This article focuses on the positive changes and increased collaboration in society’s fight against cybercrime in recent years. Significant progress has been made in many areas and among many groups, and this deserves to be recognized and highlighted. We often forget how far we have come and how things were a few short years ago. There is a tendency to concentrate on the areas that still need work and improvement, on current and newly emerging threats, and on other areas where we still face challenges. However, looking at the changes and collaboration of the past five to ten years produces a stark picture of success. This positive picture of progress should provide encouragement, renewed energy, and enthusiasm to continue pressing forward in our quest to reduce cyber criminal activity. These changes are making the online world a safer place for everyone.
This article is written primarily from the perspective of a digital forensic investigator at a global financial institution. Large banks are constantly working to fight financially motivated cyber criminals targeting their staff, clients, and IT infrastructure. What follows are some observations of positive change across the finance sector, law enforcement, the tech industry, academia, and the general public. Also included are some thoughts on how criminals themselves have changed, adapted, and evolved.
Cybercrime a Decade Ago
To put this positive change into better perspective, it is helpful to look back five or ten years and reflect on how things were. A decade ago the Russian Business Network (RBN) was the infamous bullet-proof hoster where many criminal gangs could safely host their illegal activities. The WSNPoem banking trojan (the precursor to Zeus) targeted dozens of banks across Europe with a high rate of success. For many European banks, this was the first time they had experienced a complex, targeted online banking trojan. It was a shock to the finance industry as a whole. At this point in time there was little sharing of threat intelligence between banks or with law enforcement. Sharing information with other banks was still viewed as helping the competition, a view that is fully obsolete today. At that time, engaging with law enforcement was strictly formal, and typically only done when the victim of a crime was filing a criminal complaint. This wave of cybercrime activity in 2007 and 2008, starting with WSNPoem/Zeus and shortly followed by the more advanced Sinowal/Torpig banking trojan, was completely unexpected and set a number of changes in motion. It was an awkward coming of age for many European banks. But significant change has happened since then, with very positive results. There are many other examples of criminal activity that triggered change, but these were the seminal events that started a general change in mindset across the European banking industry and elsewhere.
Cyber Incidents, an Evolving Scene
Organisations experience many different incident types. Policy violations are incidents internal to an organization and typically involve HR and management. Legal and regulatory incidents typically involve the legal and compliance departments. Intellectual property (IP) teams may exist to manage brand and IP abuse. Criminal incidents may involve local or federal law enforcement. Incidents requiring evidence collection need formal digital forensic processes, and there may be mandatory reporting to regulatory bodies or suspicious activity reports (SARs) that need to be submitted to the authorities.
On the cyber criminal front, there are different types of crime affecting organizations to different degrees. Some criminal activity targets anyone and everyone and affects all industries: for example hacktivism, spam waves, virus outbreaks, vulnerability exploitation (Heartbleed, default passwords on IoT devices, etc.), and more recently the evolution of ransomware attacks. These attacks are opportunistic and affect anyone from private individuals to large companies. In addition to these broad and common attacks, each industry also has its own specific pain points: criminal activity that affects it more than other industries.
For example, the finance industry suffers more than others from online banking trojans and phishing attacks. The entertainment industry (movies, music) has an increased focus on copyright violations, online file sharing, and piracy. Marketing and advertising firms are dealing more with click fraud and malvertising. Companies with research departments like pharmaceuticals or engineering firms have more concerns with intellectual property theft and industrial espionage. Each industry is faced with particular criminal activity tailored to their business, which may need to be addressed in different ways.
The view of "cyber" incidents is changing and taking on a broader definition. A decade ago, cyber incidents were considered an IT problem, and IT departments were tasked with managing them. Today cyber incidents have evolved beyond IT and are increasingly managed by other risk and security functions in larger organizations. These incidents are no longer simply malware, denial of service against systems, or intrusions. Incidents today involve attacks against business processes and application logic, social engineering for fraud or data theft, brand infringement and intellectual property abuse, social media and crowd-sourced activity causing reputational damage, and cyber bullying, harassment, and stalking targeting individuals. The scope of cyber incidents is no longer limited to IT infrastructure and today involves many non-IT teams across the organization.
The incident location has changed significantly as well. Incidents today are multi-jurisdictional. Consider an attacker in country A, using a relay/proxy in country B, targeting an organization in country C through their outsourcing partner in country D, and finally exfiltrating data to criminal infrastructure in country E. Here five different countries are involved, five legal jurisdictions, potentially five different law enforcement agencies, who will need to interact with multiple private sector firms. This is a common scenario with cyber criminal activity today, increasing the complexity of resolution and investigation.
Another change is the shift in IT infrastructure. This includes outsourcing, a multitude of solutions provided "as a service" (SaaS, PaaS, IaaS, etc.), virtual machines, and cloud computing. On the client side this shift is happening in the form of "Bring Your Own Device" (BYOD), mobile computing, and Virtual Desktop Infrastructure (VDI). The ownership, operation, control, and location of these technologies are spread out across multiple parties and geographies. This is in stark contrast to the simple, centralized, in-house IT infrastructure of the past. This introduction has provided some background and set the scene for the rest of this article. Now we can focus on the positive changes observed in various areas such as the tech industry, the finance industry, law enforcement and government, the public, and even the criminals themselves.
Tech Industry Changes
A significant number of positive changes have happened with ISPs and hosting providers (hosters). They have become much more approachable and cooperative regarding criminal activity. Often a phone call to a hotline or an email to an abuse address will result in a fast takedown of phishing sites, drive-by malware, or fraudulent email accounts. ISPs and hosters don’t want this criminal activity on their infrastructure and actively shut it down when notified. A decade ago, getting a hoster to shut down a phishing site often took several weeks, usually only after an exchange of letters between lawyers. Today takedowns and removals often happen within hours of notification. In some cases, providers even offer victim organizations additional information about the attacks to aid investigations.
Tech companies have become more proactive against crime. There are more collaborative investigations and takedowns together with law enforcement. Europol EC3 is a prime example, with numerous botnet takedowns executed together with Microsoft and other tech companies in recent years. These voluntary acts of collaboration did not happen as easily in the past. Over a decade ago, cooperation between law enforcement and tech companies was more often a formal interaction with warrants and legal demands for cooperation. Today there is a very positive spirit of cooperation between the tech industry and authorities.
Tech companies are also more proactive with detecting and eradicating malicious activity in their own infrastructure. They are identifying and removing malware and rogue apps from app stores, actively stopping fraud, phishing, and spam, and providing warning messages for users. In the past, hosting companies generally left these risks and responsibilities to the customer.
Tech companies are taking more responsibility for the security of their products today. Platforms are becoming more locked down by default. There is a trend towards more carefully controlled app-store models for software distribution. They have improved updating and patching of software and devices. Security updates are released faster and install easier, often via automated background updates without any user involvement. Contrast this with the past, when operating system and software vendors expected users to keep their own systems secure and required separate downloading and manual installation of patches and security updates.
Internet service providers are also taking more responsibility for the security and health of their own networks and services. They are actively detecting and filtering DDoS attacks against clients. They are implementing standards such as BCP 38 (ingress filtering), which reduces the possibility of IP source address spoofing from their networks. Hosting companies and online services are detecting malicious activity and taking action; for example, logins with stolen credentials are being detected by various means such as device fingerprinting, geolocation, and user history. Email providers are beginning to implement further standards such as DMARC, built on SPF and DKIM, which lets a domain owner instruct receivers to quarantine or reject mail whose From domain is not backed by an aligned, authenticated sending domain.
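To make the DMARC point concrete, here is an added example (not code from the article) of the decision a receiving mail server takes for one message. The interesting part is identifier alignment: SPF or DKIM passing is not enough, the domain that passed must also align with the From domain the user sees, which is what stops a sender from passing SPF on their own domain while displaying the bank's domain. DNS is replaced by a constructed dictionary so it runs offline; the domains, records, and the simplified organizational-domain rule are assumptions of the example.

```python
# Added example: DMARC policy evaluation for one message (RFC 7489 logic).
# Not the article's code. DNS lookups are replaced by FAKE_DNS below.

# Constructed stand-in for _dmarc.<domain> TXT records; domains are invented.
FAKE_DNS = {
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                                "rua=mailto:dmarc-reports@example-bank.test",
    "_dmarc.newsletter.test": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Parse the tag=value list of a DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    # RFC 7489 defaults: relaxed alignment for both, policy 'none'.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption for this example: real implementations consult the Public
    Suffix List so that names like 'bank.co.uk' are handled correctly.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain (mail.bank.test aligns with bank.test)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_pass_domain=None, dkim_pass_domain=None,
             dns=FAKE_DNS):
    """Return (disposition, reason) for a message.

    spf_pass_domain  - MAIL FROM domain for which SPF returned 'pass', or None
    dkim_pass_domain - d= domain of a DKIM signature that verified, or None
    Disposition is 'pass', or the record's p= value ('none', 'quarantine',
    'reject') when no aligned authentication exists.
    """
    record = (dns.get("_dmarc." + from_domain.lower())
              or dns.get("_dmarc." + org_domain(from_domain)))
    if record is None:
        return "none", "no DMARC record published"
    policy = parse_dmarc(record)
    if dkim_pass_domain and aligned(from_domain, dkim_pass_domain, policy["adkim"]):
        return "pass", "DKIM passed and is aligned"
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, policy["aspf"]):
        return "pass", "SPF passed and is aligned"
    return policy["p"], "no aligned SPF or DKIM pass"


if __name__ == "__main__":
    # Spoofed: From shows the bank, SPF passed only for the sender's own domain.
    print(evaluate("example-bank.test", spf_pass_domain="bulk-sender.test"))
    # Legitimate: sent from the bank's mail host, relaxed SPF alignment.
    print(evaluate("example-bank.test", spf_pass_domain="mail.example-bank.test"))
```

Note that the spoofed message is rejected even though SPF "passed", because the passing domain is the sender's, not the bank's. A domain that publishes only `p=none` gets reports but no protection, which is why moving to `quarantine` or `reject` is the step that actually stops spoofing.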
Finance Industry Changes
Banks have also made a number of positive changes in behavior to combat cyber criminal activity in the payments and funds transfer area. When crime is financially motivated and criminals need to move money, banks will be (ab)used to facilitate money transfer and ’cashout’. However, this has become more difficult over the past decade.
Financial Institutions are sharing more threat intelligence information between themselves, with law enforcement, and even with tech industry partners. A number of information sharing communities exist today where banks can interact with their peers and discuss threats. Many operate at a regional level with banks from a particular country meeting on a regular basis to exchange information. There are also many international information sharing groups for the finance industry. Banks still need to be conscious of what they can legally share within their regulatory framework, but this has been examined closely and, where needed, regulators and legislators are being encouraged to make changes.
Many of the current intelligence sharing groups started out of necessity, or grew out of early industry crisis meetings that evolved into regular events. The focus of the sharing was to protect customers, help banks detect and stop fraudulent activity, and to help law enforcement obtain the evidence they needed for successful arrest and prosecution of criminals. It is interesting to note that many of the well established intelligence sharing groups in the finance industry have celebrated 10-year anniversaries recently. This correlates with the unexpected wave of banking trojan activity that suddenly appeared almost exactly a decade ago.
Other positive changes across the finance industry have helped to reduce the success of criminal activity. There has been a trend away from password-based authentication towards two-factor authentication (2FA). Many banks require additional cryptographic signing of unusual payments, which carry a higher risk of being fraudulent; because the signature covers the beneficiary and amount the customer actually sees, a trojan that silently alters those details in the browser cannot produce a valid signature for the altered payment. Banks are now detecting technical anomalies indicative of infected clients, or payment anomalies indicative of fraud, and reaching out to those clients to inform them. A decade ago, banks did not consider this to be within their scope of responsibility.
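The following is an added example, not the article's code and not any particular bank's scheme, showing why signing the payment details defeats a man-in-the-browser trojan. The customer's token and the bank share a secret; the token displays beneficiary and amount on its own screen and signs exactly those fields, and the bank recomputes the signature over the payment it actually received. HMAC-SHA256 with HOTP-style truncation to an 8-digit code, the field order, the in-memory challenge store, the secret value, and the sample IBANs are all assumptions of the example; real deployments (EMV-CAP readers, app-based signing) differ in detail.

```python
# Added example: "what you see is what you sign" transaction signing.
# Not the article's code; scheme details are assumptions (see comments).
import hashlib
import hmac
import secrets

# Constructed per-customer secret; in practice provisioned into a smart
# card or the phone's secure element at enrolment.
TOKEN_SECRET = b"constructed-secret-for-customer-4711"


def canonical(beneficiary, amount_cents, currency, challenge):
    """Fixed order and separators so token and bank MAC identical bytes."""
    return "|".join([beneficiary, str(amount_cents), currency, challenge]).encode()


def token_sign(secret, beneficiary, amount_cents, currency, challenge):
    """Runs on the token: MAC the displayed fields, truncate to 8 digits."""
    mac = hmac.new(secret, canonical(beneficiary, amount_cents, currency, challenge),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 style)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return "%08d" % (code % 10 ** 8)


class PaymentServer:
    """Bank side: issues single-use challenges and verifies signed payments."""

    def __init__(self, secret):
        self.secret = secret
        self.open_challenges = set()

    def new_challenge(self):
        challenge = secrets.token_hex(8)
        self.open_challenges.add(challenge)
        return challenge

    def submit(self, beneficiary, amount_cents, currency, challenge, code):
        # Reject replays: a challenge is consumed by its first accepted payment.
        if challenge not in self.open_challenges:
            return "rejected: unknown or already used challenge"
        expected = token_sign(self.secret, beneficiary, amount_cents, currency, challenge)
        # Constant-time compare; the code is short, so also rate-limit in practice.
        if not hmac.compare_digest(expected, code):
            return "rejected: signature does not cover the submitted payment"
        self.open_challenges.discard(challenge)
        return "accepted"


def demo():
    """Customer signs a payment; a trojan swaps the beneficiary in transit."""
    bank = PaymentServer(TOKEN_SECRET)
    challenge = bank.new_challenge()
    # What the customer sees on the token display and signs (sample IBAN):
    code = token_sign(TOKEN_SECRET, "DE89370400440532013000", 25000, "EUR", challenge)
    # What the infected browser actually sends (beneficiary rewritten):
    tampered = bank.submit("GB29NWBK60161331926819", 25000, "EUR", challenge, code)
    # The untampered payment with the same signature is accepted once...
    genuine = bank.submit("DE89370400440532013000", 25000, "EUR", challenge, code)
    # ...and a replay of it is refused because the challenge was consumed.
    replay = bank.submit("DE89370400440532013000", 25000, "EUR", challenge, code)
    return tampered, genuine, replay


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The property that matters is that the signature is bound to the beneficiary and amount, not just to the session: a one-time code that merely proves possession of the token would still be relayed by the trojan to authorize the rewritten payment.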
Another trend is the shift toward mobile banking apps. Using locked-down mobile devices in combination with custom-written banking applications makes e-banking attacks more difficult. The current trend towards biometric authentication and leveraging the secure elements built into modern mobile devices will increase the level of difficulty in the future.
Among banking staff, there is an increased awareness and understanding of criminal activity. Client relationship managers are more vigilant and suspicious of activity that doesn’t look right. They are challenging their clients when suspicious payments are requested (suspected Business Email Compromise, or BEC), and confirming payment requests that have been received through less secure channels.
Finally, banks are investing more in security overall. They are developing analytical systems, anomaly detection systems, and other defense mechanisms to protect themselves and their clients. They are also creating dedicated teams to manage cyber criminal risk, and engaging with insurance companies to add cyber criminal incidents to insurance portfolios.
Government and Law Enforcement Changes
A number of positive changes have been happening with government and law enforcement agencies. Cross-border and cross-jurisdiction collaboration has improved. Within countries, local law enforcement agencies are reaching out to other agencies in the country and cooperating with improved efficiency. Internationally, federal law enforcement agencies have found new ways to collaborate on investigations involving the Internet. Agencies no longer rely solely on formal processes like mutual legal assistance treaties (MLATs) to exchange intelligence. An excellent example of international law enforcement collaboration is the Europol EC3 J-CAT initiative, which brings a number of law enforcement agencies together in a single location with the purpose of investigating trans-national cybercrime. There has also been significant change in engagement with the private sector. Government and law enforcement are working more to share information and collaborate with private sector organizations. A good example is INTERPOL’s cooperation with anti-virus vendors, inviting them to work on-site at the INTERPOL Global Complex for Innovation (IGCI) in Singapore.
Law enforcement agencies have made significant progress in understanding the latest technology-based crime. It is not simply traditional disk forensics anymore: today’s law enforcement investigators have a better understanding of botnets, malware, phishing, and other technologically complex criminal activity. This has been a significant learning advancement over the past decade, and it has improved their ability to investigate incidents.
Law enforcement have also gained a better understanding of the IT operations of private sector industries. They have a better understanding of what information is available, either as intelligence or evidence, that companies can provide to support investigations. They know what questions to ask, what data to request, and who to approach for support. They have a better understanding of what technical capabilities are available within the private sector, and how those capabilities can be leveraged to fight crime.
A key component is the success in making arrests. More cybercrime-related arrests are being made now than at any other point in the history of the Internet. The publicity generated by arresting cyber criminals has a strong deterrent effect. People participating in cyber criminal activity perceive a higher risk of getting caught and convicted. Public awareness of successful arrests helps to reduce the number of criminals (and potential criminals) willing to take the risks of conducting such activity. Compare this to a decade ago, when the general perception of the risk of getting caught for Internet-based crime was near zero.
The increase in public-private partnerships (PPPs) has been a significant positive change in the past decade. The number of governmental CERTs, such as MELANI in Switzerland, has increased. These CERTs are dedicated to assisting private sector industries with cyber-related issues. Some countries have even created dedicated "FinCERTs", or financial CERTs, which focus on finance sector issues. These public-private interfaces facilitate intelligence sharing and collaboration.
Changes with the Public
The general public has also made positive progress in the past decade. People are more aware of the risks online than they were in the past, and are more suspicious of unusual activity. Online fraud, social engineering, theft, and impersonation are better understood by the public today. There is better recognition of phishing sites, spam mails, and scams.
Overall, there is more concern and interest in security and privacy. The public expects companies and suppliers to protect their personal data. The public is (slowly) taking more steps to protect their own privacy online, managing the security of their electronic devices, and teaching children about the risks of posting information and interacting online.
Another major change in public behavior over the past few years has been the shift in technology platforms. This has had an effect on the amount of crime relying on technical exploitation of operating systems. The migration away from old and legacy systems, like the Windows XP platform, to more secure versions of Windows has increased the difficulty of deploying malware (there is still plenty of malware today, but getting it onto a patched, hardened system is not as easy as it once was). There has also been a significant move towards mobile devices (tablets and phones), which tend to be more locked down than general-purpose operating systems. This has made a difference in the volume and frequency of malware infections compared to a decade ago.
The media coverage of these issues has also changed. Information about malicious attacks and new risks is being more actively and prominently published by the media. Banks, governmental CERTs, law enforcement, and industry can easily approach the media or issue warnings to the press, and the information will reach the public. In addition, social media channels greatly speed up the dissemination of important threat information to the public.
Changes with Criminals
The criminals themselves have also been changing. They have become more industrialized, forming an organized underground economy. Criminals are specializing in different individual services such as recruiting money mules, distributing malware, maintaining botnets, etc. They sell these services to other criminals. The technical expertise needed is decreasing as criminals move to a ”Crime as a Service” model, where cyber-criminal activity is easier to execute, and support from the seller is provided.
The complexity and cost of developing and deploying malware and other technical exploitation have been increasing in recent years. This is creating more interest in social engineering, which is simpler and just as effective. Consider the recent wave of Business Email Compromise (BEC) and CEO impersonation fraud attacks targeting businesses, or the fake technical support phone calls (vishing) targeting the public.
There is also increased leveraging of stolen data circulating on the dark web or on data leak sites. This data includes people’s passwords, which can be used to gain unauthorized access to various accounts: email, online stores, social media sites, bank accounts, and others. Access to these accounts can be useful to collect information for social engineering, fraud, or other criminal purposes. People often use the same password for multiple accounts, so if one password is stolen from a site, every other account that shares it can be accessed simply by replaying the same credentials elsewhere (credential stuffing). If email accounts are compromised, it also becomes easier to request password resets for other accounts.
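From the defender's side, the replay of leaked credentials has a recognizable shape in authentication logs. The following is an added example (not the article's code) of detection logic run over a constructed login log: one source address trying many distinct usernames with a high failure ratio is a credential-stuffing run, and the occasional success inside such a run marks an account whose owner reused a leaked password and should be locked and reset. The log format, the thresholds, and the single-window simplification are assumptions of the example; addresses are from the documentation ranges.

```python
# Added example: spotting credential-stuffing logins in an auth log.
# Not the article's code; log format and thresholds are assumptions.
import re
from collections import defaultdict

# Constructed sample log (not real traffic). 203.0.113.9 sprays eight
# accounts and gets into one of them; 198.51.100.7 is a user mistyping.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2018-03-01T10:00:09Z src=198.51.100.7 user=alice result=FAIL
2018-03-01T10:00:15Z src=198.51.100.7 user=alice result=OK
2018-03-01T10:01:00Z src=203.0.113.9 user=bob result=FAIL
2018-03-01T10:01:01Z src=203.0.113.9 user=carol result=FAIL
2018-03-01T10:01:01Z src=203.0.113.9 user=dave result=FAIL
2018-03-01T10:01:02Z src=203.0.113.9 user=erin result=OK
2018-03-01T10:01:02Z src=203.0.113.9 user=frank result=FAIL
2018-03-01T10:01:03Z src=203.0.113.9 user=grace result=FAIL
2018-03-01T10:01:03Z src=203.0.113.9 user=heidi result=FAIL
2018-03-01T10:01:04Z src=203.0.113.9 user=ivan result=FAIL
2018-03-01T10:02:30Z src=192.0.2.44 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (src, user, ok) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("user"), m.group("result") == "OK"


def credential_stuffing_sources(events, min_users=5, min_fail_ratio=0.75):
    """Return {src: {"users": n, "fail_ratio": r, "compromised": [...]}} for
    sources that spray many distinct usernames and mostly fail.

    Assumption: the whole input is one time window; production code would
    bucket events by time and also look at distinct sources per username,
    since stuffing tools rotate through proxies.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "ok_users": set()})
    for src, user, ok in events:
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["ok_users"].add(user)
        else:
            s["failures"] += 1

    flagged = {}
    for src, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "users": len(s["users"]),
                "fail_ratio": ratio,
                # Successes inside a spray are accounts to lock and reset.
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in credential_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

A normal user who fails twice and then succeeds is not flagged, because the distinct-username count stays at one; the stuffing source is flagged on the combination of many usernames and a high failure ratio, and the one success it achieved is exactly the reused-password account the text describes.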
Criminals are also leveraging new technologies for money laundering and anonymization. Bitcoin has become a popular method of payment, especially with ransomware, extortion, and DD4BC (DDoS for Bitcoin) attacks. The ability to use bitcoin tumblers and other laundering techniques makes it more difficult for investigators to follow the money. Newer banking trojans are using the Tor network to host their command and control servers (Retefe, for example). The use of Tor, not only for anonymizing client access but also for server destinations, increases the difficulty of investigation and disruption.
Changes with Academia
Academia has also made a number of changes over the past decade which have had a positive effect on reducing cybercrime. New Bachelor and Master programs with a focus on security, digital forensics, and cybercrime investigation have been introduced. Research programs and PhD projects are bringing innovative methods and ideas into the community. These may evolve into spinoff companies or products which can help law enforcement or other organizations to combat cybercrime. Academic institutions across Europe are engaging with industry to find part-time professors and lecturers who can bring their current experience into the classroom to teach students. Some universities (UCD in Ireland for example) are providing onsite training and education to law enforcement agencies.
There is an increased desire to improve the level of collaboration between academia and the finance industry. There are a number of mutual benefits for banks and academics to study and understand cybercriminal activity together in a research context. In January 2018 the Berner Fachhochschule organized a workshop called ”Bankademia” to bring together researchers from academia and security staff from various European banks. The goal of the workshop was to discuss potential research collaboration between the two sectors.
Keeping an Eye on the Future
The positive changes outlined above have helped to slow down (and even reduce) the growth of cyber-criminal activity in many areas. Many banks have seen a decline in ebanking trojans and phishing attacks in recent years. This decrease in activity compared to 5-10 years ago is due to the combination of changes described in this article.
However, we cannot let these positive changes make us complacent in our fight against crime. Criminals are creative and always finding new ways to commit crimes. The global crime fighting community needs to evolve together with the criminals to keep society safe.
The amount of criminal activity can often seem overwhelming and sometimes it feels like we are losing the battle. But if we remember how things were a decade ago, we can clearly see how far we have come. A lot of amazing work and progress has been made, and it has had a very positive effect on reducing crime in society. We need to keep injecting new and positive changes into our work. It makes a difference.