The biggest cybercrime threats of 2019 include ransomware, DDoS attacks and online ‘child sexual exploitation material’ (CSEM), according to Europol’s 6th annual Internet Organised Crime Threat Assessment (IOCTA) which was presented this week at the Europol-INTERPOL Cybercrime Conference at Europol’s headquarters.
According to the report, cybercrime is maturing and becoming bolder, shifting its focus to larger and more profitable targets. Distributed Denial of Service (DDoS) was one of the most prominent threats reported to Europol. Many banks report that DDoS attacks remain a significant problem, resulting in the interruption of online bank services and creating more of a public impact than direct financial damage.
Ransomware remains the top cybercrime threat in 2019. Even though law enforcement has witnessed a decline in the overall volume of ransomware attacks, those that do take place are more targeted, more profitable and cause greater economic damage. As long as ransomware provides relatively easy income for cybercriminals and continues to cause significant damage and financial losses, it is likely to remain the top cybercrime threat, according to Europol in their report.
The amount of material detected online by law enforcement and the private sector continues to increase. This increase puts considerable strain on law enforcement resources. One development that could be of concern for online child sexual exploitation is the ongoing improvement of deepfakes. Deepfake technology is an Artificial Intelligence (AI)-based technique that places images or videos over another video.
The amount of online child sexual exploitation material (CSEM) is staggering and continues to increase, according to Europol.
The vast majority of online CSEM is detected on image host websites on the open web, with the Netherlands continuing to be the main hosting country. Offenders keep using a number of ways to disguise online CSEM, making it more complicated for law enforcement authorities to detect such images and videos. Although online distribution of CSEM continues to take place via a variety of platforms, peer-to-peer sharing reportedly remains among the most popular ways for perpetrators to share CSEM. This includes both one-on-one communication and larger groups.
However, dedicated bulletin boards on the ‘Darknet’ are increasingly popular among offenders as a channel for the distribution of CSEM. This is especially the case for offenders with niche interests, including CSEM with infants and non-verbal children and demeaning material depicting torture and severe cruelty against children. More generally, in many cases offenders use encryption and install software to cover their IP address and prevent identification, such as Virtual Private Networks (VPNs) and Tor. According to the report, the dark web remains a key online enabler for trade in an extensive, much wider range of criminal products and services and a priority threat for law enforcement.
Coordinated action with the private sector and the deployment of new technology, including Artificial Intelligence, could help reduce the production and distribution of online CSEM, facilitate investigations and assist with the processing of the massive data volumes associated with CSEM cases, according to Europol.
While ransomware remains the top threat in this report, the overall volume of ransomware attacks has declined as attackers focus on fewer but more profitable targets and on causing greater economic damage. Phishing and vulnerable Remote Desktop Protocol (RDP) services are the primary malware infection vectors.
Both European law enforcement and Europol’s private sector partners confirm a diminishing number of ransomware attacks targeting individual citizens, and more attacks specifically engineered towards individual private and public sector entities. This is also a likely explanation for the apparent decline in the overall volume of attacks.
While targeting specific companies is potentially more labor-intensive and technically challenging, it also means that attackers are able to pitch the ransom for decrypting the victim’s files based on the victim’s perceived ability to pay. For example, there are cases where a company’s encrypted files have been ransomed for over EUR 1 million.
DDoS attacks were one of the most prominent threats reported to Europol by its private sector partners. The most commonly identified DDoS targets in 2019 were financial institutions, and public sector entities such as police or local governments. Other targets included the likes of travel agents, Internet infrastructure, and services related to online gaming.
Interestingly, not only ‘legitimate’ enterprises are targets for DDoS attacks. Anyone familiar with any Darknet market listing service, such as the now defunct DeepDotWeb, will know that markets are typically listed with an ‘uptime’, with the primary reasons for downtimes being DDoS attacks.
Hidden services are more vulnerable to DDoS attacks due to traits associated with the Tor browser itself. In early 2019, the three largest Darknet markets were all under intense and prolonged DDoS attacks, with the moderators of Dream Market allegedly being extorted for $400,000 (EUR 356,000), showing that anyone vulnerable to such attacks and with the means to pay is fair game to a DDoS extortionist.
Other Cybercrime Threats
- Smart cities – The most visible ransomware attacks in 2019 were those against local governments, specifically in the United States. Whether this trend will also become a threat to EU Member States is something to be seen, but experiences in the US are a warning.
- Attacks on critical infrastructure – Law enforcement appears to have become involved in a much wider variety of investigations into online attacks on critical infrastructures, including attacks on the energy, transport, water supply, and health sectors. Attacks on these infrastructures by financially motivated criminals remain unlikely, as such attacks draw the attention of multiple authorities and as such pose a disproportionate risk.
- The Darknet is becoming more fragmented: there are increases in single-vendor shops and smaller fragmented markets on Tor, including those catering for specific languages. Some organised crime groups are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement.
- Blockchain marketplaces – in addition to circumventing law enforcement, criminal developers are also motivated by the need to increase trust with their customer base on Tor, both in terms of anonymity but also by reducing the risk of exit scams. An example of such a market is Black Dog, scheduled for launch in August 2019. It claims to be the ‘first-ever truly decentralized crypto market’ and depends on the Ethereum blockchain to facilitate transactions.
- Business email compromise – data also returns in the discussion of business email compromise, which is a crucial priority reported by both Member States and private industry. While this crime is not new, it is evolving. This scam exploits the way corporations do business, taking advantage of segregated corporate structures and internal gaps in payment verification processes.
Data is at the center of these crime scenes. Cybercriminals target data for their crimes, so data security and consumer awareness are paramount for organizations, stresses Europol.
“Cybercriminals are becoming bolder than ever and so should we in our common European response,” said Dimitris Avramopoulos, European Commissioner for Migration, Home Affairs and Citizenship. “I am glad to see that Europe’s efforts to tackle large-scale cyber-attacks across borders are bringing results. But I am distraught by the fact that child sexual abuse material continues to thrive online. We all need to step up our efforts at all levels, because cybersecurity isn’t just the task of national law enforcement. It is a responsibility for all of us towards our citizens.”
The full annual Internet Organised Crime Threat Assessment (IOCTA) by Europol can be viewed here. (8 MB PDF download).