Almost any idiot with malicious intentions can jump into the cybercrime arena thanks to 'Crime-as-a-Service' tools that lower the entry barriers into cybercrime; wannabe cyber-criminals who lack technical expertise can simply buy the tools and skills needed. In fact, “Crime-as-a-Service business models” and anonymization have helped many traditional organized crime groups move to cybercrime, according to the 2014 Internet Organized Crime Threat Assessment (iOCTA) published today. It’s easy to do and difficult to be busted since “criminals in cyberspace do not need to be close to the crime scene, they might never even travel to the target country, and can attack a large number of victims globally with minimum effort and risk by hiding their identity.”
Law enforcement was advised to beef up its visible online presence and to learn Russian in order to better investigate organized crime groups. But that’s just a couple of many investigation recommendations in the 2014 iOCTA summary (pdf).
Let’s kick the acronyms out of the way. The 92-page report (pdf) came out of the European Police Office, known as Europol. More specifically, the report that talks about increased commercialization of cybercrime was published by Europol’s European Cybercrime Center (EC3). It also looks at the latest trends, future risks, emerging threats and recommendations for law enforcement and policy makers in the EU. Granted, the report provides an “analysis of the latest trends and the current impact of cybercrime within the EU,” but geographical boundaries mean little when it comes to cybercrime; attacks can affect people in the US or anywhere else in the world.
As part of the report’s “forward-looking assessment and analysis of future risks and emerging threats,” it states, “Current and future developments such as Big and Fast Data, the Internet of Everything, wearable devices, augmented reality, cloud computing, artificial intelligence and the transition to IPv6 will provide additional attack vectors and an increased attack surface for criminals.” Another section dealing with “cybernetic crime evolution” talks about exploiting software in cyber-physical systems such as houses, cars, and smart cities that are designed without security in mind.
Abuse of anonymization
The 2014 iOCTA report does not demonize Tor by name; in fact it calls anonymization techniques “perfectly legitimate tools for citizens to protect their privacy.” Yet under a heading of “abuse of anonymization,” it discusses darknets and other high-anonymity environments that host hidden services and marketplaces for crimes such as “drug trade, selling stolen goods, weapons, compromised credit card details, forged documents, fake IDs and the trafficking of human beings.” Sickeningly, it also mentions an increase in “livestreaming of on-demand abuse of children” which “present new challenges for law enforcement.”
Anonymization could be done via proxies or VPN services, but the report seems to circle back to Tor without ever mentioning it; hidden services might be sold on an underground forum or hosted elsewhere on hidden Wiki, which a person needs Tor to access. At any rate, it claims that privacy networks used on the digital underground attract cybercrooks. That may be true, but it's also the dreaded slippery slope.
“A number of legitimate features of the Internet are being exploited by cyber-criminals such as anonymization, encryption and virtual currencies.” The report warns that anonymous payment mechanisms like crypto-currencies may evolve into niche currencies “tailored towards illicit activity and providing greater security and true anonymity.” Bitcoin, Dogecoin and Litecoin are referenced under “financial obscurity” and “ever increasing ways for criminals to launder money online.”
Will ‘virtual shoplifters’ evolve into cyber-criminals?
Under “psychological obsolescence,” the report suggests that “the disruptive impact of technology on youth development is likely to produce a cultural shift which may leave present psychological, social and cultural norms behind, including respect for property rights, privacy, national security, and the authority of law enforcement.”
Regarding “a generation inured by the consumption of illegally downloadable music, videos, software and games,” the report asks, “What sort of criminal activities may this generation of ‘virtual shoplifters’ progress to?” That question is before considering more serious threats like the “developmental effects on those spending large amounts of time in deep web contexts, those exposed to age-inappropriate sexual content online, or those vulnerable to radicalization online by cyber terrorist interests.”
Of course the cybercrime report also mentions social engineering used to infect users and cyber propaganda spread through social media platforms, but under a heading of “ubiquitous victimology,” it warns that the public needs to be made aware that “no matter where they are or what they are doing, they may be at risk of serious organized crime. This is because of the increase in mobile and wearable technologies, which may not have the same level of security features as laptop or desktop devices.”
Proposed solutions include awareness campaigns about cyber threats, such as “highlighting the importance of ‘digital hygiene,’ endpoint security and security by design.” Under “cyberpsychological insight” law enforcement and policy makers are advised to “develop digital deterrents targeting cyber-criminals and digital outreach protocols supporting victims.”
Law enforcement is told to “target malware developers for apprehension and prosecution” and to focus “on the top identified criminal forums and marketplaces and on targeting individuals with the highest reputations on these platforms. Given the present predominant use of the Russian language, many law enforcement services will need to increase or adapt their language capabilities.”
The report encourages law enforcement to invest in “capacity building” and acquire “skills, expertise, knowledge and tools to perform cybercrime investigations, Big Data analysis and Internet of Everything (IoE) related digital forensics.” It adds that training should include everyone from first responders to cybercrime investigation team leaders.
Because “cybercrime investigations and electronic evidence often span multiple jurisdictions,” the threat assessment report suggests better transnational partnerships, the “pooling of intelligence” as well as "improved monitoring, reporting and sharing of cybercrime related data.”
Europe tends to have much stronger laws upholding the fundamental rights of privacy and the protection of personal data. While “the debate on a good balance between security and privacy” is important to Europol, it needs legislation and “tools to effectively prevent and combat serious online crime and terrorism.”
The appendix stresses that European law enforcement, especially Europol, “do not engage in any form of mass surveillance as discussed in the context of the Snowden revelations.” Yet the increasing cybercrime threat “calls for an open discussion on what law enforcement should be allowed to do online and where the boundaries need to be drawn.”
The 2014 iOCTA was described as “EC3's flagship strategic product” and will help set priorities “for the Operational Action Plan for 2015 in the three cybercrime sub-areas: cyber-attacks, online child sexual exploitation and payment fraud.” The findings will be discussed at the INTERPOL-Europol Cybercrime Conference, which begins on October 1 in Singapore.