Europol Unclassified - Basic Protection level

A Three-Pronged Approach to Fight Cybercrime

Philipp Amann, Head of Strategy
Europol, EC3
October 2017
@EC3Europol

Source: cyberconafrica.org/Presentation/Three-Pronged_Approach_to_Fight...


Topics to Cover

Cybercrime Fighting Model

Europol’s EC3

Examples

Crime-as-a-Service Model

Scenario

Multi-national corporation

2 CEOs, 1 CTO and 2 CFOs

Excellent customer service and support

Uptime and resilience some of the key competitive advantages

Range of high-profit services catering to a global market and audience

Crime-as-a-Service Model

Some Terminology

Visible/Surface Web: Publicly accessible searchable internet

Deep Web: Unindexed by traditional search engines with limited access (databases, records, etc.)

Dark Web: Environment accessible only through specialised software and providing anonymity (whistle-blowers, criminals, etc.)

4%

96%

Underground Economy

Operation Avalanche - Nov 2016

• 5 arrests in 4 countries
• 37 searches in 7 countries
• 39 servers seized in 13 countries
• 221 servers taken offline
• 64 TLDs
• 800,000 domains in 26 countries
• Victim remediation in 189 countries
• Awareness raising and prevention

Operation Avalanche

Delivery platform to launch mass global malware attacks and money mule recruiting campaigns

In business since 2009

App. 500 000 infected active devices worldwide/day

Network very resilient to technical takedowns (double fast flux)

Estimated losses hundreds of millions of euros worldwide

Operation Avalanche – Service Model

[Diagram: five service models, each built from the same four steps]

Service models: Do it yourself; Malware as a Service; Botnet as a Service; Distribution as a Service; Crime as a Service

Steps in each model: Collect and launder money; Distribute malware; Infect target machines; Develop and test malware

Legend: Step managed by criminal / Step managed and provided as a service to criminal

Europol’s Mandate

HEADQUARTER: The Hague, Netherlands

“Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy” (Europol Regulation)

Cooperation Agreements

28 EU Member States

Operational Agreements: Albania, Australia, Canada, Colombia, Eurojust, Former Yugoslav Republic of Macedonia, Moldova, Montenegro, Iceland, INTERPOL, Liechtenstein, Monaco, Norway, Serbia, Switzerland, Bosnia and Herzegovina, United States of America, Ukraine*

Strategic Agreements: CEPOL, ECB, ECDC, EMCDDA, ENISA, FRONTEX, OHIM, OLAF, Russia, UNODC, World Customs Organisation

Liaison Bureaux Network

Europol Liaison Officers in:
• Interpol IGCI
• Interpol IPSG
• Washington DC

Europol Operational Units

• European Counter Terrorism Centre
• EU IRU
• European Cybercrime Centre
• J-CAT
• Information Hub
• Serious Organised Crime
• EMSC
• Europol Operational Centre 24/7
• Horizontal Operational Support

EC3 – A Three-Pronged Approach

Europol EC3

January 2013

Transnational Payment Fraud; Hi-Tech Crimes; Child Sexual Exploitation

Cyber Threats and Trends; Capacity Building; Cybercrime Prevention

Digital Forensics; Document Forensics

Multi-stakeholder Governance Model

[Diagram labels]

• EUCTF
• Evaluation
• SOCTA
• IOCTA
• Operational Actions
• Strategic Plans
• EU Policy Cycle
• EC3 Programme Board
• EC3 Advisory Networks
• Internet Security
• Financial Services
• Academic Advisory Network
• Cybercrime Prevention Network
• Communication Providers
• Forensic Expert Forum

Advisory Groups at a Glance

• Communication Providers
• Financial Services
• Internet Security

Joint Cybercrime Action Taskforce (J-CAT)

2.0

• High-Tech Crimes; Payment Fraud; Online Child Sexual Exploitation
• Cross-Crimes Factors Facilitating Cybercrime
• 24/7 Permanent Taskforce Operating from EC3
• Identification of priorities
• Investigative opportunities
• INVESTIGATION
• Chairmanship: Germany; Vice-Chairmanship: US FBI
• Attachment Schemes with Law Enforcement and Private Sector

Types of Threats

• Threats to Information and Devices
• Threats to Communication

Who is Behind?

• State-Sponsored/Condoned or Competitors
• (Cyber)Criminals and Organised Crime Groups
• Insiders
• Hacktivists

IOCTA 2017 – Key Trends

Common Challenges in Combatting Cybercrime

• MLA process
• Cross-border communication and the exchange of information
• Public-private cooperation
• Internet of Things
• Differences in legislation
• Online investigations
• Darknets
• Cloud-based storage
• Data retention
• Virtual currencies
• Encryption
• CGN issues
• LEA training
• Loss of data
• Loss of location
• Legal framework
• Public-private partnerships
• International cooperation
• Evolving threat landscape and the expertise gap

Cybercrime Fighting Model

Key Partners

• Law Enforcement
• Private Sector
• Internet Governance
• Institutional Partners
• Academia

Cybercrime Fighting Model

[Diagram labels: Profit per Attack; Volume of Attackers; Volume of Victims; Prevention; Investigation; Law Enforcement Focus; Skill Ceiling]

Coordinated LE Response to Criminality

• Cyber Patrol Action Week (June 2017)
• Operations GraveSac (Hansa) and Bayonet (AlphaBay) (June-July 2017)
• Operation Titanic (Elysium) (July 2017)

[Pie chart: AlphaBay. Legend: Fraud; Drugs & Chemicals; Guides and Tutorials; Counterfeit Items; Digital Products; Jewels & Gold; Weapons; Carded Items; Services; Other Listings; Software & Malware; Security & Hosting. Segment values as extracted: 13%, 68%, 5%, 2%, 5%, 1%, 1%, 1%, 2%, 1%, 1%, 0%]

200,000 users & 40,000 vendors

350,000 illicit commodities

Transactions worth USD 1 billion

Hansa Users and Surge of New Members after AlphaBay Takedown

Before: less than 1,000 vendors per day

After: more than 8,000

650 SIENAs/37 countries on daily drug shipments from Hansa in June-July

AlphaBay Takedown

over 87,000 members worldwide

14 suspects arrested (incl. operator of platform)

12 of them suspected of hands-on abuse

Operation Bayonet & GraveSac

Takedown of the largest criminal Dark Web markets: AlphaBay & Hansa

Platforms offered significant amounts of illicit goods and services

3 admins arrested

Strategic assessment of impact to inform future operations (alternatives)

Innovative LEA strategy: covert control of Hansa for a month to gather intel

Global Airline Action Days (June 2017)

E-Commerce Action Week (Oct 2016)

• 2nd International action on e-commerce fraud
• 76 arrests
• 100 searches
• 20,000 illegal online transactions
• E-merchants, payment industry and logistics companies
• Europol coordinating AT, BE, BG, CO, HR, DK, EE, FI, FR, GR, IE, IT, HU, LV, NL, PL, PT, RO, SK, ES, SE, UK, CA, USA, IS, GE

European Money Mule Action (March & Nov 16)

• Actions involving EC3, Eurojust, 16 countries, EBF, 106 banks
• 1,280 mules identified
• 259 arrested
• 95% transactions related to cybercrime

Awareness Raising

• @EC3Europol: More than 11,000 followers
• Active Users: 4,000+
• Online sub-communities: 55+

Mobile Malware Prevention Campaign

EC3’s Trace an Object Campaign

• To identify the origin of different objects, part of CSEM
• Tips can be submitted anonymously
• 20 objects were uploaded on the dedicated webpage
• More than 10,000 tips in a few days
• Inspired by victims previously identified based on objects

“SayNo” to Online Child Sexual Coercion and Extortion

• Videos in all EU languages
• Two different scenarios
• International awareness raising campaign
• Links to reporting mechanisms
• Advice for victims
• Prevention advice
• Public report on the phenomenon, key trends and response measures

Key findings from the report:

• Higher likelihood of female victims in content-motivated cases
• Predominantly male victims in profit-driven cases
• Demand for other children to be included as well in the CSEM

No More Ransom Initiative

• 109 Partners
• Website available in 28 languages
• 54 free decryption tools
• >28 000 Devices successfully decrypted
• The 2017 SC Magazine Editor’s Choice Award

EC3’s Cybercrime Training Courses

• Training Course on Combating the Sexual Exploitation of Children on the Internet
• Training Course on Open Source IT Forensics
• Training Course on Payment Card Fraud Forensics

Internet Governance

ICANN - PSWG
• DNS Abuse Mitigation
• Privacy and Proxy Services
• Reform of WHOIS – Next Generation RDS

RIPE NCC
• Improving the accuracy of the RIPE Database to improve traceability of IP addresses

CGN
• Expert network
• Engagement with industry
• Engagement with policy-makers

Main Takeaway Points

Evolving threat landscape and various challenges

Europol and EC3 – the EU’s ‘Uber’ of law enforcement

Cybercrime at scale requires a networked or ‘multi-pronged’ response

Industrialization of Cybercrime – Crime-as-a-Service model

Thank you

[email protected]

Follow us: @EC3Europol