The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.
Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.
Europol IOCTA 2020
Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.
Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.
The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.
Malware reigns supreme
Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.
Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.
Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.
Child sexual abuse material continues to increase
The main threats related to online child abuse exploitation have remained stable in recent years, however detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.
Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.
Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.
Livestream of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used which becomes one of the key challenges for law enforcement as this material is not recorded.
Payment fraud: SIM swapping a new trend
SIM swapping, which allows perpetrators to take over accounts, is one of the new trends. As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.
Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.
Criminal abuse of the dark web
In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.
Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.
OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.
VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.
“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”
EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.
Cybercrime is evolving since criminals have been quick to seize opportunities to exploit the pandemic by adapting their tactics and engaging in new criminal activities.
Cybercriminals seeking to exploit emerging opportunities
Cybercriminals have been among the most adept at exploiting the pandemic. The threat from cybercrime activities during the crisis is dynamic and has the potential to increase further.
With a record number of potential victims staying at home and using online services across the EU, the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied.
Europol has been monitoring the impact of the COVID-19 pandemic on the cybercrime landscape since the beginning and has published an updated threat assessment of potential further developments in this crime area.
Among the forms of cybercrime analysed in the report are:
- The dark web
- Disinformation and interference campaigns.
“This pandemic brings out the best but unfortunately also the worst in humanity. With a huge number of people teleworking from home, often with outdated security systems, cybercriminals prey on the opportunity to take advantage of this surreal situation and focus even more on cybercriminal activities,” said Europol Executive Director, Catherine De Bolle.
“With this report we want to warn individuals, companies, public institutions and other organizations about these criminal activities. I would also like to draw special attention to the most vulnerable among those victims; I am very concerned about the rise of child sexual abuse online.”
- The impact of the COVID-19 pandemic on cybercrime has been the most visible and striking compared to other criminal activities.
- Criminals active in the domain of cybercrime have been able to adapt quickly and capitalize on the anxieties and fears of their victims.
- Phishing and ransomware campaigns are being launched to exploit the current crisis and are expected to continue to increase in scope and scale.
- Activity around the distribution of child sexual exploitation material online appears to be on the increase, based on a number of indicators.
- Both criminal organizations, states and state-backed actors seek to exploit the public health crisis to advance geopolitical interests.
PCs still running when Windows 7 reaches end of life on the 14th of January will be significantly more at risk of ransomware, Veritas Technologies has warned. According to experts, 26% of PCs are expected to still be running the Microsoft software after support for patches and bug fixes end.
The vulnerability to ransomware of PCs running unsupported software was demonstrated by WannaCry. Despite supported PCs being pushed patches for the cryptoworm, Europol estimated that 200,000 devices in 150 countries, running older, unsupported, software became infected by WannaCry. Although just $130,000 was paid in ransoms, the impact to business is understood to have run into the billions of dollars due to lost productivity and lost data.
Microsoft ended mainstream support of Windows 7 in 2015, giving users five years to ready themselves for the software to reach end of life.
Businesses running Windows 7 should prepare themselves in order to avoid the impact that vulnerability to ransomware could have on their organizations. Here are five tips that could help navigate this challenge:
Educate employees – The biggest risk is to data that employees save to unprotected locations. Ensure that users are following best practices for where to save data so that it can be secured and consider running a simulation. Saving valued data to centralized servers, data centers or to the cloud can help reduce risk.
Evaluate risk by understanding your data – For enterprises, insight software solutions can help to identify where key data lives and ensure that it complies with company policies and industry regulations. This is critical not only to identify the challenges but also to prioritize the recovery process.
Consider a software upgrade – This isn’t going to be practical for large enterprises in the time available, but it could well be part of a longer-term strategy. For SMEs, the most sensible solution might be simply to upgrade to an operating system that has ongoing support.
Run patches whilst you can – According to the Ponemon Institute, 60% of respondents who experienced data breaches did so despite a patch to prevent breaches being available to them. Businesses should at least make sure that they are as up-to-date as they can be whilst they can. Users will also be able to buy “ESUs” from Microsoft to access patches during their migration to newer software.
Ensure that data is backed up – Ransomware relies on the idea that paying a ransom is going to be the only/cheapest way to regain access to your data, yet research shows that less than half of those that pay up are actually able to recover their data from cyber criminals. Veritas advocates the “3-2-1 rule”, where data owners have three copies of their data, two of which are on different storage media and one is air gapped in an offsite location. With an air-gapped data backup solution, businesses have the much safer, and more reliable option, of simply restoring their data.
“WannaCry was a clear example of the dangers that businesses can face when they are using software that has reached end of life. In January 2020, a quarter of all PCs are going to fall into this category so it’s vital that the organizations that rely on Windows 7 are aware of the risks and what they need to mitigate them,” said Ian Wood, Senior Director, EMEA Cloud & Governance Business Practice, Veritas.
“This type of ransomware attack tends to have a disproportionate effect on organizations that can afford ransoms least – for example, we saw high-profile attacks on public sector bodies in 2017. So, it’s critical for those running Windows 7 to act now and put plans in place to ensure that they are able to protect themselves. Organizations need to understand their data and make sure that information is being stored in the right place where it can be protected and made available when needed,” Wood concluded.
The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.
The $5 million reward is being offered for 32 year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex“) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.
From 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply of unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer funds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These accomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by email and to people who have submitted their resumes to job search Web sites.
Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. People who bite on these offers sometimes receive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised payday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more on that in a moment).
HITCHED TO A MULE
KrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said they’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule recruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked businesses.
The source also discovered a pattern in the naming convention and appearance of several money mule recruitment Web sites being operated by Aqua. People who responded to recruitment messages were invited to create an account at one of these sites, enter personal and bank account data (mules were told they would be processing payments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new messages.
Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.
When it came time to transfer stolen funds, the recruiters would send a message through the mule site saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”
Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.
Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”
In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.
Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).
Collectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.
LOW FRIENDS IN HIGH PLACES
According to the U.S. Justice Department, Yakubets/Aqua served as leader of Evil Corp. and was responsible for managing and supervising the group’s cybercrime activities in deploying and using the Jabberzeus and Dridex banking malware. The DOJ notes that prior to serving in this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy “Slavik” Bogachev, a previously designated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes who currently has a $3 million FBI bounty on his head.
As noted in previous stories here, during times of conflict with Russia’s neighbors, Slavik was known to retool his crime machines to search for classified information on victim systems in regions of the world that were of strategic interest to the Russian government – particularly in Turkey and Ukraine.
“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on security firm Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”
This is interesting because the U.S. Treasury Department says Yukabets as of 2017 was working for the Russian FSB, one of Russia’s leading intelligence organizations.
“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB,” notes a statement from the Treasury.
The Treasury Department’s role in this action is key because it means the United States has now imposed economic sanctions on Yukabets and 16 accused associates, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with these individuals.
The Justice Department’s criminal complaint against Yukabets (PDF) mentions several intercepted chat communications between Aqua and his alleged associates in which they puzzle over why KrebsOnSecurity seemed to know so much about their internal operations and victims. In the following chat conversations (translated from Russian), Aqua and others discuss a story I wrote for The Washington Post in 2009 about their theft of hundreds of thousands of dollars from the payroll accounts of Bullitt County, Ky:
tank: [Are you] there?
tank: This is still about me.
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: He is the account from which we cashed.
tank: Today someone else send this news.
tank: I’m reading and thinking: Let me take a look at history. For some reason this name is familiar.
tank: I’m on line and I’ll look. Ah, here is this shit.
indep: How are you?
tank: Did you get my announcements?
indep: Well, I congratulate [you].
indep: This is just fuck when they write about you in the news.
tank: Whose [What]?
indep: Too much publicity is not needed.
tank: Well, so nobody knows who they are talking about.
tank: Well, nevertheless, they were writing about us.
aqua: So because of whom did they lock Western Union for Ukraine?
aqua: Tough shit.
tank: *************Originator: BULLITT COUNTY FISCAL Company: Bullitt
County Fiscal Court
aqua: This is the court system.
aqua: This is why they fucked [nailed?] several drops.
tank: Yes, indeed.
aqua: Well, fuck. Hackers: It’s true they stole a lot of money.
At roughly the same time, one of Aqua’s crew had a chat with Slavik, who used the nickname “lucky12345” at the time:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
lucky12345: It’s fucked.
On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters –- a crook who used the pseudonym “Jim Rogers” — somehow learned about something I hadn’t shared beyond a few trusted friends at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”:
jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation Good news expected exactly by the New Year! Besides us no one reads his column
tank: Mr. Fucking Brian Fucking Kerbs!
In March 2010, Aqua would divulge in an encrypted chat that his crew was working directly with the Zeus author (Slavik/Lucky12345), but that they found him abrasive and difficult to tolerate:
dimka: I read about the king of seas, was it your handy work?
aqua: what are you talking about? show me
aqua: yes, we are using it right now
aqua: its developer sits with us on the system
dimka: it’s a popular thing
aqua: but, he, fucker, annoyed the hell out of everyone, doesn’t want to write bypass of interactives (scans) and trojan penetration 35-40%, bitch
aqua: yeah, shit
aqua: we need better
aqua: http://voices.washingtonpost.com/securityfix read it 🙂 here you find almost everything about us 🙂
dimka: I think everything will be slightly different, if you think so
aqua: we, in this system, the big dog, the rest on the system are doing small crap
Later that month, Aqua bemoaned even more publicity about their work, pointing to a KrebsOnSecurity story about a sophisticated attack in which their malware not only intercepted a one-time password needed to log in to the victim’s bank account, but even modified the bank’s own Web site as displayed in the victim’s browser to point to a phony customer support number.
Ironically, the fake bank phone number was what tipped off the victim company employee. In this instance, the victim’s bank — Fifth Third Bank (referred to as “53” in the chat below) was able to claw back the money stolen by Aqua’s money mules, but not funds that were taken via fraudulent international wire transfers. The cybercriminals in this chat also complain they will need a newly-obfuscated version of their malware due to public exposure:
aqua: tomorrow, everything should work.
aqua: fuck, we need to find more socks for spam.
aqua: okay, so tomorrow Petro [another conspirator who went by the nickname Petr0vich] will give us a [new] .exe
jim_rogers: this one doesn’t work
jim_rogers: here it’s written about my transfer from 53. How I made a number of wires like it said there. And a woman burnt the deal because of a fake phone number.
In tandem with the indictments against Evil Corp, the Justice Department joined with officials from Europol to execute a law enforcement action and public awareness campaign to combat money mule activity.
“More than 90% of money mule transactions identified through the European Money Mule Actions are linked to cybercrime,” Europol wrote in a statement about the action. “The illegal money often comes from criminal activities like phishing, malware attacks, online auction fraud, e-commerce fraud, business e-mail compromise (BEC) and CEO fraud, romance scams, holiday fraud (booking fraud) and many others.”
The DOJ said U.S. law enforcement disrupted mule networks that spanned from Hawaii to Florida and from Alaska to Maine. Actions were taken to halt the conduct of over 600 domestic money mules, including 30 individuals who were criminally charged for their roles in receiving victim payments and providing the fraud proceeds to accomplices.
It’s good to see more public education about the damage that money mules inflict, because without them most of these criminal schemes simply fall apart. Aside from helping to launder funds from banking trojan victims, money mules often are instrumental in fleecing elderly people taken in by various online confidence scams.
It’s also great to see the U.S. government finally wielding its most powerful weapon against cybercriminals based in Russia and other safe havens for such activity: Economic sanctions that severely restrict cybercriminals’ access to ill-gotten gains and the ability to launder the proceeds of their crimes by investing in overseas assets.
DOJ press conference remarks on Yakubets
FBI charges announced in malware conspiracy
2019 indictment of Yakubets, Turashev. et al.
2010 Criminal complaint vs. Yukabets, et. al.
FBI “wanted” alert on Igor “Enki” Turashev
US-CERT alert on Dridex
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.
Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks.
Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital projection.
Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse.
Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.
Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information.
As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.
A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump is just the beginning for many of those whose data are included.
A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.
For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.
Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Consumer Data and Malware appeared first on .