9 min read
Cybercrime: Virtual Threats, Real-World Impacts
AML RightSource : March 11, 2021
In the old days, to rob a bank, the robbers would have had to go into the bank to hold it up and make off with the bags full of cash. Today, they can rob a bank from the other end of the world without even leaving their house and run an even lower risk of getting caught. The continued evolution of technology, as well as finance, has led to increases in cybercrime which only seems to be accelerating in scale and scope.
Cyberattacks today transcend attempts to extort money from just individuals, they even transcend to targeting corporations and are now a growing threat to national and global security. Using ever increasing sophistication and speed, cybercriminals are targeting everyone from bank customers to government agencies.
The scale at which individuals can be targeted using sophistication, combined with obfuscation techniques, means that the victims can be many and offer a low risk-high reward outcome for the perpetrators. In a major mobile banking fraud operation conducted by a professional and organised crime group, millions of dollars were stolen from financial institutions in the US and Europe within days, in a series of attacks before being discovered. IBM’s mobile security research team found that the group used over 20 emulators to ‘spoof’ over 16,000 compromised mobile banking devices and customer credentials, where the scale of the operation was said to be one never seen before.
Emulators of mobile devices are generally not illegal and can be used by software developers to test applications on a number of devices because they can imitate the features of mobile devices without having to buy the actual devices. In this case, they were used in a sophisticated cyber-enabled attack to conduct fraudulent transactions at scale. The group was able to automate the fraudulent transfers too, as well as keeping them below amounts that may trigger alerts within the financial institutions. They would even shut down elements of the operation and wipe traces before moving onto the next attack to cover their tracks.
The findings show the great lengths the group went to ensure the fraud was successful, not only in its sophistication but methodology. They set up a repository of emulated devices, these emulations appeared just like the real ones and to ensure this was successful, the group downloaded legitimate Apps to view and test parameters to make sure the emulations ran correctly. They fed device specifications to the emulators to ensure they appeared just like real devices and using the compromised customer credentials they then automated and initiated the fraudulent transactions. They even spoofed GPS locations and every time an emulated device saw success in the fraud they recycled and used another one that was unused, with the same method employed when the banks blocked some of the emulated devices.
Whilst ‘transaction monitoring’ is often a term synonymous with financial institutions in anti-money laundering efforts, in this case the attackers monitored activity and their transactions for their own ends. The attackers carried out the monitoring in real time to see how servers of the targeted applications were reacting to the emulator’s attempts. Sessions logs and screen grabs were sent to the attackers to monitor activity and adjust their strategy when needed, as well as wipe traces when operations needed to be stopped.
Although there were lessons to be learned from this particular attack vector, independent investigations by other cybersecurity experts suggest that, at least in the UK, there remains room for improvement. Experts checked to see if a number banks in the UK detected testers downloading their Apps on emulated or ‘rooted’ (e.g. jailbroken) devices and a number of the banks were said to have failed to perform such detection. One challenger bank even disagreed that this exposed their App to security weaknesses and claimed that emulator and root detection can be unreliable.
CyberCrime Goes Corporate
One of the cyberthreats that made repeated headlines in 2020 was ransomware. Here, criminals can gain access to victim networks, locking them out of their own files and threaten release of compromised information if payment is not made. Blockchain analysis firm Chainalysis reported that, in 2020, whilst ransomware only accounted for 7% of all funds received from criminal crypto wallet addresses, totalling $350million, this was a 311% increase from 2019. When consideration is taken for all payments related to ransomware, the estimated losses were said to be $20 billion according to some experts. Various media reports of ransomware attacks showed that threat actors had set their sights on bigger targets beyond the individual, ranging from the GPS-based technology company Garmin to the education sector, healthcare, a football club, a helicopter firm and even a reportedly failed attempt at Tesla.
Former cybersecurity official from the UK’s National Cyber Security Centre (NCSC), Ciaran Martin, raised concerns that insurance companies may even inadvertently be funding cybercrime by paying out to companies who had been victims of ransomware attacks. With no legal obligation for companies that are victims not to pay cybercriminals, he said they were paying out ransoms and claiming back through their insurance. He was quoted as saying “People are paying bitcoin to criminals and claiming back cash” in a media report.
Some cybercriminals operate just like professional outfits (albeit involved in criminal activity) with online chat support, branding and guaranteed turn-around times too, with cybersecurity analysts suggesting that “The groups are increasingly becoming ruthlessly efficient…They have more of a chance of success the easier they make life for their victims – or the easier they make it to pay them”. The corporate models used by attackers even include discounts for early payment as well as corporate responsibility-style statements, where in one case they were said to not target schools, non-profits, governments or hospitals and focus only on targets they know could pay based on their net worth.
With Crime-as-a-Service (CaaS) offered to both less tech-savvy and experienced cybercriminals, barriers to entry have not only been lowered but it has also contributed to furthering cybercrime by more experienced actors. Recent news of the disruption by law enforcement of one of the world’s most prolific of malware, Emotet, was welcome news for many. The malware, said to date back to 2014, would be used to gain unauthorised access to systems the world over, after which compromised access would be sold to other cybercriminals to conduct further cybercrime through additional malware and ransomware attacks.
Enterprising cybercrime activity is not limited to just malware and ransomware attacks either. Evolution of technology has allowed for convergence with other crimes, such as drug dealing. The days of buying drugs on the dark web are a distant memory for some – cyber drug dealing now offers speed, sophistication and a 24 hour service because it is mainly staffed ‘bots’.
Enter Telegram and Televend. Televend is an automated retail system used to sell drugs on the popular messaging App, Telegram. Vendors operating on Televend can be found by adding it as a contact on Telegram and users can then visit vendor stores/channels selling drugs online. Bots allow for the process to be fully automated by taking orders, keeping track of stock and even creating invoices for payment to be received in Bitcoin – once payment is received, vendors are notified and can log-in to print off address information to post the drugs.
Although law enforcement have been clamping down on some of these vendors by shutting them down, unverified claims by Televend state they had 200,000 registered users of which 20,000 of them were said to be active but it was believed only a few hundred were dealers.
A Global Threat
Threat to national agencies and organisations means that the effects of cybercrime can literally be a matter of life and death for some. As was the case in Germany, where prosecutors opened an investigation last year into the death of a patient who died after a hospital was unable to take her in following a cyberattack that crippled its systems. The patient was turned away from one hospital and sent to another about 20 miles away. Subsequently, it was difficult to lay blame on the hackers for the death and it transpired they may have even attempted to target a university as opposed to the hospital because they seemed to have provided the encryption keys upon discovering the hospital had been affected. This case does, however, serve as a warning of just how dangerous cybercrime can be.
Although the hospital case was the first of its kind, the risk to national security can have a much wider reaching impact which may not always be evident or tangible. Such a scenario presented itself in Canada when details of the military’s Bombardier Global 6000 spy plane, which uses Saab’s GlobalEye spy system, were shared on the dark web on a website used for publishing stolen data from victims who refuse to pay the ransoms.
Cyber intrusions are not limited to Earth, even the National Aeronautics and Space Administration (NASA) has also been affected by cyberattacks, in 2018 hackers took advantage of a weakness they found and were able to access a network by connecting to an unauthorised Raspberry Pi device that was on the network. As a result, the hackers remained undetected for 10 months and stole 500MB of data from a number of files including two containing International Traffic in Arms Regulations (ITAR) information connected to the Mars Science Laboratory. In 2017 foreign hackers also accessed a server used to run source code for scientific spacecraft by exploiting flaws in ‘software, hardware or firmware’, where they were able to upload, manipulate, execute files and commands – though not related to controlling the spacecraft.
Opportunistic organised crime groups involved in fraud and money laundering may also compound damage from cyberattacks, posing further threats at a national and global level when their activities converge with state actors intending to cause damage at a country level. Ramon Olorunwa Abbas, known on social media as “Ray Hushpuppi”, made news headlines in the summer of 2020 when he was arrested and expelled from the United Arab Emirates (UAE) and taken to the US. He was charged with laundering millions of dollars from frauds and schemes that targeted among others, a US law firm, a foreign bank and an English Premier League football club. He was then also mentioned in a 2021 Department of Justice (DoJ) press release on the indictment of three North Korean Military hackers who were charged with conducting cyberattacks in order to steal and extort more than $1.3 billion of money and cryptocurrency from banks and organisations, creating and deploying a number of malicious cryptocurrency applications, as well as developing a fraudulent a blockchain platform. He was said to have helped launder money from a cyber-enabled heist from a Maltese bank in February 2019 by the North Korean hackers.
Reports from December 2020 of a cyberattack on SolarWinds, a software company that allows organisations to manage their systems, networks and Information Technology (IT) infrastructure, show just how much of a threat cybercrime can pose to national and global security. The cyberattack was described by Microsoft president, Brad Smith, as “The largest and most sophisticated attack the world has ever seen” and state actors were believed to be behind the attack.
The attack on SolarWinds involved inserting malicious code to their ‘Orion’ software, which was widely used by up to 33,000 customers, though the company believed the actual number of customers that may have installed products that contained this vulnerability to be fewer than 18,000 according to their SEC filings at the time. These customers included not only large companies but also multiple US government agencies such as departments of State, Homeland Security and Commerce and Energy.
Microsoft found itself a victim also, they reported in March 2021 that there had been an attack on their Microsoft Exchange Server, with state actors again thought to be the culprits. In the days that followed, the European Banking Authority (EBA) had to take their entire email system offline to assess the damage. Whilst other organisations and government bodies have yet to come forward to state they have been affected by this latest attack, the use of these servers across the globe is likely to have affected many others, both large and small.
First-Hand Insights: Malware and Cyber Heists
Having been in a number of financial institutions in anti-financial crime functions, cyberthreats are not typically something experienced day to day but on one occasion, overhearing a conversation between two colleagues led to what may have averted a significant cyberattack.
A referral had come in from the payments team requesting whether there were any concerns with a payment by a member of the board of the bank to a friend. The colleagues in the anti-financial crime department saw no initial money laundering related issues and were debating whether to contact the member of the board directly to check up on the payment from a fraud perspective. For some reason, having found the scenario strange, I joined the conversation and asked to see the email they had received.
Both colleagues had thankfully not spotted nor opened the attachment with the email, which had a false file extension added to it e.g. ‘Invoice.pdf.exe’ which looked like it could have been malware. I explained that the email address could also have been spoofed and the file attached definitely appeared suspect, given it appeared to be an execution file and not a PDF document.
Although it was initially challenging to convince the colleagues, due to what appeared to be the spoof email address made to look real, eventually they did agree that this should be raised with the cyber security team. I advised that everyone in the email chain should be contacted using a new separate email, notifying them not to transmit or open the suspect email and its attachment again.
The outcome of the suspect email was never fed back to us following referral to the cyber security team but it highlights just how easily intrusions can occur without vigilance or attention to cyber risks.
On another occasion, having read about the Bangladesh Bank cyber heist the night before, I attempted to warn peers to check if they had any nexus to the parties involved. Hackers had used SWIFT credentials in an attempt to transfer out nearly $1 billion from the Bangladesh Bank’s account at the Federal Reserve Bank of New York to a number of offshore accounts, where $81 million ended up at Rizal Commercial Banking Corporation (RCBC) in the Philippines. It was only due to a typo that the hackers were not successful in removing the full $1 billion. Responses from peers suggested there was no appetite to check nor was there any interest in the case. However, some weeks later I received a text message from one peer thanking me for raising it as it was a point of discussion that day at their institution – I suspected their adverse media screening may have finally picked up the case, albeit some weeks after I had initially advised them to check if they needed to take action.
The cybercrime landscape, just like financial crime, is ever-evolving and changes quickly therefore if anti-financial come professionals haven’t previously saw it as something of concern, then it should be worthy of consideration today – especially against the backdrop of ransomware attacks and the ever-increasing crossover between cryptocurrency transactions and the traditional financial system, for example.
The increased popularity in cryptocurrencies has seen multiple hacks and thefts from exchanges, therefore as well as building resilience of traditional financial systems, focus should turn to the virtual asset-related infrastructure also. Whilst some may argue it is not the correct place for it, notably, guidance from the Financial Action Task Force (FATF) for virtual assets and virtual asset service providers makes no reference to cyber security – even though the IT infrastructure forms a key (and almost unique) part of virtual asset services.
Threats are not limited to finance, there are risks to healthcare, transport, defence and even all aspects of a person’s life (often stored on a mobile phone). As some countries such as the UK consider the introduction of ‘digital identity’ housing everything from an individual’s drivers license to health records, focus on cyber security should be paramount. A major breach of security exposing such records could compromise en masse the safety and security of information belonging to whole populations.
Against the backdrop of recent cybercrime incidents involving state actors and the increased reliance on advancing technology, increased threats from cybercrime have the potential to cause major disruption to not only society and commerce but whole nations. It needs attention at all levels.