Internet Organised Crime Threat Assessment (IOCTA 2017)
Europol

Published: 2017
Pages: 80
The 2017 Internet Organised Crime Threat Assessment (IOCTA) reports how cybercrime continues to grow and evolve. While many aspects of cybercrime are firmly established, other areas of cybercrime have witnessed a striking upsurge in activity, including attacks on an unprecedented scale, as cybercrime continues to take new forms and new directions. A handful of cyber-attacks have caused widespread public concern but only represented a small sample of the wide array of cyber threats now faced.

Because of the similar tools and techniques used, it is sometimes difficult to attribute cyber-attacks to particular groups, for example, financially motivated cybercriminals and Advanced Persistent Threat (APT) groups. Some of the reported cyber-attacks from mid-2017 illustrate this trend. For genuine financially motivated attacks, extortion remains a common tactic, with ransomware and Distributed Denial of Service (DDoS) attacks remaining priorities for EU law enforcement.

Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating 'ransomworms', as observed in the WannaCry and Petya/NotPetya cases. Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile. Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.

The extent of this threat becomes more apparent when considering attacks on critical infrastructure. Previous reports have focused on worst-case scenarios, such as attacks on systems in power plants and heavy industry. However, it is clear that a greater variety of critical infrastructures are more vulnerable to 'every-day' cyber-attacks, highlighting the need for a coordinated EU law enforcement and cross-sector response to major cyber-attacks on critical infrastructure.

Law enforcement and industry action has led to a decline in the use of exploit kits. This has resulted in a shift towards alternative malware delivery methods, including spam botnets and social engineering. Along with technical attacks, social engineering techniques have become an essential tactic for the commission of many, often complex, cyber-dependent and cyber-facilitated crimes, including payment fraud and online child sexual exploitation.

The success of such attacks is demonstrated by the trend of large-scale data breaches. In a 12-month period, breaches relating to the disclosure of over 2 billion records were reported, all impacting EU citizens to some degree.

Previous reports have highlighted the potential for the abuse of insecure Internet of Things (IoT) devices. By the end of 2016 we had witnessed the first massive attack originating from such devices, as the Mirai malware transformed around 150 000 routers and CCTV cameras into a DDoS botnet. This botnet was responsible for a number of high profile attacks, including one severely disrupting internet infrastructure on the west coast of the United States (US).

The vast majority of child sexual exploitation material (CSEM) is still produced by hands-on offenders. Adding to this, however, is an increasing volume of self-generated explicit material (SGEM), which is either produced innocently, or as a result of the sexual coercion and extortion of minors. Offenders are increasingly using the Darknet to store and share material, and to form closed communities.

Card-not-present (CNP) fraud continues to dominate fraud related to non-cash payments, impacting heavily on the retail sector. Airline ticket fraud continues to have significant impact across the EU and facilitates a wide range of other crime types, from drug trafficking to illegal immigration. Card-present (CP) fraud accounts for a much smaller portion of non-cash payment fraud, yet the number of reported cases has reached record numbers. The US and Southeast Asia are still key locations for cashing-out compromised EU cards. The number of criminal groups specialising in direct, complex attacks on ATMs and banks is also increasing, resulting in dramatic losses for the victims.

A growing amount of illicit trade now has an online component, meaning that cybercrime investigative capabilities are increasingly in demand in all serious organised crime investigations. Dark net markets remain a key crosscutting enabler for other crime areas, providing access to, amongst other things, compromised financial data to commit various types of payment fraud, firearms, counterfeit documents to facilitate fraud, trafficking in human beings, and illegal immigration. Compared to more established Dark net market commodities, such as drugs, the availability of cybercrime tools and services on the Darknet appears to be growing more rapidly.

Cryptocurrencies continue to be exploited by cybercriminals, with Bitcoin being the currency of choice in criminal markets, and as payment for cyber-related extortion attempts, such as from ransomware or a DDoS attack. However, other cryptocurrencies such as Monero, Ethereum and Zcash are gaining popularity within the digital underground.

Law enforcement is witnessing a transition into the use of secure apps and other services by criminals across all crime areas. The majority of the apps used are the everyday brand names popular with the general population.

A combination of legislative and technical factors, which deny law enforcement access to timely and accurate electronic communications data and digital forensic opportunities, such as lack of data retention, the implementation of Carrier-Grade Network Address Translation (CGN), and criminal abuse of encryption, are leading to a loss of both investigative leads and the ability to effectively attribute and prosecute online criminal activity. Such issues require a coordinated and harmonised effort by law enforcement, policy makers, legislators, academia, civil society and training providers to effectively tackle them.

Despite the constant growth and evolution of cybercrime, joint cross-border law enforcement actions in cooperation with the private sector and other relevant EU and international partners against the key cyber threats have resulted in some significant successes, supported by effective prevention and disruption activities.

It is clear that continued, close cooperation with the private sector is essential to combat cybercrime in an agile, pro-active and coordinated manner with a comprehensive and up-to-date information posture at its heart. This report also highlights how adequate training of the public and employees to recognize and react appropriately to social engineering would have a significant impact on a wide range of cyber-attacks.