Europol Issues Internet Organized Crime Threat Assessment

Jonathan J. Rusch

On October 9, the European Union Agency for Law Enforcement Cooperation (Europol) issued its Internet Organised Crime Threat Assessment (IOCTA) for 2019.  The IOCTA contains six categories of findings:

  • Cyber-Dependent Crime
    • With regard to cyber-dependent crime, which Europol defies as “any crime that can only be committed using computers, computer networks or other forms of information communication technology (ICT),” ransomware remains the principal threat. Even though “the overall volume of ransomware attacks has declined as attackers focus on fewer but more profitable targets and greater economic damage,” the number of victims “is still high.”
    • “Phishing and vulnerable remote desktop protocols (RDPs) are the key primary malware infection vectors.” The IOCTA noted that according to some reports, as many as 65 percent of groups “rely on spear-phishing as their primary infection vector.”
    • “Data remains a key target, commodity and enabler for cybercrime.” The IOCTA observed that data compromise “represents the second-most prominent cyber-threat [after ransomware] tackled by European cybercrime investigators.”
    • After the increase in destructive ransomware, “there is a growing concern within organisations over attacks of sabotage.”
    • “Continuous efforts are needed to further synergise the network and information security sector and the cyber law enforcement authorities to improve the overall cyber resilience and cybersecurity.”
  • Child Sexual Exploitation Online
    • The amount of CSEM that law enforcement and the private sector has detected “continues to increase, putting considerable strain on law enforcement resources.” The IOCTA stated that at least 18 EU Member States received referrals from the United States through Europol, and that all Member States received referrals from Canada through Europol.
    • “The online solicitation of children for sexual purposes remains a serious threat with a largely unchanged modus operandi.” Sexual offenders “generally use the open web . . . using a variety of social media services.”
    • Self-generated explicit material (SGEM) – also known as “sexting” — “is more and more common, driven by growing access of minors to high quality smartphones and a lack of awareness of the risks.” The IOCTA stated that “[a]lthough sexual coercion and extortion of minors also happens for financial gain, in the majority of cases the aim is to obtain new CSEM.”
    • Commercial CSE remains limited, but the “notable exception” of live distant child abuse.
  • Payment Fraud
    • Card Not Present (CNP) fraud “continues to be the main priority within payment fraud and continues to be a facilitator for other forms of illegal activity.” Fraud relating to the purchase of physical goods is the leading type of CNP fraud, but “CNP is increasingly moving into other sectors such as travel (hotels, car rentals, etc.) postal services, giftcards, etc.”
    • Card “skimming”, as the second priority for investigators, continues to evolve, as criminals “continuously adap[t] to new security measures.” The IOCTA added the remarkable observation that “[t]he ongoing threat of skimming is the direct result of the fact that not all payment terminals and ATMs in Europe contain the necessary anti-skimming measures.”
    • “Jackpotting” attacks – also known as “black-box attacks,” which are designed to cash out ATMs – “is the most widespread type of logical ATM attack” and “are becoming more accessible and successful.”
  • The Criminal Abuse of the “Dark Web”
    • The “dark web” – defined as “encrypted online content that is not indexed by conventional search engines” – “remains the key online enabler for trade in an extensive range of criminal products and services and a priority threat for law enforcement.”
    • Recent coordinated law enforcement activities, together with extensive Distributed Denial of Service (DDoS) attacks, “have generated distrust in The onion router (Tor) environment.” At the same time, while “there is evidence that administrators are now exploring alternatives,” it appears that “the user-friendliness, existing market variety and customer-base on Tor makes a full migration to new platforms unlikely just yet.”
    • Europol observed “increases in single-vendor shops and smaller fragmented markets on Tor,” including those catering to specific languages. “Some organised crime groups (OCGs) are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement.”
    • “Encrypted communication applications enhance single-vendor trade on the dark web, helping direct users to services and enabling closed communications. Although there is no evidence of a full business migration, there is a risk the group functions could become increasingly used to support illicit trade.”
  • The Convergence of Cyber and Terrorism
    • The broad array of online service providers (OSPs) that terrorist groups exploit “presents a significant challenge for disruption efforts.” As the IOCTA put it, “the sheer number of OSPs exploited for terrorist purposes presents a challenge for disruption efforts. These include forums, file-sharing sites, pastebins, video streaming/sharing sites, URL shortening services, blogs, messaging/broadcast applications, news websites, live streaming platforms, social media sites and various services supporting the creation and hosting of websites (including [domain name] registries and registrars).”
    • “Terrorist groups are often early adopters of new technologies, exploiting emerging platforms for their online communication and distribution strategies.”
    • “With sufficient planning and support from sympathetic online communities, terrorist attacks can rapidly turn viral, before OSPs and law enforcement can respond.”
  • Cross-Cutting Crime Factors
    • “Phishing remains an important tool in the arsenal of cybercriminals for both cyberdependent crime and non-cash payment fraud (NCPF).” The IOCTA characterized phishing as “a core attack method for all cybercrime.”
    • “While cryptocurrencies continue to facilitate cybercrime, hackers and fraudsters now routinely target crypto-assets and enterprises.” Crypto investigations, according to the IOCTA, “ are now a core part of daily business for law enforcement. As a result, investigators require training to ensure they have the appropriate skills to handle such investigations.”

The IOCTA also provides numerous recommendations for each of those categories, including:

  • Cyber-Dependent Crime
    • Because “(s)uccessfully tackling major crime-as-a-service providers can have a clear and lasting impact,” law enforcement “should continue focusing its concerted efforts into tackling such service providers.
    • Enhanced cooperation and improved data sharing between law enforcement, computer security incident response teams (CSIRTs), and private partners “will be the key to tackling complex cyberattacks, and allow the private sector to take the necessary preventative security measures to protect themselves and their customers.”
    • “In response to major cross-border cyberattacks, all cooperation channels should be explored, including Europol’s and Eurojust’s support capabilities as well as legal instruments designed for closer cross-border cooperation (such as Joint investigation Teams (JITs) and spontaneous exchange of information) in order to share resources and coordinate.”
    • Collaboration between the network and information security sector and cyber law enforcement authorities should be further enhanced, by involving those law enforcement authorities “latter in cyber resilience-related activities such as cyber simulation exercises.”
    • “Low-level cybercrimes such as website defacement should be seen as an opportunity for law enforcement to intervene in the criminal career path of young, developing cybercriminals.”
  • CSEO
    • “Coordinated action with the private sector and the deployment of new technology, including Artificial Intelligence, could help reduce the production and distribution of online CSEM, facilitate investigations, and assist with the processing of the massive data volumes associated with CSEM cases.”
    • “A structural educational campaign across Europe to deliver a consistent high-quality message aimed at children about online risks is of the utmost importance to reduce the risks derived from SGEM such as sexual coercion and extortion.”
    • Because “much CSEM, particularly that arising from LDCA, originates from developing countries, it is essential that EU law enforcement continues to cooperate with, and support the investigations of, law enforcement in these jurisdictions.”
    • “Fighting CSE is a joint effort between law enforcement and the private sector and a common platform is needed to coordinate efforts and prevent a fragmented approach and duplicated efforts.”
    • In order to prevent child sex offenders from traveling to third countries to abuse children sexually, European Union (EU) law enforcement “should make use of passenger name record (PNR) data accessible through the Travel Intelligence team within Europol.”
  • Payment Fraud
    • Public-private sector cooperation – both between and within the sectors – “is crucial to come to fruitful results.” On this point, the IOCTA stated that “speedy and more direct access to and exchange of information from the private sector is essential for Europol and its partners.”
    • Organisations must ensure they train their employees and make their customers aware of how they can detect social engineering and other scams.”
  • The Criminal Abuse of the “Dark Web”
    • More coordinated investigation and prevention actions targeting the phenomenon are required, demonstrating the ability of law enforcement and deterring users from illicit activity on the dark web.”
    • The ability to maintain an accurate real-time information position is necessary to enable law enforcement efforts to tackle the dark web. The capability needs to enable the identification, categorisation, collection and advanced analytical processing, including machine learning and AI.”
    • “An EU-wide framework is required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation.”
    • Improved coordination and standardisation of undercover online investigations are required to de-conflict dark web investigations and address the disparity in capabilities across the EU.”
  • The Convergence of Cyber and Terrorism
    • “Limiting the ability of terrorists to carry out transnational attacks by disrupting their flow of propaganda and attributing online terrorism-related offences requires continued and heightened counterterrorism cooperation and information sharing across law enforcement authorities, as well as with the private sector.”
    • “Any effective measure to counter terrorist groups’ online propaganda and recruitment operations entails addressing the whole range of abused OSPs, especially start-ups and smaller platforms with limited capacity for response.”
    • “Cross-platform collaboration and a multi-stakeholder crisis response protocol on terrorist content online would be essential to crisis management [is] the aftermath of a terrorist attack.”
    • “A better understanding of new and emerging technologies is a priority for law enforcement practitioners. Upcoming policy debates and legislative developments should take into account the features of these technologies in order to devise an effective strategy to prevent further abuse.”
  • Cross-Cutting Crime Factors
    • “Law enforcement and the judiciary must continue to develop, share and propagate knowledge on how to recognise, track, trace, seize and recover cryptocurrency assets.”
    • “Law enforcement must continue to build trust-based relationships with cryptocurrency-related businesses, academia, and other relevant private sector entities, to more effectively tackle issues posed by cryptocurrencies during investigations.”
    • Despite the gradual implementation of the Fifth Anti-Money Laundering Directive across the EU, “investigators should be vigilant concerning emerging cryptocurrency conversion and cash-out opportunities and share any new information with Europol.”

N.B.:  Information-security teams and law enforcement cybercrime teams should closely review the IOCTA, as it draws on an extensive range of data from structured surveys and feedback sessions involving 26 Member States and European third-party members, as well as other EU government entities, as well as open-source research and private-sector input.  For their part, EU leadership should closely review the IOCTA recommendations, with a view to enhancing Europol’s roles in intelligence-sharing and public-private collaboration to combat cybercrime.

Published by Jonathan J. Rusch

I'm a lawyer and consultant interested in corporate- and individual-compliance issues, and an inveterate part-time law professor; a former federal prosecutor, regulator, and anti-bribery and corruption compliance head at a global financial institution; and a (very minor) shareholder in Williams Grand Prix Engineering.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s