Cyber crime inventory and networks in non-ICT sectors
FP7-SEC-2013.2.5-2
Grant Agreement Number 607775
Collaborative Project
E-CRIME
“The economic impacts of cyber crime”
D2.2 Executive summary and brief: Cyber crime inventory
and networks in non-ICT sectors
Deliverable submitted in January in fulfilment of the requirements of the FP7 project, E-CRIME –
The economic impacts of cyber crime
This project has received funding from the European Union’s Seventh Framework Programme for research,
technological development and demonstration under grant agreement n° 607775.
E-CRIME Coordinator:
Trilateral Research &
Consulting (TRI)
Crown House
72 Hammersmith Road
London
14 8TH
T: +44 207 559 3550
www.ecrime-project.eu
Project Acronym E-CRIME
Project full title The economic impacts of cyber crime
Website www.ecrime-project.eu
Grant Agreement # 607775
Funding Scheme FP7-SEC-2013-1
Deliverable number: D2.2
Title: Executive summary and brief: Cyber crime
inventory and networks in non-ICT sectors
Due date: 03/03/15
Actual submission date: 03/03/15
Lead contractor: Tallinn University of Technology
Contact:
Rain Ottis
Authors: Tiia Sõmer, Rain Ottis, Toomas Lepik
Reviewers: INT and TUD
Dissemination Level:
Contents
- Introduction
- Taxonomy and inventory
- Costs of cyber crime
- Cyber criminal revenue
- Legislation
- Culture
- Journey mapping
- Victims of cyber crime
- Cyber crime networks and ecosystem
- Perpetrators of cyber crime
- Conclusion
Introduction
Cyber crime is growing in intensity, and modern criminals seem to have clear, almost business-like objectives. The issue of cyber crime is complex, and in order to understand it better, deeper insight into all the different aspects of cyber crime is needed.
The current deliverable is a part of the E-CRIME project. In this work package, the aim was to analyse the structures and drivers behind cyber crime, their economies and criminal revenue streams; and to develop perpetrator and victim “journeys”. We have provided an overview of the cost of cybercrime and cultural aspects related to cybercrime, and presented journey maps for both victims of cyber crime and the perpetrators of cyber crime. The work undertaken is based on literature review and expert interviews, but also a questionnaire to stakeholders developed as part of the current work.
This report is being published at an early stage in the three-year E-CRIME project because of its significance to other work packages. The results presented above will feed into WP4 on economic impact and analysis, the gap analysis in WP7 and will be used as additional input for determining critical interventions to deter criminals in WP8.
This report presents the results of the work performed in respect of Tasks 2.3 and 2.4 of WP2. Task 2.3 consisted of developing and distributing a questionnaire to key stakeholders in order to collect additional real-life information. The results of this questionnaire were fed into Task 2.4, the aim of which was the mapping of cyber crime “journeys” and structures.
Taxonomy and inventory
The concept of cyber crime is problematic because it is open to a variety of social, political, practical
and scientific interpretations and explanations. The definition adopted for the E-CRIME project initially
was broad, including all cyber activities supporting crime in any aspects. However, in the course of
project development and initial findings, the consortium has redefined the area of research and the
focus for taxonomy and journey mapping to include legal and practical considerations stemming from
the selected non-ICT sectors (i.e., energy, financial services, health, retail, and transport). This was
motivated mostly by the need to develop taxonomy and journey mapping which can effectively be
used as an input for identifying not only practical, but also inter- and cross-sector opportunities or
solutions to manage threats from cyber crime.
For this, the current work had to be firmly based on a shared understanding of what is legally
considered as cyber crime, while at the same time being economically relevant to the identified non-
ICT sectors. In order to do that we have initially used the Council of Europe Convention on Cybercrime
(2001). As a result the work undertaken in this research focused on offences against the confidentiality,
integrity and availability of computer systems and data; computer related offences (forgery, fraud);
and offences related to infringements of copyright and related rights. The consortium decided not to
cover content-related offences, since these are not economically relevant for the non-ICT sectors
selected for the purposes of this analysis; namely energy, financial services, health, retail, and
transport. The final taxonomy developed is presented in Table 1.
| CoE Convention | Alkaabi Subgroup | Alkaabi Crime |
|---|---|---|
| (Article 2) Illegal access | 1A - Unauthorised Access | 1. Hacking |
| (Article 2) Illegal access | 2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain | 3. Privacy |
| (Article 3) Illegal interception | 1D - Theft or Misuse of Services | 2. Misuse of Services |
| (Article 4) Data interference | 1B - Malicious Code | 1. Virus; 2. Worm; 3. Trojan Horse; 4. Software Bomb |
| (Article 4) Data interference | 2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain | 4. Sabotage |
| (Article 5) System interference | 1B - Malicious Code | 1. Virus; 2. Worm; 3. Trojan Horse; 4. Software Bomb |
| (Article 5) System interference | 1C - Interruption of Services | 1. Disrupting Computer Services; 2. Denying Computer Services |
| (Article 5) System interference | 2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain | 4. Sabotage |
| (Article 6) Misuse of devices | 1D - Theft or Misuse of Services | 1. Theft of Services; 2. Misuse of Services |
| (Article 6) Misuse of devices | 2C - Improper Uses of Communications | 1. Harassment; 3. Cyber-stalking; 4. Spamming; 5. Conspiracy; 6. Extortion (not Critical Infrastructure Threats); 7. Drug Trafficking; 8. Social Engineering |
| (Article 7) Computer-related forgery | 2A - Content Violations | 7. Forgery / Counterfeit Documents |
| (Article 8) Computer-related fraud | 2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain | 1. Identity Theft; 2. Online Fraud; 5. Telemarketing / Internet Fraud; 6. Electronic Manipulation of Markets |
| (Article 8) Computer-related fraud | 2C - Improper Uses of Communications | 2. Online Money Laundering |
| (Article 9) Offences related to child pornography | 2A - Content Violations | 1. Child Pornography |
| (Article 10) Offences related to infringements of copyright and related rights | 2A - Content Violations | 5. Copyright Crimes; 6. Intellectual property |
Table 1. E-CRIME cyber crime taxonomy
Costs of cyber crime
An essential element in analysing the impact of cybercrime is to measure its costs. Most studies looked
at for the work within the current research do not provide definitive, widely accepted results. The cost
estimates usually cover known direct costs related to detected cyber crimes, or provide speculative
extrapolations of single cases to overall population. The criminal revenues and direct losses, reported
by the victims, provide important information in relation to cyber crime. Direct losses are the monetary
equivalent of losses and damages directly felt by the victim of a cybercrime. These can be money
withdrawn from victim account, time and effort to reset credentials, but also hidden costs (i.e. distress
suffered). The criminal revenue is the monetary equivalent of the gross receipts from a crime. But
there are also indirect costs of cyber crime: the monetary equivalent of the losses and opportunity
costs imposed on society, such as loss of trust in online banking, reduced trust in electronic
services, or efforts to clean infected devices. An important element is also defence costs, or the monetary
equivalent of prevention (security products, browser extensions, security services, training). Even
though defence costs cannot be attributed to any particular criminal attack, they are still part of overall
cybercriminal costs. As a result of work undertaken, we would like to emphasise the importance of
indirect losses and defence costs in analysing the cost of cyber crime. The collection of new data, to be
conducted in work package 4 and the economic framework to be developed in work package 6 of the
E-CRIME project, should take into account a need to consider indirect and defence costs together with
direct costs.
Cyber criminal revenue
While much is written about the costs of cyber-crime, the headline figures available typically focus on
the negative economic impact to the victims. However, published research into how much profit
specific cyber-criminal entities are making is sparse. The cost to an individual or organisation from a
cyber attack does not directly equate to the amount of tangible profit the cyber-criminal receives.
Based on our research we can conclude that at least some types of cyber-crimes are profitable,
otherwise there would be much less interest in them. However, in order to build an accurate picture
of true numbers of cyber criminal revenue, more openly available research in understanding such costs
and true profitability is required.
Legislation
A successful fight against cyber crime requires a well-working interplay between a number of legal
aspects. This paper looked at substantive and procedural criminal law, investigative measures, regional
and international information exchange, jurisdiction, and operational mechanisms for international
cooperation. Legal aspects are especially important, since cyber crime – in most cases – involves many
jurisdictions, with parts of the crime taking place in different countries.
Culture
Culture can also play a key part in cyber crime. However, the key problem with the investigation of
culture as a motivating factor in cyber crime is that ‘culture’ is not a simple, easily-defined entity. It
involves a wide range of factors, including morality, religion, politics and many other belief systems
and ideologies. The aspect of cultural dimensions in connection with cybercrime is vast and we have
looked at ways this has been linked to cyber crime in existing literature. The use of cultural aspects in
connection with cyber attacks may augment the existing solutions in finding the origin of attacks, but
it would fall outside the scope of this research.
Journey mapping
Central to the work in this research was journey mapping. This ‘map’-style of output has been adopted
and applied within a number of different disciplines where it is often referred to as a script, a
predetermined, stereotyped sequence of actions that define a situation in a particular context. For the
purposes of the E-CRIME project we have developed eight journeys from the victim perspective and nine
journeys from the perpetrator perspective, representing a sequence of events within a select number of
cybercrimes. The selection of journeys was based on commonalities between different crimes as
provided for in existing literature and the results of expert interviews.
Victims of cyber crime
Cyber crime acts are distributed across different cyber crime categories, with victimisation rates higher
than conventional crime. The current research looks at victimisation, before looking at crime victims’
journeys. The cyber crime victim journeys were looked at within three general types of offences
(offences against the confidentiality, integrity and availability of computer systems and data; computer
related offences (forgery, fraud); and offences related to infringements of copyright and related
rights). Within these, we described the relevant cybercrime victim journeys, providing reference to the
corresponding perpetrator journeys.
Victims of cyber crime can be affected through their own action during regular use of information
technology: using e-mail (receiving and opening infected messages, attachments or links), browsing
the web (visiting infected websites), using removable media (infected USB devices, hardware), etc.
Alternatively, one’s devices or systems can become infected, if these are not patched or updated, if
unsupported software or hardware is used, or if systems are poorly managed. Once affected by a
criminal act, the victim will face damages. Their accounts may be hijacked, their identity may be stolen,
they may lose data or intellectual property or it can become unavailable to them, data and devices
may become encrypted, they may suffer direct financial losses, there might be damage to their
reputation, or their computing power and other resources may be abused.
After gaining the victim view on cyber crime and drawing the respective crime journeys, the paper continues
with a look at the perpetrator view. The criminals seem to know which end-results they want to
achieve, and how to reach these goals. They are sometimes willing to spend a lot of time in research
and in planning their actions. On the other hand, a criminal action may also emerge during the course
of other (criminal) activities, by accident. There are also some cyber crimes that do not tangibly benefit
the criminal: attacks related to hacktivism are typically not motivated by personal gain. An illustrative
victim journey can be seen in Figure 1.
Figure 1. General victim journey
The research undertaken within the current project looked at the cyber crime victim journeys from the
Council of Europe’s Cybercrime Convention (2001) as a starting point. We describe the journeys in
cases of offences against confidentiality, integrity and availability; computer related offences (forgery,
fraud); and offences related to infringements of copyright and related rights. Content-related offences
(such as offences related to child pornography) are outside the scope of the current work. Victim
journey maps for the three types of offences are provided.
Cyber crime networks and ecosystem
As it seemed obvious that different organisational structures are involved in cyber crime, we looked at
literature concerning this. The players in black markets come from all over the world, there are
international criminal organisations, but also virtual criminal networks. We looked at four main types
of cyber criminals: international criminal organisations, foreign intelligence agencies (i.e., states),
individuals and small criminal groups, and legitimate organisations. The cyber criminal ecosystem is
very big, there are many players, it is disjointed and constantly changing. Based on the research into
cyber crime journeys, we were able to identify the key roles in the cyber crime networks and economic
structures. However, it has to be noted that one person can perform many roles simultaneously, or
less sophisticated crimes may not require the full range of roles in a criminal ecosystem. Therefore,
the cyber crime network and economic structure map developed for the current research is a
generalization that may not fit each specific criminal network.
It is challenging to describe the entire ecosystem of cyber crime, as it is very big, there are many
players, it is disjointed and constantly changing (RAND Corporation 2014). Based on the research into
cyber crime journeys, we were able to identify the following key roles in the cyber crime networks and
economic structures. However, since the same person or group can perform multiple roles
simultaneously, the resulting map is a generalization that may not fit a specific criminal network. In
addition, some less sophisticated cyber crimes may not need the full range of roles described below.
Therefore, the map should be viewed as a guide and not a strict blueprint (see Figure 2 below).
Figure 2. Cyber crime network and economic structure map (labels shown in the figure: Infrastructure Provider, Criminal Service Provider, Organized Crime, Intermediate victim, Criminal Zero, Developer, Corruption, Black Market, Monetization Service Provider, Victim)
Perpetrators of cyber crime
Having looked at the victim view, and then at cyber crime networks and economic structures, we
continued to look at the perpetrator journeys. Crimes can be seen as a process, where resources are
required and decisions are made, constituting the modus operandi of a crime. From the perspective of
the criminal, we grouped similar actions under broad terms: preparation, execution, and monetization.
The preparation phase of a crime includes pre-attack actions, i.e. initial decision, deciding the
worthiness of attack, identifying victims, and conducting targeted reconnaissance. It also includes the
choice of an attack method, including the cyber criminal undertaking an analysis of their own means
and abilities, and deciding on whether to use outsourcing or buying solutions from such ‘service
providers’. The execution phase includes creating an attack plan and executing the attack, which
consists of entering or interfacing with the target system and the actual criminal activities (i.e.
distributed denial of service (DDoS), extortion, espionage, etc.) themselves. The monetization phase
includes both payment in some form and the laundering of this payment, finally ending in personal
gain for the criminal. In this work, we provide a general crime cycle, and thereafter specific crime cycles
for building a botnet, extortion (ransomware), espionage (APT/ APA), malware development/ 0-day
exploit development, VoIP attacks, cryptocurrency mining, DRM cracking, and click fraud. The selection
of criminal journeys to be mapped within this project was decided after combining initial research with
expert interviews. We believe the journeys mapped within this research cover a wide area of cyber
criminal activities, by representing major criminal modus operandi. These maps help identify the cyber
criminals’ modus operandi, an account of how they operate within a crime cycle from preparation to
monetization and exit.
Figure 3. General cyber crime cycle including motivation
Based on literature review and expert interviews, but also a questionnaire to stakeholders developed
as part of the current work, eight cyber crime journey maps were drawn up:
- Building a botnet;
- Extortion (ransomware);
- Espionage (APT/ APA);
- Malware development/ zero-day exploit development;
- Cryptocurrency mining;
- DRM cracking;
- VoIP attacks;
- Click fraud.
For each journey, a mapping was conducted in three principal phases of cyber crime: preparation,
execution and monetization. These maps help identify the cyber criminals’ modus operandi, an
account of how they operate within a crime cycle from preparation to monetization and exit. They will
also provide a sense of the processes and practices through which cyber crime occurs.
Conclusion
This report stands alone as a specific piece of work relating to the completion of two specific tasks
within work package 2, but it should be remembered that it is one deliverable among many that will
present a comprehensive view of the current state of cyber crime.