entire infrastructures will continue to move to the quantitiesdata exceeded of data 100113 .terabytes. This has stimulated research into Cloud, which is already creating technical and legal challenges for law enforcement. Equally, criminals aim to abuse Cloud services 121, for instance to and preventive police work is generally accepted114 host malware or C&C structures, as they are less likely to see any inWhile relation the potential to predictive benefit policing, of Big Data it appears for more that efficient, the majority proactive of such as popular file synchronisation services EU law enforcement agencies are not at a stage where, specifically Big Data analytics is being used to its full potential or even considered at Fortraffic law blocked enforcement, by security the systems.top challenges in relation to smart devices and the Cloud are: improved and more targeted analytical capabilities, an increased all. The potential benefits identified by law enforcement include process and the ability to create a denser timeline of events, and thechance support to find for relevant the automated evidence, analysis better ofsupport crime-relevant for the triage data, including speech and video recognition. involving a smart device. 115 Reuters,2015 IOCTA Daimler Survey; to Test Only Self-driving one EU law Trucks enforcement in Germany agency This reported Year, http:// a case

116 117 GlobalAutomakers,www.reuters.com/article/2015/07/25/us-daimler-autonomousdriving- Vehicle-to-Vehicle Technology, https://www. globalautomakers.org/topic/vehicle-vehicle-technologyidUSKCN0PZ0KH20150725, 2015 FierceHealthIT, IoT to Fuel Revolution in Digital Healthcare, http://www. , 2015 118 fiercehealthit.com/story/iot-fuel-revolution-digital-healthcare/2015-07-01,http:// 2015 119 target/,WIRED, Hackers Can Disable a Sniper Rifle – Or Change Its Target, Trendwww.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change- Micro, What Smart Device Makers Must Do to Drive the IoT Revolution, http://blog.trendmicro.com/what-smart-device-makers-must-do-to-drive- 2015 120 113 Elsevier, Fast Contraband Detection in Large Capacity Disk Drives, http:// 121 Inthe-iot-revolution/?linkId=15627100, the Cloud” Attacks that Use Popular File2015 Synchronisation Services, ISSUU, Predictive Policing: Taking a Chance for a Safer Future – http://issuu. Imperva, Imperva Hacker Intelligence Initiative uncovers New “Man www.dfrws.org/2015eu/proceedings/DFRWS-EU-2015-3.pdf, 2015 114 http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol- com/rutgerrienks/docs/predictive_policing_rienks_uk, 2015 newsArticle&ID=2075878, 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 55

¡¡ Access to data – including determining the location of and ¡¡ Access to data – centralised access, single point of contact for timely and lawful access to evidence, determining the relevant data requests, possibility for improved exchange of data; legislation, and technical challenges – for instance in relation to encryption; ¡¡ More opportunities for public-private partnerships and cooperation with private industry. ¡¡ Digital forensics and investigation – in relation to live data forensics and cloud forensics, but also in terms of keeping up Future threats and developments with the pace of technical development and the variety of new hardware and software components; encryption, attribution Rapid technological advancements and the increasing (inter) and the quantity of data were highlighted under this topic; connectivity of people and devices contribute to an ever-rising stream of data and further blur the lines between real life and ¡¡ cyberspace.

respondersTraining and and education forensics – specificallyexperts; in terms of establishing While this is making the protection of data and ensuring privacy and maintaining the necessary skills and expertise for first more challenging, it can also help address the new challenges ¡¡ Privacy and data protection issues linked to a lack of control and threats in cyberspace, for instance in the form of data-driven over data and the risk of data breaches, criminal abuse e.g. security or behaviour-based security122. in terms of hosting criminal infrastructures and new criminal opportunities due to a lack of security by design, a lack of protective action and a lack of awareness; 122 Techcrunch, Next-Gen Cybersecurity Is All About Behavior Recognition, behavior-recognition/ ¡¡ Cross-border/international cooperation issues linked to http://techcrunch.com/2015/08/23/next-gen-cybersecurity-is-all-about- , 2015 inadequate legislation and the mutual legal assistance treaty (MLAT) process.

Of the questionnaire responses received from EU law enforcement, three agencies indicated that they were CHALLENGES FOR LAW ENFORCEMENT organising or were planning on organising training programmes on the IoT and the Cloud. Three agencies Access to data Digital Forensics industry on this topic. One law enforcement agency and Investigation supportedspecified thatpreventive they were activities cooperating in this area. with private 21 Training and Education However, the feedback provided by law enforce- 19 Privacy, Data Protection, regard to the IoT and the Cloud: Criminal Abuse ment also identifies several opportunities with Cross-border/ ¡¡ Digital forensics and investigation – new International Cooperation investigative tools and techniques, new 12 sources and types of evidence, enhanced cross-matching and OSINT opportunities; 11 10 56 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

Data, particularly any personal data, is a commodity that is and Cybercriminals will continue to migrate their activities to the will continue to be highly sought-after by private companies to Cloud, often abusing legitimate services and combining different further improve the purchasing experience and the prediction techniques to hide their activities128,129. The dependencies of the of customer behaviour, but also for security purposes e.g. to IoT on Cloud services and storage will provide criminals with a implement two-factor authentication – as a key commodity and broadened range of possibilities to disrupt or manipulate smart enabler for cybercrime it is of equal interest to criminals. It is devices as well as to extract data130,131,132. therefore safe to assume that criminals will continue to target With criminals being able to potentially access and combine records containing different categories of personal data (e.g. different types and sources of data, one can expect more healthcarecompanies data)collecting as they data, can specifically be abused also in different companies ways that and hold for sophisticated types of attacks (e.g. social engineering) but also different types of crimes. new forms of existing crimes (e.g. extortion, ransomware). With novel approaches emerging to secure systems using e.g. The ever-increasing amount of data will increasingly require behavioural patterns133 to identify legitimate users, criminals tool support and automation, including machine learning may be forced to expand their data collection activities in order to be able to successfully mimic the behaviour of a user. enforcement and criminals alike and will present its own set of challengesand artificial for intelligenceinstance in terms approaches. of evidence This admissibility. will apply to law Common-mode failures or failures that result from a single fault in software or hardware components used in smart devices will The rising adoption of the IoT and the Cloud continues to continue to present a mayor cybersecurity risk to the IoT134,135. create new attack vectors and increases the attack surface for cybercrime123,124. Considering our increasing dependency on connected and smart devices, emerging and future attack scenarios may encompass physical or mental harm, either intentionally or unintentionally. Possible scenarios range from hacked smart cars and hacked medical devices125,126 to hacked In the Cloud” Attacks that Use Popular File Synchronisation Services, 128 Imperva, Imperva Hacker Intelligence Initiative uncovers New “Man weaponised drones127. http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol- newsArticle&ID=2075878, 2015 129 stealthy.htmlFireeye, Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group, HCI,https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_ Why Hackers Love Healthcare Organizations, http://www.healthcare- informatics.com/article/why-hackers-love-healthcare-organizations, 2015 131130 DARKReading, Spiderbot, Spiderbot, Does Whatever A Hacker Thought, http://www.darkreading.com/partner-perspectives/intel/spiderbot-, 2015

123 ENISA, Threat Landscape for Smart Home and Media Convergence, http:// 132 DARKReading, Vulnerable From Below: Attacking Hypervisors Using www.enisa.europa.eu/activities/risk-management/evolving-threat- Firmwarespiderbot-does-whatever-a-hacker-thought/a/d-id/1321850 And Hardware, http://www.darkreading.com/partner-,2015 environment/enisa-thematic-landscapes/threat-landscape-for-smart-home- perspectives/intel/vulnerable-from-below-attacking-hypervisors-using- and-media-convergence 133 Techcrunch, Next-Gen Cybersecurity Is All about Behavior Recognition, Applications, , 2015 firmware-and-hardware/a/d-id/1321834, 2015 124 SchneierNet Security, on Security, Average HackingFinancial Drug Services Pumps, Company https://www.schneier.com/blog/ Uses 1,004 Cloud behavior-recognition/ http://www.net-security.org/secworld.php?id=18793, 2015 http://techcrunch.com/2015/08/23/next-gen-cybersecurity-is-all-about- 125 MIT Technology Review, Security Experts Hack Teleoperated Surgical Robot, http://www.darkreading.com/vulnerabilities---threats/chrysler-, 2015 archives/2015/06/hacking_drug_pu.html, 2015 134 DARKReading, Chrysler Recalls 1.4 Million Vehicles After Jeep Hacking Demo, 126 teleoperated-surgical-robot/ Arstechnica,2015 Researchers Reveal Electronic Car Lock Hack After 2-Year 127 Gizmodo,http://www.technologyreview.com/view/537001/security-experts-hack- Police in India Will Use Weaponized Pepper Spray Drones on Injunctionrecalls-14-million-vehicles-after-jeep-hacking-demo-/d/d-id/1321463 by Volkswagen, , 2015 Protesters, http://gizmodo.com/police-in-india-will-use-weaponized- 135 researchers-reveal-electronic-car-lock-hack-after-2-year-injunction-by- volkswagen/ http://arstechnica.com/security/2015/08/

pepper-spray-drones-1696511132, 2015 , 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 57

THE GEOGRAPHICAL DISTRIBUTION OF

Recommendations CYBERCRIME

¡¡ There is a need to inform law enforcement on a broad basis Using the United Nation geoscheme , the following is a brief about Big Data and the challenges and opportunities that 138 come with it. enforcement activity impacting on various regions globally, summary of significant industry-reported threats and law ¡¡ With the increasing adoption of the IoT and Cloud computing and services, law enforcement needs to invest in developing AFRICAbased on 2014-2015 data. and maintaining the necessary skills, knowledge and technical capability to investigate IoT- and Cloud-related crimes. grow with blended cyber-attacks of increasing sophistication ¡¡ Existing initiatives aimed at improving the security of originatingAfrica’s significance from this in region.the cybercrime Indicators community suggest continuesthat African to smart devices should be promoted and used to encourage companies to consider security and privacy as part of the services available as-a-service on underground marketplaces as design process136. theircybercriminals European counterparts are benefiting. from the same products and 139 ¡¡ Security-by-design and privacy-by-design should be the guiding principles when developing smart devices and when terms of the location of offenders or infrastructure related to collecting and processing data. This includes the need to only cybercrimeNigeria features. as a top 10 country for EU law enforcement in collect the minimum amount of data necessary, automatically 140 protect personal data by using proactive security measures used for phishing are of African origin (.CF, .ZA, .GA and .ML) althoughFurthermore, with fourthe exception out of the of five .ZA top (South TLDs Africa) (top-level these domains) domains ¡¡ Basedand means on existing to make work individuals undertaken less inidentifiable. this area for instance by ENISA137, policy makers should continue to work on effective, based company . were repurposed141 in 2013 and are now owned by a Netherlands- THE AMERICAS efficient and balanced legislation and regulations. North America maintains its lead in terms of hosting malicious content and the proportion of global victims resident in that and 142 region. In 2014 the United States hosted between 20% UN Statistics Division, ,

138 Trend Micro, Piercing thehttp://unstats.un.org/unsd/methods/m49/m49.htm Hawkeye: Nigerian Cybercriminals Using a Simple Keylogger2015 to Prey on SMBs Worldwide, http://www.trendmicro.com/vinfo/ 139 us/security/news/cybercrime-and-digital-threats/hawkeye-nigerian- cybercriminals-used-simple-keylogger-to-prey-on-smbs Auto Alliance, Automakers Announce Initiative To Further Enhance Cyber-Security In Autos, http://www.autoalliance.org/index. http://internetidentity.com/wp-, 2015 136 140 2015 IOCTA Survey , 137 ENISA, Threat Landscape for Smart Home and Media Convergence, http:// 141 APWG, Global Phishing Report 2H 2014, www.enisa.europa.eu/activities/risk-management/evolving-threat-cfm?objectid=8D04F310-2A45-11E5-9002000C296BA163, 2015 content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdfhttp://blog.trendmicro.com/ environment/enisa-thematic-landscapes/threat-landscape-for-smart-home- 2015 and-media-convergence 142 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, trendlabs-security-intelligence/2014-annual-security-roundup-magnified- , 2015 , 2015 58 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

ASIA 143 and almost 40% of the world’s command-and-control servers.. 144 The Like the US, China continues to feature heavily in Internet security USA also hosts over 45% of the world’s phishing145,146 domains industry threat reporting. In addition, almost half of EU Member remainsThe United one States of the is world’s home to top a comparativelyspam producers high proportion of States had investigations where criminal infrastructures or of all bots offenders appeared to be located in China. Some sources identify 147 148 . global bots, harbouring between 16% and 20% Along with India 154 worldwide. In addition, in 2014 almost one third of PoS malware listsChina of ascountries the source hosting155 of over botnet 30% C&C of infrastructure global network. China attacks also and over 40% of all ransomware detections were in the USA. maintains one of the and highest South malware Korea, infection China features rates156 globally in top 10 infrastructures or suspected offenders were located in the and is subsequently home to one of the highest proportions 157of 20 EU Member States had investigations where criminal global bots . India, Indonesia, Malaysia, Taiwan and Japan also from the use of skimmed payment cards in the USA, though this 158 . United States and over 70% of SEPA countries reported losses 159,160 technology . host significant bot populations should decrease149 over time as the US finally adopts chip and PIN both a victim and source of cybercrime, featuring as a source of South America featured less in both industry reporting and EU spamJapan would and, inappear some to reports, have an having increasingly the second significant highest role global as detection161 rate for ransomware . Japan is also one of the top three countries in Asia where EU162 law enforcement investigation spamlaw enforcement. Poor digital investigations hygiene inis still2014 an although issue with both many Colombia South Americanand Argentina150,151 countries remain (Ecuador, in the Guatemala, top 10 countries Bolivia, Peru, for sending Brazil) South Korea and the Philippines are the most prominent of having high malware infection rates . Brazil is also often seen countrieshas identified in East perpetrators and South-East or Asia criminal out of infrastructure. which gangs running Japan, as a key player in malware related to 152PoS and ATM terminals and commercial sexual extortion campaigns are noted to operate. skimming devices . 153 Several Asian countries feature as top sources of spam, in South America (Brazil) is also often seen as a key player in particular Vietnam and to a lesser extent India and malware related to PoS, ATM terminals – and skimming devices. 163,164 165 http://www.symantec.com/ http://www.mcafee.com/nl/ 154 Symantec, 2015 Internet Security Threat Report,http://blog.trendmicro.com/ 143 McAfee Labs, Threat Reports May 2015, http://www.symantec.com/ security_response/publications/threatreport.jsp, 2015 resources/reports/rp-quarterly-threat-q1-2015.pdf , 2015 155 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, 144 Symantec, 2015 Internet Security Threat Report,http://blog.trendmicro.com/ trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.mcafee.com/nl/ security_response/publications/threatreport.jsp, 2015 , 2015 145 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, 156 McAfee Labs, Threat Reports May http://www.pandasecurity.com/2015, trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://blog.trendmicro.com/ resources/reports/rp-quarterly-threat-q1-2015.pdf , 2015 , 2015 157 Panda Labs, Annual Report 2014, http://www.symantec.com/ 146 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, mediacenter/src/uploads/2015/02/Pandalabs2014-DEF2-en.pdf, 2015 trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ 158 Symantec, 2015 Internet Security Threat Report, http://www.symantec.com/ , 2015 security_response/publications/threatreport.jsp, 2015 147 Symantec, 2015 Internet Security Threat Report,http://blog.trendmicro.com/ 159 Symantec, 2015 Internet Security Threat Report,http://blog.trendmicro.com/ security_response/publications/threatreport.jsp, 2015 security_response/publications/threatreport.jsp, 2015 148 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, 160 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, trendlabs-security-intelligence/2014-annual-security-roundup-magnified-https://www.european-atm- trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.mcafee.com/nl/ , 2015 , 2015 149 EAST, European Fraud Update 02/2015, http://blog.trendmicro.com/ 161 McAfee Labs, Threat Reports May 2015, http://blog.trendmicro.com/ security.eu/east-publishes-european-fraud-update-2-2015/, 2015 resources/reports/rp-quarterly-threat-q1-2015.pdf, 2015 150 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, 162 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://blog.trendmicro.com/ , 2015 , 2015 151 Symantec, 2015 Internet Security http://www.pandasecurity.com/Threat Report, 163 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, security_response/publications/threatreport.jsp, 2015 trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ 152 Panda Labs, Annual Report 2014, http://blog.trendmicro.com/ , 2015 mediacenter/src/uploads/2015/02/Pandalabs2014-DEF2-en.pdf, 2015 164 Symantec, 2015 Internet Security Threat Report, http://www.symantec.com/ 153 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, security_response/publications/threatreport.jsp, 2015 trendlabs-security-intelligence/2014-annual-security-roundup-magnified- 165 Symantec, 2015 Internet Security Threat Report, , 2015 security_response/publications/threatreport.jsp, 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 59

China . China also features again as a top jurisdiction within Many European regions – especially in Western Europe – Asia for166 hosting phishing domains, along with Hong Kong . feature some of the lowest global malware infection rates. The Although they are not noted for hosting phishing domains, the167 Scandinavian countries and Finland typically have the lowest country code top-level domains (ccTLDs) for both Thailand and rates . Pakistan are commonly used in phishing attacks . 174,175 168 Within the EU, France, Germany, Italy and to a lesser extent the UK click on the largest number of malicious URLs. This undoubtedly members report losses arising from the use of skimmed cards. contributes to these states having the highest malware infection The Asia-Pacific region is also the territory where most SEPA rates and the highest proportions of bots found within the EU. were in this region, with Indonesia most commonly reported, This is partly to be expected, however, given that these four andFive then out ofto a the lesser top extent six countries the Philippines, where losses South wereKorea, identified Vietnam jurisdictions have the highest populations in the EU. and Malaysia . 169 In terms of EU law enforcement activity, approximately one half EUROPE the Netherlands, Germany, Russia or the United Kingdom in the The fast and reliable ICT infrastructure found in much of Europe, courseof EU Memberof their investigations. States identified Moreover, infrastructure approximately or suspects one third in particularly Western Europe, is exploited by cybercriminals found links to Austria, Belgium, Bulgaria, the Czech Republic, to host malicious content and launch attacks on targets both France, Hungary, Italy, Latvia, Poland, Romania, Spain or Ukraine. of global malicious URLs (i.e. online resources that contain OCEANIA redirectsinside and to outside exploits of orEurope. host exploits The EU themselves).hosts approximately Of these 13% the

Germany, the UK and Portugal make up much of the remainder. tables related to cybercrime including global bot populations, Germany,Netherlands the accounts UK, the Netherlands, for the most France significant and Russia proportion also feature while ransomwareAustralia retains detections a presence and in a as number a source of industryof network top attacks 10 league177. Other than this, Oceanic176 countries do not feature prominently in domains globally . Italy, Germany, the Netherlands, Russia cybercrime reporting or in EU law enforcement investigations. andas significant Spain are also hosts170,171 some for of both the C&Ctop sources infrastructure for global and spam phishing172,173. However, the ccTLD for the Micronesian island of Palau features as the TLD with the second highest proportion of its domains used for phishing; being heavily abused by Chinese phishers . 178

http://blog.trendmicro.com/

166 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ , 2015 167 Symantec, 2015 Internet Security Threat http://internetidentity.com/wp- Report, security_response/publications/threatreport.jsp, 2015 , 168 APWG, Global Phishing Report 2H 2014, http://www.pandasecurity.com/ content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdfhttps://www.european-atm- 2015 174 Panda Labs, Annualhttp://download.microsoft.com/download/7/1/ Report 2014, 169 EAST, European Fraud Update 02/2015, http://blog.trendmicro.com/ mediacenter/src/uploads/2015/02/Pandalabs2014-DEF2-en.pdf, 2015 security.eu/east-publishes-european-fraud-update-2-2015/, 2015 175 Microsoft SIR v18, 170 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, A/71ABB4EC-E255-4DAF-9496-A46D67D875CD/Microsoft_Security_http://blog.trendmicro.com/ 171 trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ Intelligence_Report_Volume_18_English.pdf, 2015 , 2015 176 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, 172 Symantec, 2015 Internet Security Threat Report,http://blog.trendmicro.com/ 177 trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ security_response/publications/threatreport.jsp, 2015 , 2015 losses-amplified-need-for-cyber-attack-preparedness/Trend Micro, 2014 Annual Security Roundup, Symantec, 2015 Internet Security Threat http://internetidentity.com/wp- Report, 173 trendlabs-security-intelligence/2014-annual-security-roundup-magnified-http://www.symantec.com/ security_response/publications/threatreport.jsp, 2015 , , 2015 178 APWG, Global Phishing Report 2H 2014, Symantec, 2015 Internet Security Threat Report, content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdf security_response/publications/threatreport.jsp, 2015 2015 60 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

CYBERCRIME HEAT MAP

The heat map below highlights the countries and jurisdictions and/or infrastructure. This data relates to both cyber- dependentwhere EU cybercrimecrime and cyber-enabled investigations fraud have and identified does not offenders include investigations into online child sexual abuse.

With the exception of investigations that led to the US, UK and Germany, fewer than one third of investigations led to an MLAT alternaterequest being means submitted of data sharing, to the country the responsibility identified as of the requesting location orof anproviding offender assistance or criminal falling infrastructure. to another jurisdiction Whether this (including reflects the one in question) as part of a coordinated multi-jurisdictional is unclear. operation, or simply a lack of confidence in the MLAT system THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 61 62 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

GENERAL OBSERVATIONS

Cybercrime is becoming more aggressive and confronta- tional. The evolution of cybercrime reported in this document several EU Member States and non-EU cooperation partners, co- shows that there is a shift from hidden, stealthy interventions by locatedJ-CAT is aat standing Europol operational headquarters team and of cybercomplemented liaison officers with from EC3 highly competent hackers towards direct, confrontational con- staff. It is tasked to conduct, as a team, the most important and tact between the criminal and the victim, where the victim is put complex cybercrime investigations, in close cooperation and coordination with the cybercrime divisions of the seconding demands. This is seen in cases of extortion with DDoS attacks, in theunder deployment considerable of ransomware, pressure to complyand in sextortion. with the perpetrator’s It is also ex- pected in relation to breaches of sensitive personal data, such as States. It serves as an impressive example of efficient and dating sites. The psychological impact on victims is much stron- Theeffective effect global of the cooperation positive results in fighting is witnessed cybercrime. in an even stronger ger due to the brutal confrontational manner in which the victim willingness of partners from law enforcement, the private is coerced. It can be likened to the difference between a burglary sector and academia to contribute and cooperate. This report where the victim detects afterwards that things have been stolen, mentions the changes in reporting data breaches and working versus an armed robbery where the victim is forced to hand over with law enforcement by victimised companies. The same personal belongings to the criminal. The shift of crime type also suggests a change of perpetrator responsible for such crimes. law enforcement the need for a truly international orientation The traditional, technically skilled hacker is unlikely to match hasapplies also tobecome victims more in the obvious. financial sector and e-commerce. For of any technical competence. The aggressive confrontation of victimsthe profile is rather for the the types trademark of extortion of traditional that require crime muscles groups instead and and were handled in the best way possible considering the organised crime gangs that are apparently increasingly turning constraints.Despite these These successes, included: the known difficulties remained

¡¡ the lack of judicial cooperation possibilities with several to the profitable business of cybercrime. Law enforcement has convincingly demonstrated its countries outside the EU (Eastern European States, including competence in dealing with cybercrime. It has achieved great Russia and countries in Southeast Asia); successes in the past 12 months, yet it is fair to state that none of those would have been possible without close cooperation ¡¡ and collaboration with international law enforcement partners with private sector parties. For investigations, the use of and private industry. Such levels of engagement are not simply theinefficient JIT framework information has proven exchange helpful processes, in the sense in particular that the advantageous, they are paramount. Fighting cybercrime is a MLAT procedures are not required between the co-signatory shared responsibility and one that cannot be shouldered by law countries; enforcement alone. ¡¡ unclear or unaligned legal frameworks within the EU, in An important factor is the alignment of operational activities at particular in regard to the application of various coercive EU level as part of the EMPACT policy cycle. This has contributed measures, undercover work, data retention, online detection, substantially to the better focussing of law enforcement attention lawful interception, decryption, operational involvement and to jointly investigate and arrest key targets. of private sector partners in takedowns and the (lack of) regulation of virtual currencies. The newly established Joint Cybercrime Action Taskforce (J-CAT) was involved in several of the operations outlined in this The impact of investigations can be increased by well- considered tactics. In order to effectively tackle cybercrime, it is assessment and contributed significantly to the successes. This THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 63

worth considering taking a revised approach. For example, while Moreover, cybercrime investigations are often complex and resource intensive. Law enforcement therefore must be affecting EU citizens may seem the obvious response, there granted the latitude it requires in order to conduct long-term, istargeting no shortage those of developing skilled coders the current,willing and high-profile able to take malware their comprehensive investigations for maximum impact without place. Therefore although such a course of action may result in undue pressure to obtain rapid results or arrests. convictions, it may ultimately have limited long-term impact on the cybercrime community. However, many law enforcement agencies are restricted, and in some cases legally required, to criminals, however. Investment in prevention and protection investigate such cases which demand both time and resources. initiativesThe fight against is also cybercrime essential andmust can encompass guard against more than many catching facets of cybercrime at once. Every well-educated and informed child, Law enforcement therefore requires the both the capacity and consumer or organisation is one easy prey less. There will never legal authority to tackle the underlying array of cybercriminals be an end to criminality; therefore a more prudent response is who have enabled that crime to happen and perhaps continue surely to build a solid defensive foundation. to do so. Crime-as-a-service acts as a multiplier for many facets of cybercrime. Services such as bulletproof hosting, spam, illegal Further considerations to assess the best tactics for tackling currency exchanges, money mules and counter anti-virus may cybercrime can look at the relationships between attackers and not be the direct subject of a criminal complaint yet may have their targets in terms of technical complexity of attacks, the level been crucial to those offences being committed. Many of these services support a wide range of criminality from malware These have been schematised in the following Cybercrime development to CSE, and often involve a greater human and trust Trichotomy:of protection and the value of the criminal profits per attack. component, making them harder to replace. Similarly, disrupting shared criminal infrastructure can impact on multiple OCGs at once, increasing their costs and effort to operate.

CYBERCRIME INVESTIGATION TRICHOTOMY Profit per Attack

Security / Protection / Awareness

Skill Ceiling

Skill / Trust / Innovation

Volume of Attackers Volume of Victims FOCUS ENFORCEMENT LAW PREVENTION 64 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

skills of the offender can be rather low as long as the vulnerable representations of the volume of attackers by their technical human factor can be successfully addressed to commit the scam The above diagram is a simplified model which aligns in a way that circumvents the technical protection. volume of potential victims by their asset value/security/ awarenesscapability againstlevels. The the model potential generalises profits to of some an attackdegree andas there the are likely to be many exceptions. law enforcement response should be. In the lower part of the diagram,The figure which also suggests represents what the the two most broad appropriate populations and effective of both The red pyramid characterises cybercriminals. Here we recognise cybercriminals and victims, a strategy focussed on prevention a broad base of attackers with a low technical capability who can and protection would be most effective. Such a strategy is more buy access to the skills and tools they lack (crime-as-a-service). suited for reaching larger target audiences and could be effective At this level there is little or no innovation and only existing tools in either preventing novice cybercriminals from becoming and methods are used. As skill levels increase, so do the levels of further engaged in cybercrime, and in raising awareness of online innovation and with it the trust requirements for cybercriminals security amongst potential victims. Progressing up the diagram, to work increasingly collaboratively. Finally at the top of the prevention strategies will become less effective as cybercriminals pyramid there resides the smaller group of highly-skilled are likely to be more steadfast in their activities and potential individuals that exist within tight circles of trust and where the victims require less education and personal investment in online true potential for innovation lies. This pyramid also highlights security. A suitable law enforcement response therefore must the skill ceiling from where cybercriminals can no longer include increasingly traditional investigative measures. buy progression but must evolve and develop their own skills and specialisations. Cyber security is lagging behind. Although solutions for many of the exploited vulnerabilities are available, the delay The blue pyramid represents victims (citizens/organisations/ in implementing the remedies or even the absence thereof businesses). Here it is assumed that there is again a broader contributes to the ease with which malware can be re-sold and base of victims who lack the technical competence or security re-used successfully, even by technically unskilled criminals. An increased awareness of the importance and preventive impact smaller number of potential victims who have achieved a high of sound digital hygiene should be envisioned. Also the lack of levelawareness of security required and toare sufficiently therefore harder protect to themselves target. It is and also a security orientation in the design of new devices that in one way protectionassumed that therefore the value also ofincreases. the victim’s assets at risk increases towards the top and that the victim’s willingness to invest in a general rule it is assumed that the more sophisticated the technicalThe green competence pyramid represents of the attacker potential is, and profits the more per valuable attack. the As

Thevulnerable diagram assets can be of readthe victim horizontally are, the across higher the the three profit categories. will be. The high number of attackers with low technical skills are likely to only be able to target the victims with poor security awareness. sophisticated and organised attackers are able to pursue higher- valueSuch attacks targets arewho likely typically to be have less profitable.greater security Conversely, in place. the more

Interestingly, the model also shows why CEO fraud can be perceived as an exception to the rule. Whilst the technical security in place for high-value targets may be high, the technical THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 65

or another operate in connection with the Internet, has a major with the operators running the major global nodes? The local ISP? impact on cybercrime. The vulnerabilities of these have already Or is the Tor Project eventually responsible? Is it maybe a shared responsibility? More importantly, what are these entities doing to prevent the Tor network from being abused by criminals to mask theturned industry, these theso-called introduction ‘smart ofdevices’ minimum into security important requirements facilitators their identities while exploiting the anonymity for their online shouldof botnet be attacks. considered In the by absence the legislator. of proficient Similar self-regulation measures in the by criminal activities? What policies do those entities enforce to automobile industry have had a huge positive effect on the safety safeguard the virtues of Tor for genuine freedom of speech? What of cars. For the various partners in law enforcement, the private measures are they taking to discharge themselves responsibly of sector, the Internet security industry, NGOs and education, there their respective obligations to contribute to a safe Internet? And if is the continued obligation to create awareness on developing cyber security risks so that citizens and businesses can protect for the damage caused and liable for the losses suffered? their IT assets and communication devices properly. they don’t take any measures, can they then be held accountable The right to privacy is gaining ground at the expense of the There is an increasing eagerness to transfer the losses right to protection. This is seen in the context of data retention resulting from cybercrime. In regard to payment fraud it of Internet communications and was especially highlighted in was mentioned previously that EMV technology on payment recent discussions on encryption. The revelations on electronic cards is expected to be introduced in the USA in autumn this mass surveillance seem to have shifted the balance towards year. Interestingly, this EMV implementation is linked to the transfer of liability for fraud-related losses from card issuers to possibility to interfere with their privacy. The result is that law maximising the individual’s protection against any governmental development and sales of insurance products to mitigate the citizens against the intrusion of their privacy against hacking, riskmerchants. of cybercrime With cybercrime-inflicted are likely to grow furtherdamages in onthe the future. rise, Thethe theftenforcement of sensitive services personal have data increasing and other difficulties types of cybercrime, to protect because any trace or evidence of such criminal activities are that the height of the insurance fee may become dependent on probably not retained and if retained, are increasingly more thepositive security influence precautions that could taken. derive As such, from the that cost development of cybercrime is will eventually end up as an expense to be balanced against as if these rights are confused here, and therefore it is worth the investment in cyber security. By whom that expense will be citingdifficult Article to access 12 of due the to Universal sophisticated Declaration encryption. of Human It may appearRights, borne is a different, more complicated question for which the which should serve as the basis for the legal principle: answer will heavily depend on the willingness of the legislator to tie liability to responsibility. Are the manufacturers of ‘smart No one shall be subjected to arbitrary interference with his privacy, family, home criminals? Does the legislator want those manufacturers to take or correspondence, nor to attacks upon his liabilitydevices’ for liable failing for to damages include security resulting into from the easy equation breaches of their by honour and reputation. Everyone has the product development? right to the protection of the law against such interference or attacks. Responsibility should also be considered in relation to data processing. And especially in this respect there are several The essential difference between hackers intruding the privacy questions pending: for instance, who is responsible for facilitating of citizens to commit crimes, versus law enforcement having competences to gain lawful access to the communication data known to facilitate trade in weapons, drugs, payment credentials and the content of communications of that hacker in relation andnetwork counterfeit traffic to documents, and from .onion and theaddresses, exchange in particularof child abusethose to that crime, is the word arbitrary in the cited Article. It is up material? Is this ICANN? They claim they never issued any .onion to the legislator to ensure that conditions and modalities under extensions. Is this the IETF then, whose architecture of the which law enforcement can be explicitly authorised to intrude Internet still supports the processing of domain names that were systematically observed and audited. However, excluding law and do not process any data. Or does the responsibility then lie enforcementthe privacy offrom suspects gaining are access clearly under defined any and circumstance, confined, and de not officially issued? But they just deal with the technical design 66 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

jure or de facto, will neither help to protect the privacy of citizens nor hold in the long run. traditional high-volume crimes, like burglaries and shoplifting, tech-savvy criminals, and profits are still attractive. Now, where The speed at which society and crime ‘cyberise’ exceed modern types of simple high-volume crimes, like the use of are dealt with in the first instance by local police services, the the speed at which law enforcement can adapt. The overall stolen payment credentials for online shopping, are often too development in which the society becomes increasingly complicated for the local police to deal with. Often, they also lack dependent on the Internet has many implications for policing, the geographical relation to the area to make it relevant for the both in terms of opportunities and challenges. Collecting local constabulary. Hence, the cyber-related high-volume crimes evidence in relation to a murder is likely to involve forms also end up with the more specialised cyber divisions that are of digital evidence. Mobile devices, CCTV footage, board computers, cloud storage, online purchases and virtual currencies can all contribute to establishing the whereabouts, Thenot resourced third development to deal with worth this considering influx. in this context is that the abuse of technology to mask and hide crimes, including obfuscation and encryption, becomes so easy for the non-tech- chancescontacts ofand solving financial crimes, transactions also those of that the are victim not thatrelated may to lead any savvy criminals, that advanced forensic skills and tools need to formto finding of cybercrime. the killer. Knowing It will, however, the possibilities put increasing will increase pressure the be developed constantly so that law enforcement can stay in on the computer forensic capabilities to keep up with the the race. increasing workload. These considerations call for continued prioritisation of training In addition, there is a continuous shift from traditional crimes to and resourcing of cyber capabilities at all levels of policing, both cybercrime, especially since CaaS makes it easy to access for non- technically and in staff quantities. THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 67

APPENDICES A1. THE ENCRYPTION DEBATE

It is axiomatic that if criminals have a means of communicating, governments wish there to be a means by which only targeted which law enforcement agencies cannot understand, then it is a serious impediment to both detection and investigation. The main focus for the debate around this topic has been the Thiscriminals’ sentiment communications was perhaps can best be deciphered, summed up under by aappropriate statement use of encryption by criminals: encryption that is so powerful madeoversight by the such UK as Prime the needMinister, for theDavid issuing Cameron: of specific warrants. that it is impractical to decipher any communications using these techniques. It is understandable that governments are “Do we want to allow a means of communica- expressing concern about their ability to both protect people tion between two people which even in extre- from criminal and extremist behaviour, and to bring those mis with a signed warrant from the home sec- responsible to justice. retary personally that we cannot read?

The most simplistic approach to the situation is to make the My answer to that question is no, we must not. The first duty of any government is to keep our of electronic interactions. This is based upon the argument that country and our people safe.” onlyuse ofcriminals encryption would illegal wish for anythingto use encryption. other than The a specific corollary set is that law-abiding citizens have no need (or desire) to secure Whilst this is a sentiment with which many, if not most, would their communications, and that the desire for privacy is not an agree, the problem is in the detail of how this is implemented. acceptable end in itself. However, most appear to now accept that The possible means of achieving such a situation have been may be misused at some future point. Governments change and when several countries were attempting to deal with encryption theis logic reason is flawed. for the Data initial collected action by may mass not surveillance, be that for ifwhich retained, the whilstdiscussed introducing many times legislation and were towell cover rehearsed investigatory in the late powers. 1990s The reasons these mechanisms were rejected then remain valid today. In summary they are: Especiallydata is subsequently in the wake used, of in the addition information to any ‘missionleaked by creep’. Edward Snowden, and the associated allegations of mass surveillance, OUTLAW ENCRYPTION FOR GENERAL USE: there is greater concern among the wider population about privacy from government, as well as perhaps from the private This is a technology that governments can no longer control. sector: this is illustrated by the Eurobarometer data. It is argued Unlike weapons of mass destruction, there is no large that privacy is a fundamental human right, as stated in Article 12 infrastructure needed to produce and distribute encryption of the UN Universal Declaration of Human Rights: technology. The technology is already widely and freely available. Trying to put it under control now would be No one shall be subjected to arbitrary impractical. In any event, even if legislation were passed in interference with his privacy, family, home all EU Member States to outlaw encryption, and the wider or correspondence, nor to attacks upon his population abided by this, it would not stop criminals using honour and reputation. Everyone has the the technology. It would have the unfortunate effect of making right to the protection of the law against such those who abide by any such law more vulnerable to the very interference or attacks. criminals who it is designed to handicap. This is exacerbated by the fact that if the EU Member States were to pass such a Many governments agree, but point out that this is a right to law, there is no guarantee that other countries would do the same. As organised crime is often committed across borders, it privacy. Rather than a desire for arbitrary surveillance, some would be another dimension in which to frustrate the detection be protected from “arbitrary” interference with a person’s 68 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

and prosecution of criminals, not least via arguments about the propriety of mutual legal assistance. using, say, TrueCrypt. However, increasing use is being madeencrypted of communications email using, say, services PGP or thatan encrypted can be both file Trying to restrict the distribution of encryption software is end-to-end encrypted, and are ephemeral. As a direct impractical. Even if one could prevent it leaving a country once response to the concerns raised by the allegations of mass produced there is nothing to stop the ideas travelling and being surveillance by the US and UK governments, companies re-implemented in another country. We saw exactly this happen with international users have sought to reassure them with PGP when the US government attempted to control its by constructing systems where even the service provider distribution outside of the US: it was simply reincarnated as PGP cannot decrypt the communications as they pass through International. their infrastructure: the key is known to no-one except the participants of the interaction. It may be possible to enforce a blanket ban on encryption. If all the Internet service providers established technology to detect and 2. The practicalities of ensuring that all encrypted communications are using a key that has been placed in communications into, out of, or within a country. However, escrow are, to all intents and purposes, insurmountable. attemptingblock encrypted to differentiate traffic it would between be impractical legitimate useto use of encryption encrypted It would only be when the authorities come to attempt to and that being used by criminals would be a non-trivial task, decrypt some criminal communications that they would discover that they did not have access to the key after all. It would also be relatively easy to circumvent by using virtual If this were to work, an infrastructure would need to be privateand likely networks, to be flawed Tor, or unless some all similar providers mechanism. did exactly the same. developed that enabled only those communications for which a key was in escrow, and to block all others. We do It also does not address the problem of using steganography. It not believe this is possible. is perfectly possible for criminals, again using widely and freely available technology, to disguise communications, and to encrypt 3. Recent history has taught us that connected databases are those communications. Likewise the use of dead letter box style prime targets for hackers. There is a real danger that any email accounts and similar covert means of communication datastore could be compromised by hackers, which would would go undetected. lay anyone who has placed their keys in escrow open to abuse by criminals. The massive breaches on the US In the modern world we are increasingly dependent upon the Internet yet it was never designed to be a secure network. others, demonstrate that both government and private Layering encryption on top of the Internet is currently the trustedOffice of third Personnel parties Management are not immune and DigiNotar,from compromise, amongst with devastating results to trust in government as well as authenticity of our Internet based interactions. practical consequences for some individuals thus harmed. only practical means of ensuring confidentiality, integrity and There is also the very real danger of intentional misuse KEY ESCROW: internally or simple incompetence leading to a breach.

It was mooted early on in the debate that anyone using encryption The cross-border nature of modern organised crime means that a law enforcement agency in one country may need to a government agency or possibly a trusted third party. If an 4. apply to another government to retrieve a key. This would authorisedshould be obliged agency to then file a needed copy of totheir decrypt encryption communications key with either the require international agreement. Whilst this is entirely possible amongst the EU Member States, and possibly with this approach: key could be retrieved. There are several significant problems see how this might work across less friendly borders. 1. between other like-minded governments, it is difficult to the encryption key is changed for every new interaction. ThisModern is obviously encryption not typically the case employs for something ‘forward such secrecy’: as THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 69

WEAKENED ENCRYPTION: OBLIGATION TO DISCLOSE:

Many have suggested that only encryption which law enforcement This appears to be the only practical method of handling encryption where the keys are held by individual users. Rather that this might be through the use of, for example, a weakened like refusing to take a breath test to see if you are over the drink algorithm,agencies can restricted ‘crack’ shouldkey lengths be allowed. or the inclusion It has been of a back suggested door. driving alcohol limits, it is possible to make it an offence to All of these have the same issues: if you weaken encryption for disclose an encryption key that allows law enforcement agencies your enemies, you do so for your friends. It no longer takes vast to examine encrypted data. This has the advantage of enabling computing facilities to break weakened encryption, nor would a criminal to be prosecuted if he reveals his encrypted data or refuses to do so.

Theit take security a determined community group has of criminals been imploring long to findusers a back to ensure door. Internationally there are some courts that have been asked to they use the latest encryption and extend their key lengths, consider such an action as tantamount to self-incrimination. precisely because the arms race between encryption and the ability of computing power to break it is continuous. Organised as part of criminal investigations. However, on the whole it has been seen by the courts as justified best technologists in the world so it would naïve to assume that Unfortunately, this tends to be effective only when data remains governmentscriminals have would access enjoy to significant any form financesof advantage and somein breaking of the deliberately weakened encryption. especially if they are system generated, it can be practically impossibleon the suspect/criminal’s to recover these. computer. This is then If the compounded keys are transient, by the fact that the communication itself may be transient and not to introduce the Clipper chip, which had a backdoor. It was recorded, i.e. even if they key could be recovered, there is nothing This approach was typified when the US government attempted to decrypt unless it has been captured through surveillance and been rendered impractical for all of the reasons discussed above. recorded by the law enforcement agencies. announced in 1993 and was totally defunct by 1996 as it had The use of weakened encryption has a long-term impact as well. As mentioned above, this situation is complicated by the A recent vulnerability in Transport Layer Security (TLS) was re-architecting of communications services for the likes of discovered where hackers were able, in some implementations, to WhatsApp, iMessage, Facebook and Facetime, and the email services provided by Google and Yahoo, by enabling end-to-end which was breakable by modern computers. Once such encryption. weakenedforce an encrypted encryption link enters to use anthe older wider ‘export’ environment, grade encryption in order to maintain compatibility, especially backward compatibility, If there were a practical place where encryption could be it has to be always possible to request that an interaction uses tackled, it would be through achieving agreement with these the weaker form of encryption: there will always be someone service providers to implement security architectures that did who is still using it and the way in which these interactions are not enable end-to-end encryption; if the communications were established (between those who may not have communicated encrypted from each participant to the service provider but before) means that the initial dialogue moves to the lowest be possible for law enforcement agencies to present a suitable disclosed, the applications that use them are very complex and warrantpotentially to readreadable the communications. on the service providers’ systems, it would common denominator. Whilst these flaws are blocked off when upon legacy weakened encryption. It would appear to compound The issue that service providers have expressed is that their theit is issuealmost by inevitable reintroducing that newlyfurther weakened such flaws encryption. will emerge based to know which law enforcement agencies they should cooperate with.users Theare companiesinternationally providing based, these and servicesthey would are predominantlyfind it difficult US based and their users have expressed concern that the US and its allies would be able to use such an architecture to conduct 70 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

A2. AN UPDATE ON CYBER LEGISLATION mass surveillance. Similarly a US based company might be placed in an invidious position if law enforcement agencies from unfriendly countries made such requests, perhaps for politically law.The Without 2014 IOCTA criminal emphasised legislation thatthe hands it is of essential law enforcement for law motivated surveillance. agenciesenforcement are bound to closely – and observe without developments adequate procedural in the law, field the of prosecution of high-tech offenders can be close to impossible. It was this dilemma that resulted in the introduction of end-to-

UPDATE 1: EU CYBERCRIME LEGISLATIVE Theend encryptiondebate currently in the underwayfirst place. is one that quite rightly is being FRAMEWORKS held in public. Whilst most would agree with the sentiments Since the publication of the last IOCTA, the European Union communications, the dilemma is the negative impact of the ways has not introduced a new legislative framework to harmonise of wanting their law enforcers to have access to criminals’ of data is missing from the debate: the scale of the problem. Whatin which is currently this would not be in achieved.the public However, domain is one the significant degree to which piece EUthe Directive cybercrime on legislationAttacks against of the Information Member States.Systems However,. Article 4 criminal detection and investigation is being hampered by the September 2015 is an important date with regard to179 the 2013 use of encryption by criminals. and administrative procedures in line with the requirements of16 thatrequires Directive Member by thatStates date. to bring With their regards legislation, to criminalisation, regulations It would seem that if a proper public debate is to be forthcoming, if legislators are to be trusted in what they wish to place into Convention on Cybercrime, which was implemented by most law, and if decisions on what inevitably will be compromises in EUthe DirectiveMember doesStates; not therefore go beyond the the chances 2001 Council of an ofEU-wide Europe security and privacy are to be evidence based, it is important that transposition of the Directive are high. not all members of the public. EC3 will be asking Member States ifthe they problem will cooperate is quantified in providing in a way thatthe data earns to the enable trust the of mostnature if UPDATE 2: COUNCIL OF EUROPE CONVENTION of the problem (current and future potential) to be established. ON CYBERCRIME

By August 2015, the number of ratifications/accessions to the Europe.2001 Council Outside of Europeof Europe, Convention Australia, on Canada, Cybercrime the Dominican increased Republic,to 47 countries, Japan, including Mauritius, eight Panama, non-members Sri Lanka of and the the Council United of

ongoingStates are process listed with as an non-Member average of more States than that three ratified countries the joiningConvention. per year. The Someratification of the offastest the Convention growing and worldwide most relevant is an economies outside of Europe, such as the BRIC countries (Brazil, Russia, India and China), with which European law

179 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 71

enforcement agencies frequently deal, have not yet been invited to accede to the Convention. Involvement of those Member State in its national law. Despite different national approachesand prosecution within of the serious transposition crime, asprocess defined of the by Directive, each EU law enforcement cooperation. especially with regard to the duration of retention, it was an countries would be a significant advantage for international interesting legal harmonisation foundation.

UPDATE 3: DATA BREACHES declared the Directive invalid . The Court concluded that the Data breaches remain a major challenge and are certainly one retentionHowever, ofon data 8 April as required 2014, the by181 Europeanthe Directive Court may of be Justice considered (ECJ) of the fastest moving forms of what is widely seen as criminal to be appropriate for attaining the objective pursued, but the wide-ranging and particularly serious interference of the were obtained by attackers. CareFirst, Kaspersky Lab, Premera BlueCross,activities. During Harvard the University first half andof 2015, the US millions Government of data were records just circumscribed to ensure that that interference is actually limited a few prominent victims of this type of attack. Unchanged since toDirective what is with strictly the necessary. fundamental In this rights respect, at issue the is Directive not sufficiently did not comply with the principle of proportionality. As a consequence, this type of offence – one that includes the criminalisation the Member States are no longer bound by the Directive. National ofthe trading 2014 IOCTA, compromised a strong, identities harmonised – is legalstill approachabsent in towardsEurope. provisions implementing the Directive are nonetheless not

among EU national data retention provisions. The reactions of identityNeither thetheft 2001 and theCouncil related of Europetransfer Convention of identities. on Consequently, Cybercrime, Memberautomatically States invalid, have variedwhich leadvery to much very significantfrom one another. discrepancies Some thenor theprosecution existing EU of legislativesuch activities approaches depends specifically on the existence criminalise of States have annulled their transposing legislation (e.g. Austria, national legislation. Belgium, Slovakia and Slovenia), some have not changed their legislation since the ECJ ruling (e.g. Ireland, Spain and Sweden) and some, such as the United Kingdom, have reacted drastically UPDATE 4: INVALIDATION OF DATA RETENTION by enacting a new legislation providing for a new legal basis for DIRECTIVE data retention by service providers . 182 Generally, Member States are waiting for the EU to adopt a new law enforcement agencies, especially when it comes to the Directive. However, it is currently uncertain whether and when Access to traffic and location data is of great relevance for the European Union will adopt a new legal instrument on this of legislation with regard to the process of retaining such data issue. It is clearly unlikely to happen very soon. identification of perpetrators. The basis of the harmonisation. It contained an obligation for the providers of publicly180 wasavailable for some electronic years communications the 2006 EU Data services Retention or of Directive the public investigations is defended by law enforcement agencies and prosecutors.The usefulness It is of true traffic that dataaccessing and locationdata after data the forcommission criminal location data and the related data necessary to identify the of the offence, when it was not retained originally by service subscribercommunications or user networks for the purpose to store of data, investigation, i.e. traffic detection data and

providers, ECJ, Digital may Rights be Ireland more and difficult Seitlinger or and impossible Others case, Joinedif the Cases data was

180 withDirective the provision 2006/24/EC of publicly of the European available electronicParliament communications and of the Council services of 15 181 March 2006 on the retention of data generated or processed in connection C-293/12 and C-594/12, 8 April 2014 182 Court,The Data The Retention Queen v. Theand SecretaryInvestigation of State Act for(2014) the Home was declared Department invalid. on or of public communication networks and amending directive 2002/58/EC, 17 July 2015 by the High Court of Justice Queen’s Bench Division, Divisional OJ L105. 72 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

A3. COMPUTER CRIME, FOLLOWED BY CYBERCRIME FOLLOWED BY …. ROBOT AND AI CRIME? AN OUTLOOK INTO CRIMINAL OFFENCES RELATED TO ARTIFICIAL INTELLIGENCE

and the increasingly rapid advances in and application of It is currently difficult to say if the ongoing process of automation opportunity for law enforcement – the underlying problem from artificial intelligence (AI) present more of a challenge or an deleted in the meantime. Indeed, law enforcement agencies underline that the effectiveness of their work relies increasingly a crime development perspective was already briefly addressed on the availability of data that is already collected, retained and in the 2014 IOCTA. made available by the service providers in a lawful manner. 183 – if In particular, investigations related to serious crime typically Artificialit is possible intelligence to overcome and Big legitimate Data analysis concerns have therelated potential to data to require a more long-term approach as they may be longer than provideprotection significant and fundamental input to thehuman work rights. of law However, enforcement as with all the average time of any other criminal investigation. new developments, there is potential for abuse as is evident, for instance, in the increasing number of targeted attacks against The magnitude of the impact of the ECJ ruling on investigations automated systems, such as modern, computer-controlled cannot be understated as the detection and investigation of factories.184 cyber-enabled and cyber-facilitated crime relies extensively example of the capability of such attacks.185 Taking into account on the collection and analysis of telecommunications data. that AI is ultimately Stuxnet awas complex certainly automated only the system, first widely the threats discussed are At least seven Member States stated that their data retention applicable to AI systems as well. Therefore the current situation regime provides for up to six months of retention. Member can be aptly described as a combination of both opportunity and States expressed that the inability to access case-relevant challenge. cybercrime investigations, leading to unsuccessful investigations In addition to the need to address the recent challenges of intelecommunications areas such as computer data has intrusion, affected hacking a significant and child part abuse.of recent automation and AI it would be worthwhile to look a few years ahead with a view to trying to predict the impact of realistic As criminals are increasingly using the Internet and/or and more mainstream AI applications on the work of law technologies at their disposal, data retention is certainly an enforcement186 interesting means to gather information on typically Internet- immense potential for new services and innovative products. related crime such as computer intrusion, hacking and child . Artificial intelligence is an area that offers pornography online.

In addition to the retention period and from a more practical 183 Cardenas/Amin/Lin/Huang/Huang/Sastry,Alzou’bi/Alshibly/Ma’aitah, Artifical Intelligence Attacks in Law Against Enforcement, Process ControllA Systems:Review, International Risk Assessment, Journal Detection, of Advanced and InformationResponse Technology, Vol. 4, No. 4 perspective, service providers often take a dysfunctionally long 184 time to satisfy the request. Five Member States reported that a Natanz Enrichment Plant?, Institute for Science and International Security, typical waiting period was more than one month. In addition, 185 Albright/Brannan/Walrond, Did Stuxnet Take Out 1.000 Centrifuges at the there is little standardisation in the format of the response. Some The22.12.2010; Suxnet Computer Broad/Markoff/Sanger, Worm: Harbinger Israeli of anTest Emerging on Worm Warfare Called CrucialCapability, in States indicated that data may not be provided in electronic Iran Nuclear Delay, The New York Times, 15.01.2011; Kerr/Rollins/Theohary, format, which leads to a waste of resources spent on the collation For2010; a discussion Timmerman, on theComputer application Worm of Shuts AI in theDown context Iranian of theCentrifuge objectives Plant, and interpretation of hard copy data. Newsmax, 29.11.2010 186 autonomous weapons systems, and purposes of the Geneva Convention, specifically in relation to lethal http://www.unog.ch/80256EE600585943/ THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 73

The success of AI-based systems in beating humans at playing responses. However, this topic is far away from being visionary video games by applying deep learning and deep reinforcement as the integration of computer and network technology in cars learning underlines, in a very illustrative way, the progress of this 187. The fact that the AI system was able to quickly pick up the this issue to the attention of a wider public194 rules of the game without being taught in advance attracted a lot continuestried to stop at the high publication speed. Already of research back onin how2002 to Forbes hack anti-theft brought field 188. Other visible systems195. And Wired reported about potential. In 2013 and Volkswagenreal attacks 196. This is of course not limited to smart cars testsattention with even self-driving outside thecars scientific189 or the community successful Turing test in but applies to smart devices in general. signs of the integration of AI are for example Google’s successful in 2014 and in 2015 history190. What may sound like a nightmare vision to some The practical relevance of these developments for law is2014, hope which for major was seenprogress as ain major road breakthroughsafety to others. in Similar computer to enforcement is primarily related to the ability to prevent such crimes and to have the forensic capabilities to investigate them. The advantage is that these attacks are covered by up-to-date ‘airbags’ and ‘Collision Prevention Assist’, self-driving vehicles legal systems. With regard to the potential impact there are sixcould years lead of to the a project,decrease more in traffic than aaccident-related million miles of injuries self-driving and certainly differences between hacking a desktop computer and carsfatalities. had Google’sbeen involved monthly in report12 minor for Mayaccidents 2015 indicates– none of that, them in a computer system in a car – however, from a legal point of view, caused by a self-driving car191. both are quite similar.

It would be naive to believe that these developments will not Therefore it might be worth looking ahead to the developments have an impact on society by introducing a number of potential that we could expect in the coming years. One issue that could challenges. For example, some statistics indicate that ‘truck become a true challenge for law enforcement is the involvement of AI-based machines in the commission of crime. Machines are United States.192 Recent reports predicting that self-driving already widely used to automate production processes197. This trucksdriver’ are remains only two the mostyears commonaway could job have in 29 a outtruly of disruptive 50 of the has also led to automation-related accidents and incidents, a impact on this market193. car manufacture company in Germany, which stimulated a public When thinking about law enforcement implications, the debaterecent 198example being the case of a worker ‘killed’ by a robot in a

. Unfortunately this is not the first 199time. And, that as somebody old, is the discussion Mnih/Kavukcuoglu/Silver/Rusu/Veness/Bellemare/Graves/Riedmiller/ about ‘hacked’ cars might be one of the obvious debatelost his about life due legal to anda malfunction ethical implications. of a robot – the first reported Fidjeland/Ostrovaski/Petersen/Beattie/Sadik/Antonoglou/King/Kumaran/ incidents were filed more than 30 years ago 187 Wierstra/Legg/Hassabis, Human-level control through deep reinforcement But the relevance of the debate might quickly change. While

learning, Natur, 2015 188 KMPG,McMillan, Self-driving Google’s AICars: is now The smartNext Revolution, enough to playhttps://www.kpmg.com/US/ Atari like the Pros, Wired en/IssuesAndInsights/ArticlesPublications/Documents/self-driving-cars-Magazine, 2015 Volkswagen sues UK university after it hacked sports cars, The Telegraph, 189 next-revolution.pdf 194 Fahey, How to Hack Your Car, Forbes, 7.8.2002 University of Reading, Turing Test Success Marks Milestone in Computing 195 Greenberg, Hackers could take control of your car. This device can stop them, History, , 2012 30.7.2013 190 aspx 196 http://www.reading.ac.uk/news-and-events/releases/PR583836. Singh/Sellappan/Kumaradhas,Wired 22.7.2014; Greenberg, Hackers Evolution remotely of Industrial kill a jeep Robots on the and highway their – Balance, 2014 Sheet Solutions, Weekly Relative Value, http://www. Applications,with me in it, InternationalWired, 21.7.2015 Journal of Emerging Technology and Advanced 191 Google Self-Driving Car Project, Monthly Report, May 2015 197 192 Prigg, Self-Driving trucks are just two years away says Daimler as it is setbalancesheetsolutions.org/stored/pdf/WRV062915.pdf to get go-ahead for trials on German roads within months,, 2015 Daily Mail, Engineering, Vol. 3, Issue 5, 2013 193 198 Robot kills worker at Volkswagen plant in Germany, The Guardian, 2.7.2015 199 Dennet, When HAL Kills, Who’s to Blame? Computer Ethics, in Stork, Hal’s 27.07.2015 Legacy: 2001’s Computer as Dream and Reality, 1997 74 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015

the malfunction of a machine can rather easily be handled as an ¡¡ The third element that will need to be further discussed accident that does not require intensive criminal investigations, is mens rea the increasing use of AI could be a game changer. While a liability and the differentiation between action and omission, concluding discussion would go well beyond the scope of mens rea is ora fundamental the ‘guilty mind’. element Just of like criminal general law aspects202. It ofis this Appendix, four main issues of relevance to the debate ultimately the concurrence of intelligence and violation203. that this is already of practical relevance today can be easily certainly not the traditional understanding of mens rea. The demonstratedshould be briefly by mentioned.the following Before example doing200 so,: an however, AI-based the self-fact applicationThe question of istraditional if this includes criminal artificial law provisions intelligence. to Thiscrimes is driving car is driving along a narrow road with concrete bollards involving AI could therefore go along with unique challenges on both sides. All of a sudden a child jumps right on the street. In response, the AI system may identify several different options. AI or if it is favourable or even essential to apply one legal Without any action or even by performing an emergency stop frameworkand raises the to AIquestion and non if AI-basewe need criminal a specific activities. legal regime for the car would hit the child and may seriously injure or even kill ¡¡ Finally what will be the consequences and penalties that will decide to make a right or left turn. The crash into the concrete be applied? Imprisonment will most likely not be a suitable bollardsher/him. couldTo avoid seriously the collision injure theor evencar’s killAI systemthe passenger. may instead The option. The challenge is not new; within the debate about same or similar situations have been discussed in criminal law criminal liability of legal persons, similar challenges were for decades – with the difference being that it is a human being

discussed. But in this context even applying fines and financial ¡who¡ takes the decision in those conflict situations. Thispenalties brief overview goes along underlines with unique some challenges204. of the challenges for law Who will be made responsible? The hardware production enforcement that might be worth observing already at this early company?The first question The AI software arising is company? the general The question implementer? of liability. This stage. It certainly includes rather philosophical questions like: question, which has been discussed in literature to some Do we expect AI to act better than humans? But ultimately it also extent201, will require further attention, especially with regard includes questions related to the core work of law enforcement: to the required capacities to analyse the underlying reasoning The application of law and enforcement. process – which can be challenging taking into account the complexity of the systems and algorithms.

¡¡ But the challenge for law enforcement is going beyond this. The story about AI beating humans in video games by learning the rules of the game without pre-programming them shows that one essential component of AI is that that the system is going beyond what was programmed. Therefore the differentiation between action and omission will become even more relevant in the future. Not having implemented measures to restrict possible action of AI-based systems could in the future be the focus of law enforcement investigations against manufacturers of such systems. And it might even be

to differing ethical and legal systems. necessary to customise their ‘ethical and legal value system’ Hall 202 ALlewelyn/Edwards, recent report by the Mens RAND rea Corporation in statutory providesoffences, an1955 interesting overview 203 of how, General emerging Principles and future of Criminal Internet Law, technologies 2005 can strengthen the work of 204 law enforcement and the judiciary. In relation to smart or driverless cars, the driverless-car-decide-who-lives-or-dies-in-an-accident- report suggest developing policies, procedures and technical interfaces that 200 Bloomberg,http://www.bloomberg.com/news/articles/2015-06-25/should-a- Should a Driverless Car Decide Who Lives or Dies?, http://www. take into account law enforcement requirements.

201 who-lives-or-dies-in-an-accident- bloomberg.com/news/articles/2015-06-25/should-a-driverless-car-decide- http://www.rand.org/content/dam/rand/pubs/research_reports/RR900/ , 2015 RR928/RAND_RR928.pdf PHOTO CREDITS

Pictures © Shutterstock, 2015, Page 51: © ChameleonsEye / Shutterstock.com

2015 — 76 pp. — 21 × 29.7 cm

ISBN 978-92-95200-65-4 ISSN 2363-1627 DOI 10.2813/03524 Eisenhowerlaan 73 Website: www.europol.europa.eu 2517 KK The Hague Facebook: www.facebook.com/Europol The Netherlands Twitter: @Europol_EU @EC3Europol PO Box 90850 YouTube: www.youtube.com/EUROPOLtube 2509 LW The Hague

The Netherlands QL-AL-15-001-EN-N