On October 5, EUROPOL released IOCTA 2020, the latest annual edition of the Internet Organised Crime Threat Assessment. Every year, the report provides a great assessment of how the bad guys are making their money. I particularly like it because it’s not written by vendors, but by the cops.
Bad actors have better tricks
One theme emerges throughout the report. The crooks are getting smarter. They’re spending the time on their large targets to do it right, with highly specific social engineering. Also, malefactors with certain specialties, such as gaining access to networks, are forming strategic development alliances with other specialists, such as experts on lateral movement and exfiltration.
The cooperation isn’t only for offense, either. Groups are cooperating to make the Dark Web more secret and more resilient to attacks by law enforcement.
The crooks are even engaging in PR! The Maze ransomware group, for example, released a statement on their website claiming that they would “spare” healthcare organizations during the pandemic.
Ransomware still rules
Ransomware remains the most dominant threat, but innovation is the word here, too. The new tactic of exfiltrating information and threatening to release it, rather than just making it inaccessible, has taken hold. So has a focus on third-party providers in supply chains. It turns out supply chains, too, are only as strong as their weakest link. Hold up a third party, and the big company goes down, too.
Social engineering’s starring role
Social engineering continues to be the favorite method to facilitate other kinds of cybercrime. In addition to social engineering’s more familiar forms, smishing, the sending of fraudulent texts, is rising in popularity. Bank smishing is a popular attack. The text asks a bank customer to verify or update an account, but the link leads to a fake website and the phone number leads to a social engineer pretending to be the legitimate company.
The nasty technique climbing the charts quickest in 2019 was, drumroll please, SIM swapping! While it’s not as big as ransomware or malware, it’s rising fast. One SIM-swapping group in Spain stole more than 3 million euros. The gang struck more than 100 times, with thefts between €6,000 and €137,000.
Getting that much money meant doing more than making a few purchases on Apple Pay. The typical SIM swap was used to defeat two-factor authentication, get into customers’ bank accounts and empty them.
I wrote a post last week on my SIM getting swapped, where I made some helpful suggestions about what to do. Here are a few more from EUROPOL:
- Update your passwords regularly.
- When possible, do not associate your phone number with sensitive online accounts.
- Set up your own PIN to restrict access to the SIM card, and share it with nobody.
One more I’d like to add is to never use a debit card online. The amount of loss you can experience from credit card fraud is limited to $50, but if the bad guys get into your bank account, they can take it all.
Privacy: A double-edged sword
Every year, EUROPOL has something to say about the trade-off between privacy and cybercrime. Nobody loves privacy more than a criminal. One year, the complaint was about how GDPR was slowing investigations. This year, the threats are encryption, as used, for example, by purveyors of child sexual exploitation; privacy-enhancing wallets and coins that make following the money harder; and continuing challenges in getting victims to report crimes.
Money, money, money
Another theme visible throughout the report is commercialization. We now have CaaS. That’s Crime as a Service. You can team up with other criminals, or just hire them as subcontractors. Data and tools continue to be widely available on the Dark Web. But perhaps the most dismaying example is that Child Sexual Abuse Material, which used to be exchanged mainly among, ahem, hobbyists, is now increasingly being sold. It’s a growing industry.
AI goes rogue
Finally, it’s possible that artificial intelligence will become a successful criminal before it becomes self-aware. EUROPOL points out, “As ‘AI-as-a-Service’ becomes more widespread, it lowers the entry barrier to criminal activities by reducing the skills and technical expertise needed to employ it. This further exacerbates the potential for AI to be abused by criminals and become a driver of crime. Concrete scenarios include AI malware, AI-supported social engineering, AI-based password guessing, AI-aided reconnaissance or AI-facilitated content creation, to mention a few.”