What Can Cybercrime Threats Against EU states Teach Us?

We Read the 70 Page 2016 Internet Organized Crime Threat Assessment Report So You Don’t Have To.

Europol’s European Cybercrime Centre (EC3) published the 2016 Internet Organized Crime Threat Assessment (IOCTA).

This report provides an update on the latest trends and the current impact of cybercrime within Europe and the EU. It’s an extremely professional report, which should be read by decision makers from the private and public sectors. Sadly, it’s also about 70 pages long, so that’s not very likely to happen. We’ve read the report and pulled the main insights around cyber threats for your benefit. Please note that the report also covers additional areas such as child pornography and terrorism, which we’ve not included in this post. We do recommend reading it though here.


The report highlights ransomware and information-stealing malware as the two most dominant concerns for EU law enforcement (with ransomware being the top threat).

The report mentions that the number of cryptoware variants has multiplied, and they have effectively hit all EU countries to varying degrees. Whereas each variant has its own unique properties, many are adopting similar anonymization strategies such as using Tor or I2P for communication, and business models offering free test file decryptions to demonstrate their intentions. Ransom payment is almost exclusively in Bitcoins. In addition to ransomware, the report points that information-stealing malware, or Trojans, is also a prominent threat, although the evolution of these threats is somewhat less dynamic, with a handful of often persistent “consumer favorites” dominating the markets.
The cryptoware scene is currently where the most flux exists, with a myriad of new variants identified in the security industry and media in the past year. Many of these, such as Cerber, CryptXXX and Locky, appear to be gaining momentum. It is therefore a safe bet that 2016 will see further diversification in the range of cryptoware available, with likely only a select few surviving into 2017.


Phishing has developed into one of the most widespread attack vectors and can either be used on its own or as a preliminary step to a further attack. EU Member States reported an increased number of investigations related to phishing as well as the number of targeted, spear phishing attacks is increasing. Such attacks, which generally target higher value targets, are perhaps more likely to be reported to law enforcement.

The quality of phishing messages and websites is also increasing. It is not always possible for an intended victim to rely on poor grammar, spelling and punctuation, or simply poor drafting, as an indication that a particular message may be fraudulent. To complement the theft of login credentials, phishing may also be used as an effective way to bypass two-factor authentication.

As the quality and authenticity of phishing tools and services continues to increase, we can expect the increase in targeted spear phishing attacks to continue. As existing and emerging social networks and social apps grow, we can expect criminals to take advantage of these platforms that efficiently combine both the stage upon which they can socially engineer their victims and deliver them malware through internal messaging mechanisms.

SCADA and ICS – through everyday malware and zero-day attacks

Attacks on SCADA (supervisory control and data acquisition) and ICS (industrial control systems) are perceived as sophisticated attacks, but the report reveals that these are manifested in similar manner to “ordinary” cyber attacks—through spear phishing and malware.

After incidents such as Stuxnet, it is not surprising that critical infrastructure facilities can be infected with viruses, which are generally harmless unless the infrastructure is the specific target. In 2015, law enforcement across Europe reported a number of malware infections within air-gapped control system networks, combined with the exploitation of zero-day, or unpatched vulnerabilities in control system devices and software.

Surprisingly, as with other network attacks, spear phishing is a common ICS attack vector, providing targeted entry into an organization’s system.

The use of the supply chain as an attack vector is increasing, where the attackers target third-party vendors or partners, targeting the weakest link, and moving laterally to the actual target. This is also a common use of the traditional USB stick infection.

And one word on prevention….

When it comes to addressing high volume crimes, investing resources in prevention activities may be more effective than an investigation of individual incidents. In addition to raising awareness and providing crime prevention advice, the campaigns should always advise the public on how to report such crimes.

So while this report is directed to various nations, we find that this certainly holds true for enterprises as they fight the battle against malware.


About the Author:

Michelle Handelman is Head of Marketing at ReSec.