Crime-as-a-service gathers pace in digital age

News by John Walker

Europol's latest report into criminal behaviour shows the emergence of cyber-crime-as-a-service in virtual undergrounds.

Europol's ‘Exploring Tomorrow's Crimes Today' report tackles the changing landscape of criminal activities in the connected world, noting the increasing leverage of the virtual criminal underground who facilitate project managed criminal entrepreneurs with, what is now referred to as CaaS (Crime-as-a-Service).

In this new imaginative age of the evolving criminal mind, we are encountering sophisticated cutting-edge criminal solutions, underpinning the operability of cyber-crime, which in turn may be further used to support traditional crimes, such as people and drug trafficking, paedophilia and child exploitation, the counterfeiting of goods, and even terrorism.

Rob Wainwright, director of Europol, commented in the report that: "Organised crime is dynamic and adaptable and law enforcement authorities across the EU are challenged to keep pace with the changing nature of this substantial and significant threat. This report - the first of its kind for Europol - will enable us to look ahead and better allocate resources, plan operational activities and engage with policy - and law-makers to prevent certain types of crimes from emerging".

The report clearly outlines areas drawn from the digital age which are valuable resources to assist the new age criminal.  In particular they highlight the anywhere-anytime anonymity provided by remote internet connectivity, the exploitation of big data and personal data to facilitate identify and financial crimes, through to money laundering, all of which can, and do maximise the returns beyond any criminal forages in the physical or traditional world.

The Europol report also picks up on the potential use of virtual currencies which accommodate the internet-connected cyber-criminal with the addition of flexible-friend funding options which may be utilised to transfer, trade, and manipulate, again under the anonymity of a world without any robust cross-border controls. However, when it comes to the use of virtualised currencies to launder money, or to facilitate some illicit activities, there are many other tried-and tested resources which have been in use for years in the profile of on-line betting agencies which may also be leveraged to accommodate undercover discreet services – these are long standing challenges for law enforcement.

It is noteworthy that this Europol report is the first credible source to indicate the use of fraud scams with information gathered from online intrusion and reconnaissance – referring to the modern day employment of Open Source Intelligence (OSINT) which is today widely used by hackers and criminal gangs to maximise the success rates of their criminal missions.

Peter Wood, CEO of First Base Technologies LLP told today: “Crime-as-a-Service is a natural outcome of the way we now use cloud services, and distributed computing. After all, criminals have business plans and strategies just like legitimate organisations, and it's inevitable that they will evolve latest technologies to reduce cost, reduce risk, and maximise their return on crime-vestment. The problem is that the defenders continue to think like defenders, and seldom consider outside-the-box threat modelling, and they don't always understand the criminal modus operandi. Those on the legal side of this battle-ground need to invest in some serious up-front analysis and planning before we once again knee-jerk into buying the latest security products. Silver bullets still don't work!” 

Imran Ulghar, a security architect with Cofely GDF, commented to SC: “I am aware of a recent event in which a large energy organisation came under attack and suffered a compromise of its assets. The employed threat actor was one of the most conventional methods – phishing. What was the difference? It was targeted against a specific financial department of the organisation - going where the money was. The most astonishing aspect of this event is that it entered the most protected segment of the network completely un-detected, and then executed its payload to spread across the compromised segment of the network. The threat would never have been detected if it were not for an unknown transaction of a large sum exceeding £100k which triggered an alarm in their processing systems and the transaction was halted. The most disturbing aspect of this case was the slow implementation of incident response, the lack of organisation-wide communication, and pro-active monitoring of the network. Lack of such basic functions in any business tend to bring down even the largest organisation through traditional threats.” 

In this always-on world of cross-border international interconnectivity, the use of social media, linked to the acceptable exfiltration of data by commercial organisations, it must be anticipated that the serious criminal fraternity will use this new opportunistic landscape of logical-gold to mine and target vulnerable individuals such as senior citizens, and of course organisations, to enhance their operations, and felonious returns.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews