Profits generated by some of the successful organised crime groups (OCGs) rival those of multinational corporations.
The European Union Serious and Organised Crime Threat Assessment (SOCTA) has issued a report called ‘Crime in the age of technology 2017’, a comprehensive study of serious and organised crime in the EU.
The report highlights that profits generated by some of the successful organised crime groups (OCGs), of which 5000 operating on an international level are currently under investigation, rival those of multinational corporations.
The internet of things and the connectivity of devices within businesses and homes, including phones and appliances, remain vulnerable to intrusion. Criminals are already deploying techniques to compromise these devices in order to gain personal and financial information, together with confidential data on business transactions.
Cyber-dependent crime, using a computer, computer networks or other form of ICT, is underpinned by a Crime-as-a-Service (CaaS) model which provides easy access tools and services which enable cyber crimes to be carried out.
Cryptoware (ransomware using encryption) is a significant threat to the EU, targeting not only citizens but increasingly public and private sector organisations alike.
Network intrusions for the purpose of illegally acquiring data have a significant impact globally, resulting in the loss of intellectual property and the compromise of mass amounts of data which can be used for further criminality including fraud and extortion.
Profits generated by cyber crimes are being used to fund other serious crimes such as drug-trafficking. The use of cyber crime itself can be an enabler to launder money from illegal activities into the legitimate economy.
What form do these cyber crimes take?
There are various methods used, but current threats include:
- Malware and ID theft – infecting machines with malicious software (malware) to steal user data such as credit card numbers, login credentials and personal information for subsequent use by criminals in fraud.
- Cryptoware – encrypting victims' user-generated files, denying them access unless the victim pays a fee to have their files decrypted.
- Network attack – unlawful access to or disclosure of private data or intellectual property; hundreds of millions of records are being compromised globally each year.
- Payment order fraud – using fraudulent transfer orders to defraud private and public sector organisations. This involves reliance on social engineering techniques and malware to carry these out.
- Payment Card fraud – compromised card data is readily available and easy to obtain on forums, marketplaces and automated card shops in the deep web and Darknet.
- Online sexual exploitation – child sexual exploitation material is increasingly produced for financial gain and distributed through the Darknet. Offenders use coercion and sexual extortion to obtain further abuse material for financial gain or to get access to the victim.
Avalanche Network – a platform for launching mass malware attacks
A successful global effort, which took more than 4 years of investigation, by 30 countries, saw an international criminal infrastructure platform known as ‘Avalanche’ dismantled. This had been used as a delivery platform to launch and manage mass global malware attacks. The monetary losses associated with malware attacks carried out over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide.
Payment Card Fraud
Payment card fraud is an issue across Europe, but it has moved more towards frauds carried out when the card is not present.
A Card-Present (CP) fraud requires the offender to present a physical card at an ATM, Point of Sale (POS) or other terminal. The cards are either lost or stolen genuine cards, or counterfeit cards. These frauds are becoming more difficult to carry out as the card industry is increasingly introducing processes and controls aimed at reducing them.
The increasing Card-Not-Present (CNP) frauds make up 68% of card fraud and require the offender to make fraudulent purchases online or by telephone using credit card payment information (i.e. name of card holder, billing address, card number, expiry date, and security code). Throughout the EU there has been an increase in this type of fraud, called ‘carding’, particularly across the purchase of physical goods (typically high value items the offender will resell), airline tickets, car rentals and accommodation.
CNP has increased because of the availability of compromised card data from data breaches, information stealing, malware and phishing. Payment methods such as uploading card data to smartphone services allow offenders to make ‘in app’ or ‘on site’ payments to apps which they control.
Read the report here: socta2017_0
How can you help keep your data safe?
Implementing the government-backed Cyber Essentials scheme and meeting Payment Card Industry Data Security Standards (PCI DSS) requirements will help to protect your data and keep it out of the hands of criminals.