Cybercrime

Updates

Facebook revealed on 25 September that it had discovered a security issue affecting millions of accounts. The attackers exploited a vulnerability in Facebook’s code that affected “View As”, a feature that lets users see what their own profile looks like to someone else. The flaw dated from a change made to the video uploader in July 2017: when a user composing a birthday wish post with a video used “View As”, the uploader incorrectly generated an access token, and it generated it for the account the profile was being viewed as rather than for the logged-in user. That access token was exposed in the HTML of the page; the attackers extracted it and used it to log in as the other user (access tokens are what keep users logged in, so no password was needed). Facebook reset the access tokens of the almost 50 million accounts thought to be affected and temporarily disabled the “View As” feature. On 12 October, Facebook announced that the attackers had actually stolen access tokens for about 30 million people, 20 million fewer than previously thought. For 15 million people, the attackers accessed name and contact details (phone number, e-mail address, or both). For 14 million people, they accessed name and contact details as well as other details people had on their profiles, including username, gender, religion and birthdate. For 1 million people, the attackers did not access any information.
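How three individually small mistakes compose into account takeover is easier to see in code. The following is an added, simplified model written for this page, not Facebook’s code: a profile renderer that, in “View As” mode, still shows the birthday-video uploader, mints an access token for that uploader, and mints it for the displayed identity instead of the logged-in session, beside a hardened renderer that keeps previews credential-free and binds every token to the authenticated user. All names (Session, Page, render_profile_vulnerable, render_profile_hardened, the HMAC signing key) are assumptions made for the illustration.

```python
"""Simplified model of a 'view as' preview that mints a credential for the wrong
principal, beside a hardened version. Added illustration, not Facebook's code;
every name below is an assumption made for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

SIGNING_KEY = b"demo-server-side-key"   # constructed for the example


@dataclass
class Session:
    viewer: str                          # the account that is actually logged in


@dataclass
class Page:
    owner: str                           # whose profile is rendered
    shown_as: str                        # identity the page is rendered for
    widgets: List[str] = field(default_factory=list)
    tokens: List[str] = field(default_factory=list)   # bearer tokens embedded in the HTML


def mint_token(subject: str) -> str:
    """Bearer token naming `subject`, HMAC-signed so the subject can be checked later."""
    body = f"{subject}:{secrets.token_hex(4)}"
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{sig}"


def token_subject(token: str) -> Optional[str]:
    """Return the account a token grants access to, or None if the signature is bad."""
    body, _, sig = token.rpartition(":")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(sig, expected):
        return None
    return body.split(":", 1)[0]


def render_profile_vulnerable(session: Session, view_as: Optional[str] = None,
                              birthday_video: bool = False) -> Page:
    """The buggy pattern: the user's own profile, rendered as `view_as` would see it."""
    shown_as = view_as or session.viewer
    page = Page(owner=session.viewer, shown_as=shown_as)
    # Mistake 1: the preview is meant to be read-only, yet the birthday-video
    # composer is still rendered while in 'view as' mode.
    if birthday_video:
        page.widgets.append("video_uploader")
        # Mistake 2: the uploader mints an access token so the client can post.
        # Mistake 3: the token is minted for the identity the page is shown *as*,
        # i.e. the other user, and written into the page source.
        page.tokens.append(mint_token(shown_as))
    return page


def render_profile_hardened(session: Session, view_as: Optional[str] = None,
                            birthday_video: bool = False) -> Page:
    """Fix: previews carry no credential-bearing widgets, and any token minted
    anywhere is bound to the authenticated session, never to the displayed identity."""
    shown_as = view_as or session.viewer
    page = Page(owner=session.viewer, shown_as=shown_as)
    if view_as is not None:
        return page                      # read-only preview: no composer, no token
    if birthday_video:
        page.widgets.append("video_uploader")
        page.tokens.append(mint_token(session.viewer))   # subject == logged-in user
    return page


if __name__ == "__main__":
    attacker = Session(viewer="attacker")
    leaked = render_profile_vulnerable(attacker, view_as="victim", birthday_video=True)
    print("vulnerable preview embeds a token for:", [token_subject(t) for t in leaked.tokens])
    safe = render_profile_hardened(attacker, view_as="victim", birthday_video=True)
    print("hardened preview embeds tokens:", safe.tokens)
```

The third mistake is the one that turns a leaked token from a nuisance into impersonation, which is why the hardened version binds every token to the session principal rather than merely keeping it out of the HTML.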


The National Cyber Security Centre (NCSC) of the United Kingdom has attributed a “campaign of indiscriminate and reckless cyber attacks” to the GRU, the Russian military intelligence service. UK Foreign Secretary Jeremy Hunt said the GRU’s actions demonstrate “their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences”. The NCSC listed 12 names under which GRU hackers have been tracked by the security community, among them APT 28, Fancy Bear, Sofacy, Voodoo Bear and CyberCaliphate (previously thought to be affiliated with ISIS). The NCSC assessed with “high confidence” that the GRU was also “almost certainly responsible” for the BadRabbit ransomware of 2017, the 2016 release of confidential files on international athletes stolen from the World Anti-Doping Agency (WADA), and the 2016 attacks on the servers of the US Democratic National Committee. The NCSC also stated that the GRU attempted to compromise the computer systems of the UK Foreign and Commonwealth Office (FCO) via a spear-phishing attack and to gain access to the systems of the UK Defence Science and Technology Laboratory (DSTL). At the same time, UK Prime Minister Theresa May and Dutch Prime Minister Mark Rutte issued a joint statement attributing the cyber attacks on the Organisation for the Prohibition of Chemical Weapons (OPCW) to the GRU. Australia and New Zealand supported the NCSC’s findings; the Russian Ambassador in London has since denied the claims. As some specialists point out, the attributions come at a time of heated debate in the UN General Assembly around Russian proposals on the future of the UN Group of Governmental Experts and on possible international treaties on cybersecurity and cybercrime.

Europol published its Internet Organised Crime Threat Assessment (IOCTA) 2018, which gives an overview of current and emerging trends in cybercrime in Europe. According to the report, ransomware remains the key malware threat in 2018, and distributed denial of service (DDoS) attacks are still among the most frequent types of cyber-attack. Cryptojacking is an emerging trend, and as criminal abuse of cryptocurrencies grows, currency users and exchanges become targets of cybercriminals. Payment fraud is dominated by card-not-present fraud, and online criminal markets are unstable but will continue to exist. The significance of social engineering for cybercrime continues to grow, and the volume of online child sexual exploitation material continues to increase. The so-called Islamic State (IS) continues to use the Internet to spread propaganda and to inspire acts of terrorism, but its sympathisers are not skilled enough to create their own cyber-attack tools.

According to a new FireEye report, 1 in 101 e-mails is sent with malicious intent. FireEye examined more than half a billion e-mails between January and June 2018 and concluded that the majority of e-mails organisations receive daily are spam or malicious, with only 32% of traffic considered clean and delivered to an inbox. Of the attacks blocked, 90% were malware-less and only 10% contained malware, which FireEye reads as a sign that cybercriminals are adapting their attacks. The report also names impersonation e-mails as the go-to method of cybercriminals and describes a newer variant: impersonation e-mails containing links that lead to phishing sites.

British Airways reported that hackers stole personal and financial data of its customers from its website and mobile app. The customers affected are those who made bookings on the British Airways website or app between 21 August and 5 September. Names, billing addresses, e-mail addresses and payment card details were at risk, with around 380,000 payment cards compromised. The stolen data did not include travel or passport details.

More than 7,500 MikroTik routers have been compromised by an attacker, Netlab 360 researchers report. The attacker is actively eavesdropping on these devices: their packet-sniffer streaming function has been switched on and the captured traffic is being forwarded, as TZSP streams, to a few collecting IP addresses. The vulnerability exploited is the known Winbox any-directory file read flaw, CVE-2018-14847, which the same attacker also used to enable a Socks4 proxy on routers. MikroTik patched it in April 2018 (RouterOS 6.42.1), but many devices were never updated: the researchers count about 370,000 MikroTik devices still vulnerable to CVE-2018-14847. MikroTik users are advised to update their devices and to check whether the HTTP proxy, Socks4 proxy and traffic-capture (sniffer) functions have been enabled without their knowledge.
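One way to perform the recommended check offline is to audit a router’s /export output for the three features the attacker enabled. The script below is an added example written for this page, not Netlab’s or MikroTik’s code; the sections and parameters it looks for (/ip socks enabled, /ip proxy enabled, /tool sniffer streaming-enabled and streaming-server) follow RouterOS’s export syntax, and the sample configuration is constructed, using documentation (TEST-NET) addresses.

```python
"""Audit a MikroTik RouterOS `/export` dump for the three features abused in the
campaign described above. Added example, not Netlab's or MikroTik's code; the
sample export is constructed and uses documentation (TEST-NET) addresses."""
import shlex
from typing import Dict, List, Tuple

# section -> (flag that means "on", parameter worth reporting, description)
INDICATORS = {
    "/ip socks":     ("enabled", "port", "SOCKS4 proxy enabled"),
    "/ip proxy":     ("enabled", "port", "HTTP proxy enabled"),
    "/tool sniffer": ("streaming-enabled", "streaming-server",
                      "packet sniffer streaming (TZSP) to a remote collector enabled"),
}
VERBS = {"set", "add"}

Entry = Tuple[str, str, Dict[str, str]]   # (section, verb, {parameter: value})


def parse_export(text: str) -> List[Entry]:
    """Turn export text into (section, verb, parameters) entries.

    Handles both layouts RouterOS produces: a section line followed by
    `set`/`add` lines, or the one-line form `/ip socks set enabled=yes`.
    Long lines wrapped with a trailing backslash are joined first."""
    entries: List[Entry] = []
    section, pending = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: keep accumulating
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        tokens = shlex.split(line)              # respects quoted values
        if tokens[0].startswith("/"):
            split_at = next((i for i, t in enumerate(tokens) if t in VERBS), len(tokens))
            section = " ".join(tokens[:split_at])
            tokens = tokens[split_at:]
            if not tokens:
                continue
        verb, params = tokens[0], {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                params[key] = value
        entries.append((section, verb, params))
    return entries


def audit(text: str) -> List[str]:
    """Return one finding per indicator feature that is switched on."""
    findings = []
    for section, verb, params in parse_export(text):
        if section not in INDICATORS or verb != "set":
            continue
        flag, detail_key, description = INDICATORS[section]
        if params.get(flag) == "yes":
            detail = params.get(detail_key)
            suffix = f" ({detail_key}={detail})" if detail else ""
            findings.append(f"{section}: {description}{suffix}")
    return findings


# Constructed sample export: HTTP proxy off, SOCKS on, sniffer streaming to a collector.
SAMPLE_EXPORT = """\
# sep/18/2018 12:00:00 by RouterOS (constructed sample, not a real device)
/ip proxy
set enabled=no
/ip socks
set enabled=yes port=4153
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.10 filter-ip-protocol=tcp \\
    filter-port=20,21,25,110,143,8080
/system clock
set time-zone-name=UTC
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["no indicator features enabled"]:
        print(finding)
```

Run it against a real export (saved from the device with /export file=…) to get one line per enabled feature, including the collector address the sniffer streams to; an empty result means none of the three functions is on, not that the device is patched, so the RouterOS version still has to be checked separately.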

Cybercrime is crime committed via the Internet and computer systems. One category of cybercrime covers offences affecting the confidentiality, integrity and availability of data and computer systems: unauthorised access to computer systems, illegal interception of data transmissions, data interference (damaging, deleting, deteriorating, altering or suppressing data), system interference (hindering without right the functioning of a computer or other device), forgery, fraud and identity theft.

Other types of cybercrime are content-related and involve the production, offering, distribution, procurement and possession of online content deemed illegal under national laws: online child sexual abuse material, material advocating a terrorist act, extremist material (material encouraging hate, violence or acts of terrorism), and cyber-bullying (engaging in offensive, menacing or harassing behaviour through the use of technology).


Combating cybercrime is part of a broader cybersecurity approach aimed at ensuring Internet safety and security.

Cybercrime: Threats and attacks

The techniques used to carry out the types of cybercrime that affect the confidentiality, integrity and availability of data and systems are very diverse and increasingly sophisticated. Some of the most widespread include:

Malicious software: viruses, spyware and other unwanted software installed on computers and other devices without permission, which performs unwanted tasks, usually for the benefit of the attacker. Such programs can damage devices, steal personal information, monitor and control online activity, send spam, commit fraud and infect other machines on the network. They can also leave devices open to further infection and deliver unwanted or inappropriate online advertisements.

Viruses, trojan horses, adware and spyware are all types of malware. A virus can replicate itself and spread to other devices without the user being aware. Although some viruses stay dormant, most are intended to interfere with data or with the performance of devices (reformatting the hard disk, using up memory, etc.). A trojan horse is malware disguised as legitimate software; users are typically tricked by some form of social engineering into loading and executing it. Once activated, a trojan can let criminals spy on the user, steal sensitive data and gain backdoor access to the system. Adware collects marketing data and other information without the user's knowledge, or redirects search requests to particular advertising websites. Spyware monitors users, gathers information about them and transmits it to interested parties without the user being aware; the information gathered can include the websites visited, browser and system information and the computer's IP address, as well as more sensitive data such as e-mail addresses and passwords. Malware can also hijack the browser, modifying its settings without permission: creating desktop shortcuts, displaying advertising pop-ups, or replacing the existing home page or search page with other pages.

Botnets: botnets are networks of hijacked computers that perform remotely commanded tasks without the knowledge of their owners. A computer becomes a bot after being infected with a specific type of malware that allows remote control. Botnets are used for a wide variety of crimes and attacks: distributing spam, spreading malware infections to more computers, committing pay-per-click fraud and identity theft. One of the most worrying uses of botnets is to perform distributed denial of service (DDoS) attacks.

Researchers and cybersecurity companies have warned that botnets are becoming the biggest Internet security threat, since they amplify the effects of viruses and other malicious programs, increase information theft and boost denial of service attacks. As an illustration of the scale of the threat, the Simda botnet, taken down in April 2015, had infected computers in 190 countries and used 14 command-and-control servers in five countries.

Denial of service (DoS) attacks: these attacks flood a computer or website with traffic so that it can no longer function properly. The aim is to exhaust the resources available to a network, application or service so that legitimate users cannot reach it. They are more often aimed at businesses than at individuals. A distributed denial of service (DDoS) attack is one in which many compromised computers attack a single target at once.

A DoS attack does not usually result in theft of information or other security loss, but it can cost the affected organisation or individual money and time through its effects: particular network services becoming unavailable, websites ceasing to operate, targeted e-mail accounts being prevented from receiving legitimate e-mail, and so on.
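A point the definition above glosses over is why the distributed form matters for defenders: a per-source rate limit catches one flooding host, but a flood spread across many hosts keeps each source under that limit and only shows up in the aggregate request rate. The following added example (not from the original page) runs both checks over constructed web-server access-log lines; the window, the thresholds and the sample traffic are assumptions chosen for the illustration.

```python
"""Rate-based flood detection over web-server access logs: a per-source window
catches a single flooding host, while a flood spread across many hosts only trips
the aggregate window. Added example with constructed log lines; window and
thresholds are assumptions."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"          # Common Log Format timestamp


def parse(line: str) -> Optional[Tuple[str, datetime]]:
    """(client IP, timestamp) for a Common Log Format line, None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect(lines: Iterable[str], window_s: int = 10,
           per_source_max: int = 50, aggregate_max: int = 500) -> Dict[str, object]:
    """Sliding-window request counts per source and overall.

    A source exceeding per_source_max requests in the window is a single-source
    flood. The aggregate exceeding aggregate_max while no single source is over
    its own limit is the distributed pattern; the first timestamp at which that
    happens is returned (None if it never does)."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    per_source: Dict[str, deque] = defaultdict(deque)
    recent: deque = deque()                 # (timestamp, ip) across all sources
    single_source, distributed_at = set(), None
    for ip, ts in events:
        cutoff = ts - timedelta(seconds=window_s)
        q = per_source[ip]
        q.append(ts)
        while q[0] < cutoff:                # evict requests that left the window
            q.popleft()
        recent.append((ts, ip))
        while recent[0][0] < cutoff:
            recent.popleft()
        if len(q) > per_source_max:
            single_source.add(ip)
        if distributed_at is None and len(recent) > aggregate_max:
            busiest = Counter(src for _, src in recent).most_common(1)[0][1]
            if busiest <= per_source_max:   # over the limit in total, nobody individually
                distributed_at = ts
    return {"single_source": single_source, "distributed_at": distributed_at}


# ---- constructed sample traffic (documentation address ranges) ----
T0 = datetime(2018, 9, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip: str, ts: datetime, path: str = "/") -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample() -> List[str]:
    lines = []
    # baseline: 20 clients, one request per second for 10 s (200 lines)
    for i in range(20):
        for s in range(10):
            lines.append(make_line(f"192.0.2.{i + 1}", T0 + timedelta(seconds=s)))
    # single-source flood: one host sends 120 requests in 5 s
    for k in range(120):
        lines.append(make_line("198.51.100.7", T0 + timedelta(seconds=20, milliseconds=40 * k)))
    # distributed flood: 150 hosts, 4 requests each, 600 requests in about 8 s
    for i in range(150):
        for k in range(4):
            ts = T0 + timedelta(seconds=40, milliseconds=13 * (4 * i + k))
            lines.append(make_line(f"203.0.113.{i + 1}", ts))
    return lines


if __name__ == "__main__":
    result = detect(build_sample())
    print("single-source flood from:", sorted(result["single_source"]))
    print("distributed flood first seen at:", result["distributed_at"])
```

On the sample, only 198.51.100.7 trips the per-source limit, while the 150-host flood never puts any one address above 4 requests in the window and is caught solely by the aggregate count; in production the same structure is what makes blocking a single IP sufficient against the first pattern and useless against the second.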

Legal frameworks

Since cybercrime transcends borders, legal frameworks need to be harmonised among countries, which requires improved international cooperation. Such cooperation may be bilateral, regional, continental or universal.

Most bilateral agreements on law enforcement take the form of Mutual Legal Assistance Treaties (MLATs), which provide an effective tool for cross-border investigation and prosecution.

At the regional level, various regional blocs have developed cybercrime legislation frameworks for their regions. The Organization of American States (OAS) created a framework of guidelines to manage cybercrime as early as 1999. In 2011 the Economic Community of West African States (ECOWAS) adopted a directive on fighting cybercrime, and in the same year the Common Market for Eastern and Southern Africa (COMESA) presented its Cybersecurity Draft Model Bill. In June 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection.

Several international frameworks have been created to fight cybercrime, the most prominent being the Council of Europe's Convention on Cybercrime (Budapest Convention), which contains provisions on substantive offences, procedural law and international cooperation among countries.

Combating cybercrime

Applying technical solutions to combat cybercrime has always been the preferred option for most cybersecurity experts. However, most law enforcement personnel lack the requisite technical knowledge, while most cybercriminals are experts in computer technology. Various organisations, such as the United States Department of Justice and the International Telecommunication Union (ITU), have set up capacity-building programmes on legislative drafting and the prosecution of cybercrime for developing countries in Africa, the Caribbean and the Pacific, as well as for other countries.

As measures to combat cybercrime continue to multiply, various organisations have established their own structures for cybersecurity. It is not uncommon for private organisations to have in-house rules on the acceptable use of their networks and to educate their clients or staff on cybercrime issues. Some groups of organisations have also set up Computer Emergency Response Teams (CERTs) to assist with the technical handling of cybercrime, especially attacks targeted at computer networks.

Several multinational organisations have also contributed to the fight against cybercrime. These organisations have a unique role as some of them control the infrastructure on which the Internet runs, and include the US National Cyber Security Alliance and INTERPOL.

Other regional legal instruments include the League of Arab States Convention on Combating Information Technology Offences (2010), the Shanghai Cooperation Organisation Agreement on Cooperation in the Field of International Information Security, and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014).

At the global level, the UNODC is the leading organisation, with a set of international instruments to fight cybercrime. Since cybercrime often involves organised groups, the UN Convention against Transnational Organized Crime, for which the UNODC is the guardian, can also be used in the fight against cybercrime. INTERPOL facilitates a global network of 190 national police organisations, which plays a key role in the cross-border investigation of cybercrime. The ITU facilitates the World Summit on the Information Society (WSIS) implementation process on building confidence and security in the use of ICTs, under its Global Cybersecurity Agenda.

Events

Actors

(CoE)

The Council of Europe has been actively involved in policy discussions on the issue of net neutrality. In 2010, the Committee of Ministers adopted a Declaration on network neutrality declaring its commitment to the principle of net neutrality. Later on, and in line with the Council’s Internet Governance Strategy, the Committee adopted a Recommendation on protecting and promoting the right to freedom of expression and the right to private life with regard to network neutrality, calling on member states to safeguard net neutrality in legal frameworks. Issues related to net neutrality and its connections with human rights are also tackled in events organised and studies conducted by the Council.

(Spamhaus)

Spamhaus’s work focuses on tracking spam and providing realtime actionable threat intelligence to the Internet’s major networks, corporations, and security vendors. It also works with law enforcement agencies to identify and pursue spam worldwide. It maintains several realtime threat and reputation blocklists which protect over two billion user mailboxes and block the vast majority of spam and malware sent out on the Internet. In addition, the organisation publishes regularly updated statistics on issues such as: spam enabling countries, Internet service providers with the worst reputation for hosting spam operations, top-level domains with the worst reputation for spam operations.

(ITU, UIT)

The ITU Telecommunication Standardization Sector (ITU-T) develops international standards (called recommendations) covering information and communications technologies. Standards are developed on a consensus-based approach, by study groups composed of representatives of ITU members (both member states and companies). These groups focus on a wide range of topics: operational issues, economic and policy issues, broadband networks, Internet protocol based networks, future networks and cloud computing, multimedia, security, the Internet of Things and smart cities, and performance and quality of service. The World Telecommunication Standardization Assembly (WTSA), held every four years, defines the next period of study for the ITU-T.

(M3AAWG)

The M3AAWG began as an anti-spam consortium but has evolved to focus on the root causes of the problem, from bots and malware to spyware and distributed denial of service (DDoS) attacks. Styled as a forum that works under the Chatham House Rule, the M3AAWG develops policy comments and industry best practices. In direct relation to spam, it has most recently released instructional videos on the Canadian Anti-Spam Law. Other spam-related initiatives include the India Anti-Abuse Working Group and various meetings and events focused on ways to tackle spam challenges.


Instruments

Conventions

International Telecommunication Regulations (WCIT-12) (2012)
Convention on Cybercrime (Budapest Convention) (2001)

Resolutions & Declarations

Wuzhen World Internet Conference Declaration (2015)
ITU Resolution 52: Countering and combating spam (2012)
IPU Resolution on the Contribution of new information and communication technologies to good governance, the improvement of parliamentary democracy and the management of globalization (2003)

Standards

Recommendation ITU-T X.1240 - ‘Technologies involved in countering e-mail spam’ (2008)

Other Instruments

UNODC Comprehensive Study on Cybercrime (2013)
Directive on fighting cybercrime within ECOWAS (2011)

Resources

Publications

Internet Governance Acronym Glossary (2015)
An Introduction to Internet Governance (2014)

Papers

Fighting Spam by Breaking the Economy of Advertising by Unsolicited Emails (2015)
The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape (2014)

Reports

Rule of Law and Democracy in the Digital Society: Challenges and Opportunities for Europe (2018)
Digital Dangers – Responding to the illicit wildlife trade online: what do we know? (2018)
Towards a secure cyberspace via regional co-operation (2017)
Comparative analysis of the Malabo Convention of the African Union and the Budapest Convention on Cybercrime (2016)
One Internet (2016)
Kaspersky Security Bulletin. Spam and Phishing in 2015 (2016)
Stocktaking, Analysis and Recommendations on the Protection of CIIs (2016)
The Global Risks Report 2016 (2016)
National Security Implications of Virtual Currency. Examining the Potential for Non-state Actor Deployment (2015)
Best Practice Forum on the Regulation and Mitigation of Unsolicited Communications (2015)
Best Practices to Address Online, Mobile, and Telephony Threats (2015)
A Survey on the Transposition of Directive 2011/93/EU on Combating Sexual Abuse and Sexual Exploitation of Child and Child Pornography (2015)
Global Cybersecurity Index & Cyberwellness Profiles (2015)
Best Practice Forum on Regulation and Mitigation of Unsolicited Communications (e.g. “spam”) (2014)
Quarterly Spam Reports
Infoblox DNS Threat Index

GIP event reports

Applying Technology to Reinforce Security and Promote Development (2018)
DNS Quo Vadis – Addressing Challenges and the Future Functionality of the DNS (2018)
Big Data and Conflict Prevention: Balancing Opportunities with Challenges (2017)
Recent Cyber Incidents - Patterns, Vulnerabilities and Concerns (2017)
Looking Ahead: What to Expect in the Cyber Realm (2017)
DNS Abuse Discussions at ICANN60 (2017)
Global Survey of Internet User Perceptions (2017)
Cybersecurity and Cybercrime: New Tools for Better Cyber Protection (2017)
Report for World Economic Forum Annual Meeting 2017 (2017)

Other resources

The Twitter Rules (2016)
Combating Spam and Mobile Threats - Tutorials (2016)
Symantec 2015 Internet Security Threat Report (2015)
Combating Spam: Policy, Technical and Industry Approaches (2012)
The Top 10 Worst
Symantec Monthly Threat Report
M3AAWG Best Practices
Global Spam Map
Global Legal Summaries about Regulatory and Policy Updates Related to Digital Advertising

Processes


WSIS Forum 2018

12th IGF 2017

WSIS Forum 2017

IGF 2016

WSIS Forum 2016

WSIS10HL

IGF 2015

WSIS Forum 2016 Report

Session 161, on Cyberlaw, Bitcoins, Blockchains, Cybercrimes & Darknet, looked at the obstacles faced in enforcing existing national cyber-related laws, such as the multiple jurisdictions that apply to cloud and web content (especially on the dark web) and to generic top-level domains (gTLDs) and internationalised domain names (IDNs), the unclear ownership of personal data collected by gadgets such as wearables and stored in the cloud, and the criminal misuse of new technologies such as bitcoin and other cryptocurrencies.

WSIS Forum 2016 Report

Spam-related challenges faced by emerging economies were discussed in Spam: Understanding and Mitigating the Challenges Faced by Emerging Internet Economies (session 152). The session underlined that spam has become a complex issue, as it is increasingly associated with malicious content, and that emerging economies may not have the technical, human and financial resources to fight it. Possible ways to break the vicious cycle of spam generation were discussed (spam filtering, intrusion detection, antivirus software and patching, and user education), and reference was made to the key areas emerging economies need to work on to combat spam: legislation (with clear rules in place), staff (with technical and legal expertise), and tools.
