IOCTA 2016

When it comes to online communication, cybercriminals are no different to any other internet users. They use the internet to contact each other, to carry out business and to socialise, often using everyday applications; they protect their data and their identities with the same means available to any private citizen. In this chapter we discuss the trends, tools and methods currently favoured by cybercriminals.

Criminal to criminal (C2C) communications

Criminal forums within the deep web or Darknet remain a crucial environment for cybercriminals to communicate. They are a key component of the crime-as-a-service business model which underpins much of cybercrime, providing cybercriminals, from entry level upwards, with access to the tools and services they need, and providing an environment where they can teach, learn, buy and sell, advertise and do business. Following the law enforcement take-down of the Darkode forum in July 2015 [148], the most prolific English-speaking criminal forum at the time, there do not appear to be any notable replacements.

Other web-based communication platforms such as chatrooms or open forums are still commonly used for C2C communications, as is ‘simple’ email. Secure, encrypted email is readily available. Some states still report the use of draft emails to communicate from accounts with shared access.

While forums may be suitable for initial contact, most subsequent communications continue using alternate, less public means. Here Jabber is a commonly used tool, and believed to be the preferred means of communication for the more technically competent cybercriminals. To a slightly lesser extent, IRC and ICQ are also used, whereas commercial ‘branded’ products are largely absent. More exotic means of communication such as the use of gaming consoles or even RATs are rare.

Essentially, cybercriminals will use whatever communication method they deem to be the most convenient and/or that which they perceive to be sufficiently secure.

[148] Europol Press Release, Cybercriminal Darkode Forum Taken Down Through Global Action, https://www.europol.europa.eu/content/cybercriminal-darkode-forum-taken-down-through-global-action, 2015

Criminal to victim (C2V) communications

Whereas a key requirement for C2C communication channels is security, the primary requirement for C2V communications is accessibility. This means the ability to contact potential victims en masse or to select a communication means readily available to a targeted victim.

Email remains the simplest and most convenient method for both approaches. Many phishing and malware (e.g. Dridex) campaigns are distributed via email spam, so that even a low success rate still yields a large number of victims. Similarly, emails can be handcrafted to maximise their effectiveness against specific victims targeted for social engineering.

Beyond email, a wide range of popular, publicly available tools are used for C2V communications, such as Skype, (Facebook) Messenger, WhatsApp and Viber. All are easy for victims to obtain and access, yet offer attackers a degree of security and anonymity. A channel the victim already uses may of course itself become the means of attack, if the attacker has carried out the appropriate research.

Anonymisation tools

The majority of reporting countries indicated that cybercriminals under investigation are using some form of IP anonymisation. The use of simple proxies was the most common tool, closely followed by the use of Tor and Virtual Private Networks (VPNs). The use of I2P has increased on previous years but is still only encountered in a low number of cases. Tor usage was reportedly more common in cyber-enabled crime than in cyber-dependent crime, which more often made use of either commercial or criminal (as-a-service) VPNs. It is likely that access to those VPNs, run by the more sophisticated criminal groups, is strictly controlled.

The use of encryption

Encryption is highly useful to private citizens and industry for protecting their data, thereby denying it to criminals who desire it for criminal purposes. When criminals use the same encryption to protect their own data, however, it presents significant challenges for law enforcement across all areas of cybercrime and cyber-facilitated crime.

Twenty European countries, including 13 EU Member States, report the use of encryption software (such as TrueCrypt, BitLocker, etc.) by cybercriminals to protect their stored data. Moreover, the phenomenon is no longer restricted to desktop computers, as third-party or native encryption is increasingly available on mobile devices. The use of encryption deprives law enforcement of crucial evidential opportunities. Eight Member States specifically state that dealing with encryption is a major challenge to investigating cybercrime.

Additionally, almost half of Member States indicate that their investigations involve the use of some form of encrypted communications, typically Jabber, but also commercial applications such as WhatsApp and Viber. Many commercially available communication platforms now have encryption activated by default. This is increasingly done by way of end-to-end encryption (encryption at the service level, rather than at the network layer as with HTTPS), leading to situations where services cannot be intercepted.

Future threats and developments

In terms of the tools and applications used by criminals to share, send, and store their data and communications, little has changed in the past year. Criminals continue to use whichever tools or applications they are familiar and comfortable with or which fit their intended purpose. What has changed is the growing movement and involvement of public and private bodies in debating the issue of encryption, and the desire for privacy and security versus the need for law enforcement to effectively investigate crime. While 2015/2016 has seen much discussion on the matter, no definitive answers have been proposed by either side, as indeed there is no simple solution at present.

There is a growing market for communication apps offering additional security features such as end-to-end encryption, and the possibility to permanently delete messages and traces. It is likely that these will be increasingly adopted by criminals (cyber- or otherwise) or that existing, commonly used applications will evolve to encompass these features. Some cybercriminals are counter-surveillance aware, using apps and other software to erase or detect the interception of their communications.

There are currently ongoing discussions on whether or not the courts can or should compel suspected offenders to disclose their encryption keys. This discussion varies from jurisdiction to jurisdiction, but some countries have already integrated this policy into their legal systems (e.g. the UK). Many topics have emerged from the discussion [149], including the right against self-incrimination.

[149] CNET, DoJ: We Can Force You to Decrypt That Laptop, http://www.cnet.com/news/doj-we-can-force-you-to-decrypt-that-laptop/, 2011

Recommendations

  • To counter the criminal use of encryption, law enforcement must ensure it has the training, tools and tactics it requires to obtain and handle digital evidence in situ using techniques such as live data forensics.
  • Law enforcement should continue to monitor trends in the use of applications and software by cybercriminals and maintain awareness of the different investigative opportunities and challenges that each provides.
  • It is essential for law enforcement to build and maintain relationships with academia and private industry as they may be able to assist or advise law enforcement where it lacks the technical capability to progress an investigation.