What Can Cybercrime Threats Against EU States Teach Us About Cybersecurity?

Europol’s European Cybercrime Centre (EC3) recently published the “2016 Internet Organised Crime Threat Assessment (IOCTA)”. https://www.europol.europa.eu/iocta/2016/threat-areas.html

The report provides an overview of the latest trends and current impact of cybercrime within Europe and the EU, of significance to both private and public sectors. The following post presents the highlights from the report. Please note that the report covers additional crime issues such as child pornography and policy and legislation issues, which are not discussed here.

Malware - Ransomware continues to be number one

The report highlights ransomware and information-stealing malware as the two most significant concerns for EU law enforcement (with ransomware as the top threat).

It goes on to note that the number of cryptoware variants has multiplied, and that these variants have effectively hit all EU countries to varying degrees. Whilst each variant has its own unique properties, many are adopting similar anonymization strategies, such as using Tor or I2P for communication, and business models offering free test file decryptions. Ransom payment is almost exclusively in Bitcoins. It is probable that 2016 will see further diversification in the range of cryptoware available, with only a select few likely to survive into 2017.

Data Breaches - Concerning more than money

It appears that industries such as hospitality and retail account for a significant percentage of breaches, as the data from these sources is highly valued by financially-motivated criminals. Financial credentials and intellectual property are not the only desirable data, however; 2015 saw the healthcare industry heavily targeted by attackers.

Moreover, the breaches of Ashley Madison and AdultFriendFinder in early 2015 appear to have triggered a trend in targeting online services catering to ‘consenting adults’, with further breaches occurring in 2016. Criminals targeting these services can gain not only financial data to aid financial fraud, but also potentially compromising sensitive customer data which can be used for extortion.

Data breaches were not limited to legal sites - interestingly, a number of services available on the criminal underground were also breached, disclosing credentials and other attributable data used by cybercriminals during their online activity. The identity of the perpetrators of these attacks is unknown, but the breaches have provided law enforcement with a wealth of invaluable information, regardless of the source - be it a ‘white hat’, rival criminal or cyber-vigilante.

Criminal Finances Online - It’s all about Bitcoin, for now...

Like any economy, the digital underground relies on transferring funds in exchange for goods or services. This can involve paying for tools needed to commit a crime, or those that enable the distribution and storage of the proceeds of crime.

When making payments to other cybercriminals, payments must be as secure and anonymous as possible. Darknet markets, for example, almost exclusively use Bitcoin, where the payment mechanism is incorporated into the market structure. In 2014, it was reported that some small online criminal communities had developed their own in-house currencies. This phenomenon has not expanded since, perhaps due to the availability of alternate currencies. Law enforcement is currently focused on Bitcoin, which is not lost on the criminal community. It is therefore logical to assume that some smaller criminal communities may be abusing lesser-known cryptocurrencies in order to stay under the radar.

Despite previous indications that the blockchain could be abused for criminal purposes, such as storing child abuse images or malware code, there is little evidence of this currently taking place. As entrepreneurial cybercriminals become more familiar with blockchain technology and its potential, it is likely that we will see more creative uses of its capabilities.

Criminal Communications Online - Darknet and underground forums are key, but secure apps are gaining popularity

When it comes to online communication, cybercriminals are no different to other internet users: they use the internet to contact each other, conduct business and socialise. Criminal forums within the deep web or Darknet remain crucial for cybercriminals to communicate, and are a key component of the crime-as-a-service business model. This underpins much of cybercrime, providing cybercriminals, entry-level and upwards, with access to the tools and services they need, in addition to providing an environment where they can teach, learn, buy and sell, advertise and conduct business.

Other web-based communication platforms, such as chatrooms or open forums, are still commonly used for C2C communications, as is “simple” email. Secure, encrypted email is readily available. While forums may be suitable for initial contact, most subsequent communications continue via alternate, less public means. Jabber is a commonly used tool, and is believed to be the preferred means of communication for the more technically competent cybercriminals. To a slightly lesser extent, IRC and ICQ are also used, whereas more commercial products are largely absent.

Additionally, criminals are increasingly using anonymization and encryption tools and techniques. There is a growing market for communication apps offering additional security features, such as end-to-end encryption and the possibility to permanently delete messages and traces. It is likely that these, such as Telegram, will be increasingly adopted by criminals, cyber or otherwise.

Whilst the possibility of a wholesale movement from Tor to other networks, such as I2P, was reported (https://www.europol.europa.eu/iocta/2016/darknets.html), this has not occurred. Tor remains a clear preference, perhaps due to the simplicity of its use, or conversely the technical challenges of moving to I2P. We can, however, still expect to see the improvement of existing networks, and the development of new networks such as Riffle, which is under development by MIT.


The long-standing Crime-as-a-Service model underpinning cybercrime continues to provide tools and services across the entire spectrum of cyber criminality, from entry-level to top-tier players, as well as to parties with other motivations, such as terrorism. The boundaries between cybercriminals, Advanced Persistent Threat (APT) style actors and other groups continue to blur. Whilst the extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited, the availability of cybercrime tools and services and illicit commodities, such as firearms on the Darknet, provides ample opportunity for this situation to change.

It should be noted that the majority of reported attacks are neither sophisticated nor advanced. Whilst it is true that in some areas cybercriminals demonstrate a high degree of sophistication in the tools, tactics and processes they employ, many forms of attack are successful due to a lack of digital hygiene, of security by design and of user awareness. Nevertheless, a variety of new and innovative modi operandi have been discovered, combining existing approaches, exploiting new technology and identifying new targets. This means that constant monitoring, intelligence collection and analysis of the cybercrime underworld is required to allow both enterprises and governments to mitigate future threats.

This post was written by Alon Arvatz, IntSights CPO.
