Police across Europe are highlighting the growing threat of teenagers and young adults using Trojans and DDoS attacks to commit theft and extortion after arresting 15 suspects in the UK and six other countries.
The arrests, made this week, include four people in Britain and 11 others in France, Italy, Norway, Estonia, Romania and Latvia, in an operation co-ordinated by the Europol law enforcement agency.
Europol said the 15 are “EU citizens, mainly teenagers and young adults, who are suspected of misusing remote access Trojans (RATs) to commit various types of cyber-crime, which can include theft of personal information, DDoS attacks and extortion”.
Raymond Ijsselstijn, senior analyst at Europol's European Cyber Crime Centre (EC3), told SCMagazineUK.com that those seized “include minors, below 18 years old - they are students, school pupils.” Other suspects are in their late teens, early 20s and late 20s, he said.
Ijsselstijn warned: “Young people grow up with the internet, they see RATs as a relatively harmless tool to hack their friends or former girlfriends, but it's a cyber-crime in itself and could be the starting point of their cyber-criminal career.
“They see how easy it is to take over someone's computer – the next step could be more serious cyber-crimes, such as taking over bank accounts, encrypting malware, DDoS-ing large companies.
“Young people should be aware that using RATs is not just something you do for fun.”
The police operation, led by France, aimed to identify individuals misusing RATs such as Blackshades, PoisonIvy and DarkComet and “to inform the general public about the threat posed by this type of malware”.
It involved EC3 supporting the seven national police forces involved by collating intelligence and providing analytical support.
EC3 head Troels Oerting said: “Today an alliance of EU law enforcement agencies joined forces to send a strong signal to the criminals using this toxic RAT malware and, at the same time, engage with the predominantly younger individuals involved, to discourage them from pursuing this criminal path.”
But the four UK arrests, made by the National Crime Agency, largely buck this trend. They include a 20-year-old man seized in Chatham, Kent, and two 33-year old men and a 30-year old woman all arrested in Leeds on Thursday.
UK police also executed a search warrant on a 19-year-old man from Liverpool who was brought in for voluntary questioning on Friday.
Ijsselstijn told SC: “The focus in the UK was on those who were a little more prominent in offering the RATs and easier to identify. There are many more young people out there who use those Trojans to carry out cyber-crimes. For now the UK focus was initially onthose four .”
Commenting on the case, Charlie McMurdie, former head of the Met Police Central e-crime Unit (PCeU) and now a senior crime adviser with PricewaterhouseCoopers (PwC) backed Europol's warnings.
She said PwC has seen clients suffering DDoS attacks backed by extortion claims, typically for tens of thousands of pounds.
McMurdie told SCMagazineUK.com that for the young hackers involved “if it wasn't for the internet they may not have got involved in criminality. They're normally fairly shy, quiet, the last people you would expect to see hauled up before the court for causing the collapse of businesses or extortion.
“But if you look at the chat forums, they're sharing intelligence and knowledge. Kids don't go out and play football; they're in the chat rooms and sharing their latest attack tools, their trophies of what they've done and how they've managed to do it.”
McMurdie said: “These youngsters don't appreciate that what they're doing is criminal and what the fallout from this may be. Certainly within PwC we're getting more and more clients with attacks on networks and the extortion demands coming into it.
“It is moving from just hacking into networks to demonstrate their skill set to actually attacking and stealing data or attacking networks with ‘why not make money out of it'.
“I know of companies that have experienced substantial attacks, extortion demands, data breaches. It's £10,000-£20,000 just to keep the business up and running, but some of these companies can't continue to suffer these losses that are taking place.”
PA Consulting cyber-security expert Stephen Bailey agreed that youth cyber-related crime is a worrying trend.
He told SCMagazineUK.com: “As tools such as RATs become more readily available, they are likely to be attractive to hardened criminals wanting access to data as well as to the younger generation, who are often motivated by curiosity or mischief.
“In our digitised world children are growing up to be more online-savvy at a much younger age. It is inevitable that they will push the boundaries of what is right and wrong in the connected world.
“The key to stopping them crossing that boundary is education, but it should be done in a way that provides them with the technical challenges they seek, for example teaching them how to code.
“As well as teaching them that it is wrong to physically steal from people in the ‘real world', we must ensure that they understand that the online world requires the same behaviours.”
Charlie McMurdie told SC: “Europol's doing fantastic stuff in actually collating the attacks from various countries, bringing the intelligence together and doing these collective arrests, to send this message out to hopefully make individuals think twice before they get on the keyboard and start to practise the tools of their trade.”
In May, the UK's NCCU and police partners carried out an operation against the Blackshades RAT malware, and a previous NCA operation targeted the GoZeus banking malware family.