2011 EECTF European Cybercrime Survey



Summary

EXECUTIVE SUMMARY ... 6
1 INTRODUCTION AND FOCUS OF THE SURVEY ... 8
1.1 Cybercrime and cyberfraud ... 8
1.2 Purpose of the survey ... 10
1.3 EECTF, a task force against cybercrime ... 11
2 THE SURVEY METHOD ... 12
2.1 Categories of participants ... 12
2.2 Data collection ... 13
2.3 Analysis of the data and presentation of the results ... 14
3 ANALYSIS OF CONTEXT ... 15
3.1 Cyber fraudsters, victims and attack vectors ... 16
3.1.1 Fraudsters: organisations and roles ... 17
3.1.2 The victims of the attacks ... 18
3.1.2.1 Differentiation of the victims attacked ... 18
3.1.2.2 Geographic differentiation of the attacks ... 19
3.1.3 Some of the most commonly used attack vectors ... 20
3.1.3.1 Malware ... 20
3.1.3.2 Botnets ... 20
3.1.3.3 Spam ... 21
3.1.3.4 Phishing ... 22
3.1.3.5 The compromising of business systems ... 23
3.1.3.6 Compromised websites and the drive-by download ... 24
3.1.3.7 Toolkits ... 24
3.1.3.8 Blogs and social networks as “unwitting vectors” ... 25
3.2 A structured marketplace ... 26
3.2.1 The fragmentation and specialisation of the skills ... 26
3.2.2 Various channels for proposing underground services ... 27
3.2.3 Different services at different prices ... 28
4 SURVEY RESULTS ... 30
4.1 Comments on the extent of the phenomenon ... 30
4.2 The targets of the attacks: victims and assets involved ... 32
4.2.1 Types of victims attacked ... 32
4.2.2 Use of data to create complete identities ... 33
4.2.3 Methods of choosing the victims ... 35
4.3 Attack vectors ... 36
4.3.1 Most common and emerging attacks ... 37
4.3.2 Relationship between attack and target information ... 38
4.3.3 Choosing the level of complexity of the attack ... 40
4.4 Efficacy of attacks and detection ... 41
4.4.1 Efficacy of various types of attack ... 41
4.4.2 Perception by the various parties of the methods which can be used to attack them ... 42
4.4.3 Propensity of victims to report the attack ... 44
4.4.4 Methods and timescales for detecting attacks ... 46
4.4.5 The role of the technological outsourcer and the security solution provider ... 48
4.4.6 The role of audit and compliance activities ... 48
4.5 Performance and outcome of the investigations ... 50
4.5.1 Efficacy of the investigations and typical results ... 50
4.5.2 The investigation techniques and the role of the preliminary analysis user/business side ... 53
4.5.3 Collaboration between the victims attacked and the law enforcement authorities (efficacy and limits) ... 55
4.5.4 Collaboration between the various law enforcement authorities in Europe (channels and limits) ... 56
5 FINAL OBSERVATIONS ... 58
5.1 Key elements emerging during the survey ... 58
5.2 Anatomy of a cyberfraud attack ... 61
5.3 The EECTF’s role and its contribution to fighting cybercrime ... 63
Bibliography ... 65
Glossary ... 66


Executive Summary

Cybercrime is a criminal phenomenon centred on the abuse of information technology, and its manifestations range from cyber terrorism to industrial espionage. Cybercrime today is a particularly extensive and complex phenomenon expressed via an intricate ecosystem of operators, victims and instruments which, over the years, has acquired a complex organisational hierarchy. This survey examines a particular type of cybercrime, called “cyberfraud”. Cyberfraud differs from other cybercrimes, for example, because of the undue profits enjoyed by the fraudster, gained by illegally manipulating IT systems, or for other peculiarities based on the legislation in force in the various countries. The European Electronic Crime Task Force decided to explore the dynamics of cyberfraud at European level in 2010, setting itself the following specific objectives in this report:

• provide an overview of cyberfraud by studying the most up-to-date reports on the phenomenon. This analysis is a reference for subsequent comments on the results of the survey;
• analyse the differences between cybercrime as it really is and cybercrime as it is perceived by operators: the perspectives of individuals, companies and the law enforcement authorities in particular were taken into consideration;
• understand whether there are essential differences, objective or perceived, between countries with regard to the methods used to carry out cyberfraud;
• analyse the methods for fighting cybercrime and associated problems. More specifically, the survey examines the issue of collaboration between the various operators involved, and the influence that the co-operation models may have on the effectiveness of the action taken to fight the phenomenon.

The survey has brought together the contribution of those who operate in the field of IT security and those who belong to bodies and organisations which are particularly affected by cyberfraud or committed to fighting it. More specifically, the participants were chosen from the law enforcement authorities, security solution providers, intelligence agencies, experts and companies of international importance. The visibility of certain stakeholders within the scenario of cybercrime in the United States has also made it possible to compare a number of elements from the European context with those on the other side of the Atlantic. The survey contributes to defining four fundamental theme-based areas of cybercrime, both according to objective data and the perceptions of the participants:

• the victims of attacks and the reasons why they are attacked;
• how attacks are carried out;
• the efficacy of the attacks and how they are discovered;
• how investigations are carried out and with what results.

The survey begins by describing the nature of cybercrime today, before focusing on the context of modern cyberfraud. This analysis clearly reveals two trends: a sharp differentiation in crime (geographic customization of worldwide attacks, attack vector and the evolution of the community), and the increasing focus on profits, with the continual evolution of criminal organisations into increasingly better organised structures, along with a healthy black market for the purchase and sale of illegal services and information. An analysis has been made on the basis of the responses provided by the participants, which reveals the following key factors:

• a marked discrepancy between the actual situation and the perception of cyberfraud by those parties that fall victim to it or fight against it. This is also aggravated by the extremely dynamic nature of the cybercrime environment, which does not permit the consolidation of methods which are always effective and the “sedimentation” of expertise. Users often represent the “weak link” in the chain fighting fraud, but businesses also often do not have a complete perception of the risks which they are subject to.
• the key role of malware in implementing any type of fraud, increasingly relevant given the growing pervasiveness of ICT. Unfortunately, the increasing efficacy of malicious software, its growing versatility, its greater ability to mimic and the ease with which it can be disseminated are all elements which facilitate the implementation of massive attack campaigns. These vary greatly in nature, ranging from the exploitation of configuration errors in systems to sophisticated examples of social engineering.
• business logic as a driver for fighting cyberfraud, which is increasingly perceived as a “risk factor” by businesses and therefore included in risk management plans. This represents a positive element, as it enables the introduction of countermeasures. However, there is a “residual” threshold in all risk plans which is generally tolerated since the cost of reducing it further outweighs the costs linked to the risk itself.
• the growing acknowledgment of the skills of the law enforcement authorities tasked with handling cases of cyberfraud. Particularly for private users, law enforcement authorities increasingly represent the first point of contact they can go to for assistance. By contrast, greater reluctance is noted with regard to businesses in making any attacks they have fallen victim to official, unless these fall within the spheres in which it is mandatory to report the same, or unless the attacks have already been reported by their clients. The phenomenon is however progressively decreasing.
• the growing demand and need for collaboration between the parties involved in the fight against cyberfraud, so as to make the fight against cybercrime more effective and capable of more fully responding to the dynamics of the phenomenon. A positive contribution to the fight against cybercrime could come from a round table for the fast, efficient and bureaucracy-free exchange of information.

As a rule, the number of cyberfraud attacks is rising sharply, but the average profit per attack is dropping, at least for certain types of fraud. This might be explained by the increasing awareness of users and the proliferation of effective countermeasures against the most common attacks. Therefore, the economic damage of cyberfraud is not proportionate to the intensity of the attacks. This has resulted in an increase in the number of attempts to compromise systems: cyber fraudster organisations must raise the intensity of attacks to maintain their profits.

From a geographical point of view, cybercrime is a phenomenon that has practically no limits: cybercrime instruments are widespread in all countries in an undifferentiated manner. The majority of criminals seem to limit themselves to choosing techniques that are of sufficient complexity to overcome the countermeasures implemented in a specific nation, preferring richer countries and more dynamic economies.

The theme of collaboration between various bodies represents a sort of common thread between the various theme-based areas defined in the survey. This topic is analysed in further depth by asking participants about the role played by organisations such as the European Electronic Crime Task Force in furthering and enhancing the collaboration between the various parties involved in the fight against cybercrime. First and foremost, this role involves strengthening the relationships between members. Another important theme is the promotion of training initiatives, mainly aimed at less technical parties. On a more general note, the EECTF is also seen as a useful source for inspiration relating to new types of cyber threats or known threat trends. The EECTF intends to be a reference point for active and effective collaboration between the main players as regards operations in the fight against cybercrime.


1 Introduction and focus of the survey

This survey examines the phenomenon of cyberfraud at European level. The study brings together information from literature and a series of data collated directly by interviewing some of the main European and global operators involved in the fight against cybercrime. The following sections will provide an initial introduction to the phenomenon and describe the aims of the work.

1.1 CYBERCRIME AND CYBERFRAUD

A cybercrime is a type of crime that involves the abuse of information technology [1]. The term cybercrime covers a series of crimes which range from cyber terrorism to industrial espionage. Cybercrime is an extensive phenomenon expressed via an intricate ecosystem of operators, victims and instruments. Over the years, in fact, cybercrime has acquired a hierarchical and international organisation, with a genuine “black market” for the commerce of data, tools and skills. As the instruments have become more streamlined, the expertise required to access the world of cybercrime has lowered: whereas cybercrimes were once perpetrated by groups of “black hats”¹, today anyone with minimum technical skills can download and use instruments in order to carry out all types of attacks, from anywhere in the world. Today’s cybercrimes are characterized by these two aspects (Figure 1): on the one hand, crimes can take numerous different forms in terms of expertise and attacks; on the other hand there is a series of well-structured schemes and mechanisms that typically characterise organisations and markets focused on profit. This survey focuses on the study of a specific cybercrime called “cyberfraud”. Cyberfraud differs from other cybercrimes due to the presence of undue profits, obtained by altering the functioning of an IT system or interfering in any way with data, information or programmes without the right.

In general, cyber fraudsters generate profits in two ways:
• by altering the functionalities of the computer systems of users and organisations so they are able to take control of them, for example by arranging bank credit transfers to their own accounts or manipulating the output shown to the user, so that they do not become aware of any anomalies in the transactions;
• by stealing information and credentials which can be used for moving money around, such as credit card numbers or access codes to home banking services.

Figure 1. Cybercrime today: conceptual diagram.

The ways in which the fraudster operates vary from case to case, and evolve over time in order to get round the countermeasures which organisations and users set up. The following paragraphs contain a description of some of the most common types of cyberfraud, which will be covered by this survey.

Theft of home banking credentials and other payment instruments
Home banking credentials and access codes to other payment instruments are one of the main types of information which permit a cyber fraudster to obtain an economic return from the attack, since they allow money to be moved around. The theft of usernames, passwords and operating codes for online financial transactions is an increasingly common phenomenon, which has forced banks and payment systems to raise security levels. Examples of this are the introduction of strong authentication mechanisms, such as confirmation codes, typically ‘one-time’, to authorise credit instructions, and monitoring instruments on the amount transacted.

Fraud linked to credit or direct debit cards
Credit cards are one of the most common payment instruments. The sensitive data associated with them is processed and passes through many computer systems which, in turn, keep a copy of this data, sometimes in a manner not compliant with current legislation and standards. Fraud related to sensitive credit card information can be both ‘physical’ and ‘online’. The former includes phenomena such as credit card cloning via skimming and the compromising of POS devices. In contrast, online fraud aims to obtain the card data by means of false e-commerce sites or by compromising existing websites. Additional security devices, such as “VbyV” or “Securecode”, do not pose insurmountable obstacles for the cracker, since they are for all intents and purposes static credentials which, once stolen, can be used again.

Theft of personal data for financial fraud purposes
The theft of information is not only limited to that directly associated with payment tools, but increasingly extends to the personal data of the individual, which can be found – for example – on social networks. The personal profile of an individual, together with payment instruments data, increases the efficacy of the fraud. For example, some call centres authenticate the caller by requesting personal details in addition to traditional credentials, such as date of birth or the postcode of their city: a fraudster in possession of such information obviously has a considerable advantage. As proof of the value of such data, the prices of credit card numbers furnished with information on the holder are considerably higher on the black market than those without such information. Social networks represent a veritable goldmine of data which is not limited to merely personal information. In fact, thanks to social networks crackers can reconstruct the professional relationships of the victims, discovering the organisation they work for or who their bosses are, for example. This information can subsequently be re-used to carry out attacks based on social engineering or to defraud the target organisation.

Provision of fake services of various types
Fake services represent another type of fraud. These can range from the sale of counterfeited or infected software containing malware (fake antiviruses), to the failure to deliver a product the user has paid for. This type of fraud is not often accompanied by formal complaints made to the competent authorities, especially in cases where the nature of these services is compromising (such as the case of pornography or online gambling on illegal websites), or the amount of the loss suffered is relatively low.

Sale of illegal services
Cybercrime is so evolved that, over the years, it has stimulated the creation of a series of services supporting the activities of fraudsters. These services do not make it possible to obtain a direct profit from their use, but can help the fraudsters to improve the profitability of their activities and exchange information. Examples of such services are tools for handling the purchase and sale of information on attacks, and websites for checking the validity of stolen credit card numbers.

¹ Malicious hackers, or rather crackers, who operate for criminal ends, in contrast to white hats who act purely out of scientific curiosity [2].

1.2 PURPOSE OF THE SURVEY

This survey explores the dynamics of cyberfraud from a particular perspective, setting a number of specific objectives that can be summarised as follows:

• contextualise the “objective” information contained in the most up-to-date reports in the sector in order to reconstruct a baseline with which the results of the survey can be compared;
• analyse the differences between the objective phenomena studied and the “perception” which various operators have of it. More specifically, we will analyse the perspective of individuals, companies and the authorities using direct and indirect information, in accordance with the survey methodology (described in section 2);
• understand whether there are essential differences, real or perceived, with regard to the cyberfraud methods used by the various European nations, and between Europe and the US;
• analyse the methods for fighting cybercrime and associated problems. More specifically, we will analyse the issue of collaboration between the various operators involved, and the influence that the co-operation models may have on the end result.

In practice, we shall seek to analyse the various elements that characterise criminal events, as per the dimensions shown in Figure 2:

Figure 2. The anatomy of attacks: conceptual diagram.


1.3 EECTF, A TASK FORCE AGAINST CYBERCRIME

The European Electronic Crime Task Force (EECTF) carries out a series of activities concerning the analysis, examination and prevention of all those criminal acts which are increasingly common on the Web and which threaten the security of IT services, such as digital theft, attacks on institutions and any other type of cybercrime. The EECTF therefore aims to define new techniques and instruments for the prevention, detection, combating and investigation of these crimes, in Europe and worldwide. The Task Force originates from an agreement between Poste Italiane, the Polizia Postale and the Secret Service (US government agency which, since 1865, has been in charge of investigating counterfeiting and fraud, and which today is also entrusted with looking after the security of the US President). The EECTF was established on 30 June 2009 in Rome through the signing of a memorandum of understanding between the Chief Executive of Poste Italiane (Italian Post Office), Massimo Sarmi, the Chief of Italian Police, Antonio Manganelli, and the director of the US Secret Service, Mark Sullivan. In May 2010 the Global Cyber Security Center joined the EECTF. On 17 November 2010, the EECTF welcomed two new members: American Express and RSA (the Security Division of EMC). During 2011, EECTF’s board shall dedicate itself, among other things, to the recruitment of other important international organisations within the project.

Given the global nature of the cyber threat, the task force intends to play a leading role, at both European and international level, in enabling the players involved in fighting cybercrime to share their information and expertise. It is therefore a body that is open to the participation of both private and institutional partners who share a commitment to fighting cybercrime.


2 The survey method

The survey brings together the contributions of those who operate in the field of IT security and the fight against cybercrime within the law enforcement authorities, security solution providers, intelligence agencies, experts and companies of international importance. The survey focuses on Europe: those interviewed in fact mainly operate in Europe or have important relationships with European countries. Certain stakeholders also have an overview of cybercrime in the United States: where possible, this knowledge has been used to compare the European context with that of the US. The survey is divided up into four areas which deal with subjects pertaining to the objectives of the attacks, the methods used for perpetrating the crimes, the outcome of fraud, and the consequent analysis and investigation activities. This section contains indications on the type of participants involved, the methods used for collecting data, and the methods used to present the results.

2.1 CATEGORIES OF PARTICIPANTS

The survey has brought together the contributions of operators specialised in the field of IT security or involved in the fight against cybercrime, and who have provided answers regarding their experience and perception of the phenomenon.

The parties who contributed to the survey have a different perspective of cybercrime, since they belong to different organisations. The survey has therefore gathered information originating from:

• law enforcement authorities, chosen from amongst those belonging to the twenty-seven countries in the European Union, also on the basis of their specific interest and involvement in the sector. The law enforcement authorities have visibility on reports and on investigations. Via these they gather indications on the perception that the users have with regard to the phenomenon of cyberfraud. The investigation methods used also provide information on the methods for collaborating and fighting against the phenomenon at judicial level;
• businesses operating in the sectors most commonly affected by cyberfraud, which contribute their direct experience of cybercrimes committed against themselves or their clients. The businesses were mainly selected from the financial and electronic payment instruments sector;
• security solution providers, intelligence agencies and experts, who are able to provide reference material for the objective analysis of cybercrime, with indications on trends and on new fraud models. These parties have a global vision of the phenomenon thanks to their size and international presence.


2.2 DATA COLLECTION

The participants provided their contribution via three separate channels:

• questionnaires, with questions relating to the type of organisation for which the parties work;
• informative and analytical material provided by the parties, such as reports and analyses;
• direct interviews.

More specifically, the questionnaires propose a series of questions divided up into ten spheres, each of which organised into four theme-based areas as mentioned: purposes of the attacks, methods used in the crimes, outcome of the fraud and analysis and investigation activities. Three different versions of the questionnaires were drawn up, one for each type of organisation, maintaining the same spheres. In this manner, it was possible to examine the specific nature of the interlocutor while maintaining a common approach, useful for the subsequent analysis of the results. The spheres into which the questionnaire was divided up were also used as guidelines during the interviews, and acted as a springboard for the interlocutors to develop new ideas and reflections also on spheres not initially contemplated.

The survey has examined the context of cybercrime as described by some of the main sector studies and has compared it with the perception that some representative entities have of the phenomenon. In addition to the founders of the EECTF, the survey involved twenty-three organisations from the majority of the European Union nations and the United States, chosen from various categories including: law enforcement authorities; businesses; security and solution providers; intelligence agencies and experts. The context is illustrated in section 3, by means of reports, analysis and other publicly available material. Approximately twenty studies have been analyzed, chosen from among the most recent ones available. The perception of the parties, meanwhile, is provided in section 4, via a series of questionnaires, interviews and data promptly provided.


2.3 ANALYSIS OF THE DATA AND PRESENTATION OF THE RESULTS

The results of the survey are presented in section 4, maintaining the distinction between the theme-based areas described in the introduction:

• the victims of attacks and the reasons why they are attacked;
• how attacks are carried out;
• the efficacy of the attacks and how they are discovered;
• how investigations are carried out and with what results.

The results are presented anonymously by means of the aggregation and partial re-processing of the data, and their representation in graphic form, if pertinent. The results are commented on in order to highlight any emerging trends or reveal differences between the various types of parties, geographical areas and time periods. These comments also include possible observations made by those interviewed, also in this case presented in anonymous form.


3 Analysis of context

As already mentioned in the introduction, cybercrime today is characterized by a “manifold” approach and by a focus increasingly aimed at obtaining a profit. The term “manifold” refers to the considerable differentiation of cybercrime according to geographical customisation, the attack vectors used and the evolution of the community. The ongoing evolution of criminal organisations into increasingly more organized structures and the creation of a black market for illegal services and information sharing are by contrast elements which highlight the importance of profit. Figure 3 shows the conceptual outline of cybercrimes as described in this survey. The image contains some keywords which represent the spheres explored in this survey. This section presents an overview of cybercrime, based on the analysis of the latest sector studies.

Figure 3. Cybercrime today

3.1 CYBER FRAUDSTERS, VICTIMS AND ATTACK VECTORS

In the current panorama of cyberfraud, two types of players can be identified: the fraudsters and the victims. The fraud exploits a series of attack vectors, both technological and linked to social engineering concepts. The subsequent sections examine some of the main concepts relating to these elements. These starting points are taken from objective analysis of the facts and can therefore provide a useful basis for the critical interpretation of the results emerging from the survey, as described in section 4.

3.1.1 FRAUDSTERS: ORGANISATIONS AND ROLES

The evolution of the crime is linked to the opportunity of making a profit at the expense of others. The spread of PCs and internet connectivity has increased the use of digital information and, therefore, also its value: bank transactions, patents, and personal details are just some of the examples of information stored in electronic format. The widespread circulation of this information represents an opportunity to make a profit in the event an individual is able to acquire it. This opportunity is at the basis of the development of cybercrime.

Cyber attacks have evolved as a consequence: initially carried out by hackers, whose purpose was to surmount the security systems as a hobby or an intellectual challenge, they passed into the hands of cyber fraudsters, or individuals whose sole objective is to make a profit by means of cyber attacks.

The majority of cyber fraudsters act within criminal organisations, which can be made up of just a few members, or be very complex and well-organised, even similar to mafia-type organisations [3], managed hierarchically by means of real business objectives, and generate significant revenues. One of the famous examples of the past is CarderPlanet, a criminal organisation which handled the sale of stolen credit card numbers, which was organized hierarchically and whose structure was similar to that in Figure 4.

Criminal organisations of this type are still present today and are predominantly based in countries where there is weak legislation in force with regard to cybercrimes, such as for example Romania, Russia, Nigeria or Brazil. With regard to Europe, for example, the majority of the attacks come from or are directly attributable to organisations which are based in Eastern Europe. In any case, the attacks are targeted at many countries and one of the main problems involves turning the information into cash. For this reason, there are a number of individuals present in the territory, known as mules2, who are placed at the last level of the hierarchy and, recruited via the Internet, carry out the role of intermediary in order to steal the money from the accounts of the victims. The money is sent to the heads of the organisations, usually by means of anonymous transfers, and the mules keep a percentage for each transaction.

Figure 4. Layout of a criminal organisation, based on a mafia model (Source: [4]).

2 The term derives from the animal used by smugglers to transport illegal goods.

3.1.2 THE VICTIMS OF THE ATTACKS

Victims of the cyber fraudsters range from individuals to multinational organisations. In general, there are two ways in which the victims are chosen and attacked:
• there are general attacks, which are based on little or no differentiation between the attempts on the basis of the victim. In this type of attack, for example, we can find mass phishing campaigns, which reach thousands of potential victims without distinction;
• there are targeted attacks, which considerably reduce the number of fraud attempts in favour of a more precise campaign, which takes into account the information obtained on the victim. This type of attack, for example, includes “spear phishing”, a variation of phishing where the e-mails contain precise references to information on the victim (e.g. the name of their boss or the division within the organisation they work for).

3.1.2.1 DIFFERENTIATION OF THE VICTIMS ATTACKED

With regard to the victims attacked, it can be stated that private individuals and businesses are very closely linked: private individuals are sometimes attacked because they are members of a business, and in the same way, the businesses are victims of violations aimed at stealing sensitive data on the individuals, such as credit card numbers, etc. The following sections provide a description of the various types of victim.

Users
The end users of PCs or other technological devices represent a main target for cyberfraud attacks. The end users may be subject to attacks aimed at the direct stealing of information linked to financial instruments (by means of malware or phishing), or at the stealing of personal information which may permit the complete reconstruction of the digital identity of the victim attacked. They may also be included in botnets, so that attackers are able to use the technological device of the users as a means for carrying out further attacks.

Banks and payment service operators
Besides direct attacks on their systems, banks and payment service operators are subject to indirect attacks, aimed at the theft of information relating to financial instruments of users, as already seen previously. The latter attacks, if successful, create economic damage for the end user, but further still reputational damage for the financial institution. Even technological infrastructures ideally separated from the Internet, such as the ATM3 network, cannot be considered immune to attacks. These devices, in fact, are today similar to PCs linked to a network and are often equipped with commercial operating systems: for such reasons, they are vulnerable to viruses and other compromising situations typical of workstations [5].

Direct debit/credit card issuers
One of the sectors most frequently targeted by cyberfraud is that of credit and direct debit cards, via which it is possible to make payments in the “card not present” mode, typically on the Internet. As already mentioned previously, the methods for stealing sensitive information relating to payment cards are numerous, from phishing of individuals to intrusion in an IT system, with predominance of the latter case. Physical cloning of cards is also widespread, together with the theft of PINs for direct debit cards. The changeover to EMV technology underway throughout Europe is helping to mitigate the phenomenon, even if there have already been reports of attacks in which certain EMV-based POS terminals were compromised [5].

3 Automatic Teller Machine, automatic cash withdrawal points

Businesses
The above aspects also apply to the more general subject of attacks on businesses: they can be the target of attacks which have manifold purposes. In general, the attacks on the IT systems of companies are carried out by means of internal collaboration, or via purely technological attacks. The main target of these attacks is information linked to customers, or valuable for the business itself, such as patents or commercial information.

Online services
Finally, we should not forget that virtually all online services represent potential targets. In fact, an online service can be attacked in order to steal sensitive information, or it may be used as an instrument for launching attacks on the user base. The platforms for providing online services can also be compromised and used to host clone websites, malware or illegal services associated with the underground.

3.1.2.2 GEOGRAPHIC DIFFERENTIATION OF THE ATTACKS

The attacks are also subject to differentiation on a geographic basis: in some countries, certain attacks appear to be more effective than others. A number of factors which could explain this phenomenon are attributable to the degree of diffusion of online services and the cultural characteristics of the people. Likewise, the maturity of the countermeasures used and their proliferation could also explain these differences. In contrast to what one might imagine, cyberfraud also seems to involve the so-called emerging economies, China, Brazil and India in the first place, as clearly shown in Figure 5 [7].

Figure 5. Distribution of the attacks at geographic level (Source: [7]).

3.1.3 SOME OF THE MOST COMMONLY USED ATTACK VECTORS

This section gathers together some of the most common vectors used by cyber fraudsters when carrying out their attacks. Often, a vector becomes an enabling factor for another: for example, the violation of the user’s machine may permit the deactivation of the protections against clone sites and consequently enable the attacks which deceive the user with regard to the authenticity of the information displayed.

3.1.3.1 MALWARE

The term “malware” indicates generic software written to access the user’s computer system or workstation without their consent. The term “malware” covers a vast array of cyber threats, direct descendants of the first computer viruses, such as worms, Trojans, rootkits, botnets, spyware, keyloggers and dialers. On a similar basis as has occurred in relation to cybercrime, malware is also turning into an instrument for generating profit, thus becoming “crimeware”. Over the last few years, the variety of malware in circulation has seen an almost exponential outbreak, as shown clearly in Figure 6 [8]. The criminal action of the malware has many purposes, which can be separated, in general, into two main categories:
• theft of information or money from the user, for example by means of the theft of credentials (e.g. home banking or e-commerce website data), the direct theft of money (e.g. via dialers that make calls to premium-rate numbers, a threat now moved to mobile devices) and the theft of personal information (e.g. sending of Word documents found on the user’s hard disk via e-mail);
• unauthorized use of the IT resources of the user whose computer, once infected, permits the supply of illegal services sold on the black market (e.g. distributed deciphering of documents, brute-forcing of passwords), the generation of illegal traffic (e.g. the mass mailing of undesired mail, spam), the destruction of stored data, or its encryption, e.g. for the purpose of blackmail (ransomware), or administrative remote access to the infected machine (e.g. using backdoors for controlling the workstation).

3.1.3.2 BOTNETS

One of the objectives of malware creators is the setup of botnets. When malware with botnet functions infects the victim’s computer, the computer can be controlled remotely, via the Internet. The attackers can then use the user’s computer to carry out their own crimes, or rent it to other criminals, without the user being aware of the fact. The attackers aim to acquire control of a considerable number of machines, which represent an effective army of “bots”, from which they gain a profit by renting them out to third parties. A computer or workstation infected by botnet malware becomes a point from where attacks can be launched towards other points of the net or from which sensitive information can be stolen. The geographic distribution of the botnets, indicated in Figure 7, shows a high concentration of compromised computers in Europe. Among these, as can be seen in Figure 8, the majority are distributed throughout Eastern Europe, with a growing tendency especially in this latter period [9]. Botnets are a clear example of modern crimeware: instead of damaging the victim’s computer, as used to occur with viruses in the past, the attacker’s interest is now entirely in maintaining the computer active and connected, because each hour of running generates profit.

Figure 6. Growth of new varieties of malware between 2007 and 2010 (Source: [8]).

3.1.3.3 SPAM

“Spam” means the mass sending of undesired messages, generally commercial, carried out using any medium. At present, the instrument most widely used is without doubt e-mail. The phenomenon represents not only an inconvenience for those receiving the e-mails but it is also related to phishing threats. Botnets have a fundamental role in sending spam messages: according to Symantec [9], during 2010 on average more than 88% of total spam generated at global level had in fact been sent by “bot” workstations belonging to a botnet, involving growth of 5 percentage points on the previous year. Figure 9 shows the graph which indicates the trend in spam sent by botnets, disclosing a rise.

Figure 7. Geographic distribution of botnets (Source: [9]).

Figure 8. Distribution of botnets in Europe by area (Source: [9]).

Figure 9. Trend in spam sent by botnet (Source: [9]).

3.1.3.4 PHISHING

By means of the phishing technique, fraudsters attempt to persuade users to communicate their sensitive data, such as, for example, the credentials for accessing a service. Attacks of this type are often conveyed via spam e-mails, counterfeited in such a way as to seem “licit”, and redirecting the user to a clone website which appears to be the original one, but which sends the inserted credentials to the attacker. Even though banks inform their customers about the risks related to the phenomenon and implement additional security devices (e.g. OTP), phishing remains a widely used technique, in particular for stealing static credentials, for example the security codes of credit cards (SecureCode or VbyV, referring to well-known credit card brands). Throughout 2010, phishing remained at roughly constant levels in terms of the number of attacks detected, even if there were significant variations in the volumes of e-mails involved, especially coinciding with events such as the closing down of specific botnets. Figure 10 shows the trend in the phishing campaigns active worldwide in 2010 [28]. At European level, the UK, Italy and the Netherlands are at the top of the ranking with regard to attacks made in the form of new phishing campaigns, as clearly indicated by the data in Figure 11 relating to November 2010 [21].

Analysing the geographic distribution of the phishing phenomenon, in Figure 12, two interesting aspects can be noted:
• phishing is global and nations exist which generate more attacks than they suffer. Clearly, in these nations, fraudsters launch campaigns against users in other countries;
• more than half of the phishing campaigns originate from the United States, contrary to the popular belief that more tolerant legislation on the subject of cybercrimes, such as that in Eastern Europe, aids the fraudsters’ activities. This phenomenon can be explained by the fact that usually the attacks take place following the violation of systems providing different services, generally legal, which are “infected” and unwittingly used for phishing purposes.

Figure 10. Phishing trend (Source: [28]).

Figure 11. Distribution of the phishing campaigns at European level (Source: RSA).

Figure 12. Geographic distribution of the sources and the phishing targets (Source: [28]).

Figure 13. Geographic distribution of the data breaches in 2009 (Source: [11]).

Figure 14. Characteristics of the data breaches (Source: [11]).
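The phishing pattern described above, a counterfeit e-mail whose links lead to a clone website, leaves a footprint a mail gateway can check for: the host the user sees in the link text differs from the host the link actually points to, or a legitimate brand name is reused as a subdomain of an unrelated domain. The following is an added example (not code from the survey or from the EECTF); the allow-list of legitimate hosts, the sample message and every domain name in it are constructed, and the registrable-domain heuristic is a deliberate simplification of what a production filter would take from the Public Suffix List.

```python
"""Flag anchors in an HTML e-mail body whose visible text and real link
target disagree, the pattern used to steer users to a clone website.
Added example, not code from the EECTF survey; the sample message and
the domain names in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of the hosts a bank legitimately links to.
LEGITIMATE_HOSTS = {"www.examplebank.test", "online.examplebank.test"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (good enough for this example;
    real deployments should consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, legitimate_hosts=LEGITIMATE_HOSTS):
    """Return (href, reason) for every link an analyst should look at.

    Check 1: the link text names a host that is not the real target.
    Check 2: the target host carries the legitimate brand name as a
             subdomain of an unrelated registrable domain.
    """
    parser = _LinkCollector()
    parser.feed(html)
    legit_domains = {registrable_domain(h) for h in legitimate_hosts}
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host or host in legitimate_hosts:
            continue
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host:
            findings.append((href, f"display/target mismatch: shows {shown.group(1)}"))
            continue
        brand_reused = any(d.split(".")[0] in host for d in legit_domains)
        if brand_reused and registrable_domain(host) not in legit_domains:
            findings.append((href, "brand name under unrelated domain"))
    return findings


# Constructed sample message imitating a bank notification.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details at
<a href="http://www.examplebank.test.verify-account.example/login">
https://www.examplebank.test/login</a>.</p>
<p>Help: <a href="http://online.examplebank.test/help">Help centre</a></p>
<p>Card security: <a href="http://examplebank.test-secure.example/cards">
secure code</a></p>
<p><a href="http://www.example.org/privacy">privacy policy</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Of the four links in the constructed message, the first is flagged because the text shows the bank's host while the target is another domain, the third because the brand name sits under an unrelated registrable domain; the genuine help link and the neutral external link pass.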

3.1.3.5 THE COMPROMISING OF BUSINESS SYSTEMS

The violation of the user’s computer or workstation and the use of social engineering techniques such as phishing are not the only ways used by a fraudster in order to access profitable information. The extent of the attacks, the importance of the fraud and the prosperity of the underground market which have been noted over the last few years make it possible to hypothesise the existence of more structured information theft campaigns, which take place directly at source, on company servers [11]. These criminal events are known as “data breaches”. Figure 13 gives an idea of the geographic distribution of the data breaches at global level [11]. One can observe that the data breaches involve a wide variety of system types, such as online servers, technological equipment of users, data archived in backup devices, etc. According to the figures shown, the source from where the greatest quantity of information is stolen is represented by databases and by other systems of companies and organisations. This data could certainly suffer inevitable distortions deriving from the fact that the private users are often unaware of the attacks they suffer. However, the numeric values are so significant that they make the phenomenon of data breach by no means negligible. Malware and technical attacks are in general the main attack techniques used for stealing the data even if, increasingly more often, the attackers use social engineering techniques (+16% during a year, as shown in Figure 14).

3.1.3.6 COMPROMISED WEBSITES AND THE DRIVE-BY DOWNLOAD

The compromising of company servers may go beyond the mere theft of information. Unauthorised access to servers, in fact, can be the first step towards control over the users’ workstations: by exploiting one or more vulnerabilities, the attackers can take control over the servers of a company and change the web pages visited by the users, so that they are guided to download malware. This pattern of attack, known as “drive-by download”, involves exploiting the trust which the victims place in the website of an organisation which has been attacked: thanks to this relationship, the victims are more likely to download and execute the malware. The end result is that the hacker or cracker has obtained control over the user’s workstation, or is at least able to seize the sensitive data transiting in it. The extent of drive-by download is shown in Figure 15, which discloses the geographic distribution of the websites infected via this technique, divided up by top-level domain [12]. One can observe how the spread of the phenomenon is more concentrated for certain top-level domains. This does not “safeguard” users in other areas, since their navigation may be redirected to infected websites via a number of tricks. The violation of company servers typically exploits one or more vulnerabilities of the software and the equipment used by the company to provide its legitimate services. These technologies are fairly similar and, therefore, once the vulnerability which afflicts them has been discovered, the attack can easily be replicated to attack other servers. For example, Figure 16 shows the rapid spread of a specific malware via drive-by download [5].

Figure 15. Geographic distribution of drive-by download (Source: [12]).

Figure 16. "Drive-by download" attacks in 2010 via the “Trojan-Downloader.Java.OpenConnection” malware (Source: [5]).
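A site owner can catch the page modification described above by comparing what the web server actually serves against the copy that was published, and reporting any script or frame element that appeared in between, particularly zero-size frames and resources loaded from hosts the site does not own. The code below is an added example (not from the survey or from the EECTF); it assumes a stored baseline copy of the page and an allow-list of the site's own hosts, and both HTML fragments and all host names in them are constructed.

```python
"""Compare a page as served to visitors against the page as published and
report injected <script>/<iframe> elements, the footprint of a compromised
web server used for drive-by download. Added example, not from the EECTF
survey; the two HTML fragments and the host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: hosts the company legitimately serves content from.
SITE_HOSTS = {"www.example-company.test", "static.example-company.test"}


class _EmbedCollector(HTMLParser):
    """Collect every <script> and <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.embeds.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """Zero-size or display:none frames are typical of drive-by injection."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def injected_embeds(served_html, baseline_html, site_hosts=SITE_HOSTS):
    """Return (tag, src, reasons) for embeds present in the served page but
    absent from the published baseline, with why each one is suspicious."""
    base = _EmbedCollector()
    base.feed(baseline_html)
    served = _EmbedCollector()
    served.feed(served_html)
    known = {(t, a.get("src", "")) for t, a in base.embeds}
    findings = []
    for tag, attrs in served.embeds:
        src = attrs.get("src", "")
        if (tag, src) in known:
            continue
        reasons = ["not in published baseline"]
        host = (urlparse(src).hostname or "").lower()
        if host and host not in site_hosts:
            reasons.append(f"loads from third-party host {host}")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden frame")
        findings.append((tag, src, reasons))
    return findings


# Constructed baseline: the page as the company published it.
BASELINE = """<html><head>
<script src="https://static.example-company.test/app.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

# Constructed served copy: the same page with two elements appended by an intruder.
SERVED = """<html><head>
<script src="https://static.example-company.test/app.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://malware-host.example/landing" width="0" height="0"></iframe>
<script src="http://malware-host.example/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in injected_embeds(SERVED, BASELINE):
        print(tag, src, "; ".join(reasons))
```

Running the comparison on the constructed pages reports the hidden iframe and the extra script, both loading from a host outside the allow-list, while the company's own script is recognised from the baseline and ignored. In practice the baseline would come from the deployment pipeline and the served copy from a scheduled fetch through the public front end.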

3.1.3.7 TOOLKITS

Toolkits are collections of attack tools, which often offer simplified and highly automated interfaces in order to permit their use also by less expert people. The most advanced toolkits launch attacks which are able to exploit the latest vulnerabilities, often not yet public. These toolkits are typically sold on the underground market. Since 2007, RSA Security has detected the sale on the underground of a toolkit known as “Universal Man-in-the-Middle Phishing Kit”. For around US$ 1,000, the kit offers an instrument for creating clone websites and carrying out man-in-the-middle4 attacks by means of just a few simple clicks, without the need for any particular technical expertise. Another toolkit example is the one used for generating personalised versions of the Zeus botnet, one of the most common malware packages, which makes it possible to include a user workstation within a botnet or intercept the web traffic. Using a specific interface, the attacker can create malicious PDF documents which, once opened by the victim, infect the workstation [13]. Toolkits also include the instruments for the creation of advertising campaigns, aimed at recruiting personnel for illegal organisations, as in the case of mules.

4 A man-in-the-middle attack is an attack where the attacker is able to compromise a communications channel without anyone being aware. In this way, an attacker can read, input or change messages at pleasure which are exchanged within the channel.

3.1.3.8 BLOGS AND SOCIAL NETWORKS AS “UNWITTING VECTORS”

Social networks represent an extremely useful tool for fraudsters, since they make it possible to gather sensitive information on the victim in a short space of time and then use it for social attacks (e.g. pretending to be the IT manager of the company worked for and requesting the access credentials) or for surmounting the authentication mechanisms based on personal information (e.g. requesting the date of birth or mother’s surname). Users in fact tend to have bad habits with regard to sharing confidential information: the episode at the start of 2009 linked to the sharing of information on the private life of the future head of the British secret service by his wife was glaring in this sense [14].


3.2 A STRUCTURED MARKETPLACE

The figures for the last few years relating to the underground market disclose considerable growth in both demand and supply of data and services for cybercrime. This market shows an evolution towards complex business models, made up of various roles: on the one part, there are the producers of the tools for fraud, on the other part the users who gain a profit from their activities by means of individuals such as mules, who transfer the fraud into hard cash. A number of observations follow, useful for understanding the complexity of the underground market and the dynamics which regulate it.

3.2.1 THE FRAGMENTATION AND SPECIALISATION OF THE SKILLS

The on-going development of the underground market and the criminal organisations has led to the creation of professionals with specific skills for every type of illegal activity. For example, the most expert individuals no longer operate out in the field, but offer fully fledged advisory services to their own network of “trusted” contacts. In the underground communities, the fragmentation of the skills and the reputation of the individuals within the organisations is governed by instruments such as forums. These collaboration channels, in fact, present a number of intrinsic characteristics for the handling of the roles which are assigned to the users, and which are also used to assess the reputation or assign roles within the organisations [11]. For example, concepts such as administrator, moderator and member are, in fact, easy to use as a reference in the organisations. Figure 17 shows an example of the hierarchical structure of a forum, where the roles of the users are re-mapped to roles within the organisation. The administrators of the forum perform the role of managing and controlling the organisation, the moderators supervise the performance of specific theme-based areas in which generic users participate, acquiring goods or services. These products are sold by users who have been granted a higher reputation, according to the assessments of their superiors, on the basis of the quality of their contribution.

Figure 17. Fragmentation of the skills and roles within a forum

3.2.2 VARIOUS CHANNELS FOR PROPOSING UNDERGROUND SERVICES

The illegal organisations linked to cybercrime benefit from the extreme ease with which the Internet enables the spread and the publication of goods/services related to the underground. An enormous number of websites exist which bring together catalogues of illicit resources or illegal services. Sometimes, these are “supplementary” services, which are not necessary for directly bringing about the attacks, but which support the fraudsters. On the web, for example, it is possible to access underground services for checking the validity of credit card numbers purchased or stolen (Figure 18). At other times, the services are linked to the sale of credit card numbers, for example carderplanet.com and CounterfeitLibrary.com, which have all now been deactivated. Other channels used for the purpose of exchanging illicit information are forums and IRC channels, an example of which is shown in Figure 19 [16].

The purchase and sale of goods and services on the underground market is difficult to fight, because:
• the sales channels are only known to a restricted circle of users, who know one another by means of the reputation mechanisms seen in the previous section;
• the access methods are usually different from the classic website and very often are based on anonymous chat channels or hidden pages;
• the monitoring of the channels which offer services is complicated by the fact that they often change name and the domain from where they are accessible, also following any closures imposed by the providers and the law enforcement authorities.

Figure 18. A website for checking the validity of the credit cards (Source: [23]).

Figure 19. Example of an IRC channel for the sale of illicit information (Source: [16]).

3.2.3 DIFFERENT SERVICES AT DIFFERENT PRICES

Much of the information and many of the services supporting cyberfraud, mentioned previously, have a precise economic quantification. Figure 20 shows a few examples [15]. Besides the effective cheapness of many packages, the existence of a wide range of variety can also be noted. In recent times the difference in the number of cases of credit card information theft and all other kinds of cyberfraud has decreased. This shows how other types of information, aside from credit card data, have gained value. Mechanisms like VbyV (for Visa cards) and SecureCode (for Mastercard cards) have increased the difficulty of fraud in the “card-not-present” context (where credit card information alone is enough).

The initial consideration which regulates the price of a good exchanged on the underground market is to a large extent the potential profit which the cyber criminal can obtain. For example, credit cards with higher credit limits are resold at higher prices, and the price of the credentials of a current account depends on the funds available in it. Besides these technical considerations, others, typical of unrestricted markets based on the law of supply and demand, can be added: wide availability of a good, such as credit card numbers, could reasonably lower the sales price. Another factor which may influence the price on the market is the reputation of the seller: even if this might seem to be a concept out of place within a sphere unregulated by law, it is a fact that a fraudster is willing to pay a higher price for goods acquired from more reliable sellers. In fact, these are usually able to offer greater assistance if required, for example replacing blocked credit card numbers.

Another interesting fact concerns the prices of the tools used to develop the attacks which make it possible to recover the above-mentioned information, as shown in Figure 21 [16]. The prices of these tools are constantly falling while the instruments are increasingly more efficient and easy to use, and can be used without any specific expertise. Lastly, it is appropriate to point out how the underground market itself may in turn become a place of fraud: certain sellers, in fact, attract less expert buyers by means of excessively low prices and by selling them products which do not work, or products containing malware which ends up infecting the buyer. These fraudulent sellers are also known as “rippers”.

As can be seen further on, the survey will show how the dynamics and the vivacity of the underground market do not yet seem to be understood by all the potential victims. In particular, the underground market and communities are the place where new threats emerge, also involving methods which the victims hardly perceive. The survey topics deal also with this aspect.

Figure 20. Sales value of underground goods/services (Source: [15]).

Figure 21. Sales prices of tools or kits for cyber attacks (Source: [16]).


4 Survey results

This section is the heart of the survey and presents its results. The evidence collected is analysed in light of the data provided by those taking part, presented in aggregate form.
The work is organised according to the four theme-based areas already identified when discussing the method followed in the survey. Through an analysis of the results and the evidence collated, the survey answers four main questions:
• Who are the victims of attacks and why?
• How are attacks carried out?
• How effective are attacks and how are they discovered?
• How are investigations carried out and what are the results?

The interviews also produced relevant comments and observations relating to the various experiences and opinions of the participants. These contributions are presented again to accompany the analysis of the results, thereby providing original in-depth analysis of the issues examined.

In this section, reference is made to the various classes of interviewees:
• law enforcement, for the legal authorities and police forces;
• business, for businesses and organisations;
• security, for security solution providers and intelligence agencies.

During the analysis of the questionnaires, great similarity was observed between the responses of those interviewed in the business sphere and those in the security sphere. Accordingly, their responses have been included in a single category.

4.1 COMMENTS ON THE EXTENT OF THE PHENOMENON

The general perception of the interviewees is that cybercrime has increased over the last two years. This opinion seems to be fairly widespread both in the law enforcement sphere and in the business and security sphere, albeit with a few slight differences, as illustrated in the graph in Figure 22. Specifically, all operators in the law enforcement sector agree on the rise of the phenomenon and tend to assign it more pronounced levels of growth. A quarter of those interviewed in the business and security sector, by contrast, consider the phenomenon to be stable. This difference might derive from various factors, more fully analysed further on in the survey.

These factors include:
• the rise in user awareness, which over the years has led to an increase in the number of complaint reports because users are more able to comprehend that they have been defrauded. This is also a result of the growing confidence in law enforcement authorities, linked to a constant rise in their expertise. According to many interviewed in the law enforcement sphere, however, the number of reports remains greatly inferior to the real volume of the attacks;
• the obligatory nature of reporting certain types of cyberfraud and episodes involving data theft, by businesses, in accordance with the amendments made to the legislation of certain countries (in addition to the need to report on the part of those involved in credit card fraud);
• the greater visibility which the law enforcement authorities have with regard to the phenomenon at aggregate level, since the reforms of the justice sector in certain countries have concentrated the handling of the reports of cybercrimes within just a few specialised centres. This reorganisation has made it possible to more fully monitor the reports, avoiding “dispersions”, as well as improving the efficiency of the investigations (5).

The interviewees who operate in Eastern Europe agree on the sharp increase in the activities of cybercriminals in their own countries: this confirms the hypothesis that cybercrime is a highly dynamic phenomenon, capable of relocating rapidly and attacking new markets.
The interviews also reveal an interesting trend with regard to the profitability of cybercrime: the number of attacks is rising sharply, but the average profit per attack is dropping, at least for certain types of fraud. This might be explained by the increasing awareness of users and the proliferation of countermeasures effective against the most common attacks. Therefore, the economic damage of cyberfraud rises less than proportionally to the intensity of the attacks. This factor contributes to the increase in the number of attempts to compromise systems: cyberfraudster organisations must raise the intensity of attacks in order to maintain their profits.
With regard to combating cyberfraud, it is observed how the cost/benefit ratio influences businesses when adopting countermeasures: in particular, the investment must be lower than the amount of the damage potentially thwarted.

Figure 22 - "According to your data, do you think that the cybercrime phenomenon..." (law enforcement / enterprise + security):
  has been decreasing: 0% / 0%
  is nearly stable: 0% / 25%
  has increased by less than 50% a year: 40% / 25%
  has increased by 50% a year, or more: 60% / 50%

(5) In Italy, this reorganisation took place with the management of cases of cyberfraud split up into districts. Today, a limited number of Public Prosecutor’s Offices are assigned investigations into cyberfraud cases, which take place in broad areas under their jurisdiction.


4.2 THE TARGETS OF THE ATTACKS: VICTIMS AND ASSETS INVOLVED

The first aspect studied by the survey concerned the objectives of cyber criminals, both in terms of victims and in terms of the information and assets most commonly attacked. The analysis of the contributions of the interviewees was also carried out in light of the comments made in section 3, which define the current status thereof.

Figure 23. "Cybercrime attacks take place mostly against…" (law enforcement / enterprise + security):
  both, in equal measure: 33% / 25%
  enterprises (your enterprise): 11% / 13%
  individuals (your customers): 56% / 63%

4.2.1 TYPES OF VICTIMS ATTACKED

There is a clear perception among the interviewees that the main victims of cyber criminals are individuals (or clients, in the case of businesses). As can be observed in the graph in Figure 23, the interviewees believe that businesses are attacked five times less often than individuals: according to those interviewed in the law enforcement sphere, this fact could mask a different situation and could be explained by the different propensity towards making reports shown by private individuals and businesses. Another interpretation may be that, often, attacks on businesses in any event have an impact on individuals, in the form of clients, and therefore the business tends not to be identified as the victim.
The representatives of the law enforcement sector receive reports and complaints from both individual citizens and businesses. According to their experience, based on the reports dealt with, the fastest growing type of cyberfraud is that linked to the direct theft of money by means of methods such as, for example, the theft of home banking credentials and the cloning of payment instruments, as described in section 3.
The elevated impact of cybercrime on individual citizens might also be explained by the intrinsic characteristics of the malware phenomenon, a very popular tool of attack nowadays. Computers and workstations belonging to individuals are in fact typically less protected than corporate systems and, therefore, represent an easy target for malicious software. Confirming this hypothesis, it is possible to observe that attackers prefer to target small organisations, such as hotel chains, airlines and small banks, which they know (or hypothesize) to be endowed with less protection than the large companies. We shall see further on how this links up to the observations on the propensity of the businesses to pursue compliance with the standards and regulations and the effectiveness of the investments in information security (section 4.4.6). Nonetheless, the fraud analysis carried out by credit card companies or security solution providers shows that the prevalence of reserved credit


card data comes from attacks on merchant databases (or those of other operators involved in the payment processes), rather than PCs belonging to private individuals. Moreover, the studies did not reveal any significant geographic distinctions regarding the possible origin of this information. With regard to the sources providing this information, it should be noted that the result of the attack, even if carried out in a somewhat targeted manner, may sometimes provide more extensive results than those initially envisaged, especially if based on the spreading of malware (the versatility of which has already been discussed). The data obtained represents one of the sources which fuel commerce on the underground market.
In conclusion, in order to introduce a number of geographic observations, it can be added that it is the authorities in Eastern Europe who most fully perceive the varied nature of the field of action in information theft.

4.2.2 USE OF DATA TO CREATE COMPLETE IDENTITIES

As already seen in section 3, the information stolen by the fraudsters is in many cases resold and used for different purposes. Cyber criminals now seek to obtain as much information as possible, also from different sources. The wealth of the information stolen sometimes makes it possible to reconstruct a credible identity which can be deployed for various types of fraud. For example, stolen identities can be used to request the issue of credit cards (application fraud) or to purchase goods and services by surmounting the telephone checks.
Figure 24 and Figure 25 illustrate the perception of specialists in the law enforcement sector with regard to the kind of assets attacked, in relation to private individuals and organisations respectively. According to the perception of those interviewed in the law enforcement sphere, therefore, the attackers seem to concentrate precisely on that data which can be immediately turned into cash or which, in any event, makes it possible to create complex profiles that can be used for other types of fraud.
The graph shown in Figure 26 is also interesting in this sense, illustrating the most commonly attacked platforms according to the perception of the various categories of participants interviewed. What emerges is that the attacks are not limited to just home banking. This vision is very close to the actual situation, also on the basis of the opinion of the security experts and the data taken from the most up-to-date reports. According to the parties within the business and security sphere, all platforms appear to be subject to attacks, albeit with differences in intensity.

Observing the results of Figure 26 in particular, it is possible to state that:
• e-commerce is the platform indicated as the most attacked within the business and security sphere. This is attributable to the fact that e-commerce, understood as a general portal type, does not currently have robust countermeasures like home banking: thus it is weaker and more exposed to attacks;
• it can be observed that unexpected attacks still exist. For example, experts believe that fraud on online gaming platforms is one of the potential new frontiers for cyberfraud, but businesses do not have a significant perception of this phenomenon. This may establish an undue sense of security in businesses who present themselves on the Internet in a manner considered to be “not at risk”. As a rule, in fact, as illustrated in section 3, any website or service with a large number of users can in any event be turned into a threat, using it for example as “bait” for drive-by download;
• a different perception, meanwhile, was registered among participants from the law enforcement sector, maybe since it is linked above all else to the reports received, many of which concern cases of fraud relating to the abuse of home banking or other payment instruments. There is however considerable understanding of the risk of identity theft on social networks. Observers in the law enforcement field therefore do not seem to have a privileged view on a series of emerging phenomena, particularly when the loss of money to the detriment of the victims is not reported. This is once again attributable to the differing propensity of the organisations to report the attacks, and also to a different perception of the importance of the various types of data by all the parties involved: the credit card number is considered more critical and in any event involves a risk and/or damage of an economic nature, when compared with the credentials of a social network or an e-mail address.

Naturally, even though all the types of data are significant and help in the implementation of cyberfraud, a number of geographic distinctions are present, linked to the potential victim’s available funds in specific areas. In fact, the studies carried out by those taking part in the survey for the security sector reveal that the information with the highest market value is that stolen in the United States. By contrast, in Europe the information considered the most valuable comes from the UK, Germany, France, Italy and Spain.

Figure 24. “Which data or assets are most often stolen or compromised during cyber-attacks against individuals?” (Only in law enforcement sphere):
  other: 4%
  login data: 22%
  credit cards or other payment info: 22%
  personal data: 22%
  home banking credentials: 30%

Figure 25. “Which kind of data or assets are most often stolen or compromised during cyber-attacks against organizations/enterprises” (Only in law enforcement sphere):
  other: 5%
  know-how/patent: 5%
  institutional web sites: 11%
  commercial information: 21%
  confidential information: 21%
  credentials for financial operations: 37%

Figure 26. “According to your data or your perception, which are the most attacked services by cyber criminals..." (law enforcement / enterprise + security):
  other: 13% / 15%
  home banking: 40% / 20%
  enterprise web portals: 7% / 10%
  social web sites: 27% / 20%
  online gaming platforms: 0% / 5%
  e-commerce web sites: 13% / 30%


4.2.3 METHODS OF CHOOSING THE VICTIMS

The indications of the various participants have made it possible to more precisely characterise certain aspects regarding the methods used by cyber criminals when choosing their victims. Irrespective of the type of attack, the choice of the target is generally guided by various factors:
• the possibility of relatively easily overcoming the safety measures, for example when they are insufficient, affected by known vulnerabilities, or can be got round by means of exploiting the human factor;
• the possibility of converting information into money, and the ease of doing so. This is also valid in the case of attacks for the purpose of industrial espionage or the theft of intellectual property rights, which partly lie outside the scope of the survey;
• the importance of the chosen target, the most commonly considered factor with a view to APT type attacks, a type of attack which, as has already been seen, does not show any significant growth but nevertheless remains significant;
• the geographic vicinity to the target, due both to any need to physically interact with certain payment instruments, and to other “cultural reasons” (for example, in the case of social engineering attacks, where linguistic correctness is decisive).

It is also confirmed that malware is currently the preferred medium for the attacks, thanks to its “general purpose” functions and multi-purpose implementations. Sometimes attacks commence with large-scale infections where the targets are chosen randomly. Only subsequently are steps taken to assess the profit potential offered by the compromised asset.
Fraud based on phishing is still very common. However, in order to overcome the countermeasures, phishing is now achieved using more sophisticated techniques, capable of targeting specific services, even if extensive re-use of the texts is frequently seen, especially if produced in languages other than English. Once again in this case, mass campaigns are generally seen, with slight customizations made.
Returning briefly to APT attacks, which are instead highly selective on the target, those interviewed within the security and business sphere remarked on their persistence, even if it is not possible to characterise the techniques used beforehand, which, given the nature of the attack itself, are numerous and strongly directed at obtaining the chosen objectives.
In this regard, one very significant aspect with regard to the impact of the target choice on the outcome of the attack derives from certain analyses of the phenomenon of data breaches [11]: even if the targeted attacks (6) represent just one third of the cases considered in the study, they provide the attackers with around 89% of total data stolen, as shown in Figure 27.
The same attackers may in turn become victims: as already mentioned in section 3.2, there are malware creators who include phoning home elements in their creations, capable of transmitting the stolen information to their systems and not only to those of the attackers. Malware analysis experts show how the rippers also programme false backdoors, easy to identify and deactivate by less expert purchasers, and which have the function of sidetracking the latter with regard to the presence of other malicious code which is better camouflaged.

Figure 27. “Attack targeting by percentage of breaches (and records in red)” (Source: [11])

In contrast, it is possible to further characterise the choice of the targets in relation to the attacker’s position in the “fraud chain”, or rather the hierarchy mentioned in section 3.2.1:
• those who operate by developing attack tools or obtaining information by means of malware or violations of databases typically act on a vast scale, also without geographic distinction. The eventual sale of their services or information takes place via the typical channels of the underground market;
• those who by contrast use the information for the direct attainment of cash must often take into account the geographic restrictions. For example, certain payment cards do not permit cash withdrawal abroad and this could make any cloned cards or card data unusable outside the country of issue. In addition, certain types of fraud may require the physical presence of the fraudster in order to obtain the money;
• if the obtaining of the information requires material interaction with the target (for example, POS compromising, skimming installation, etc.), a decisive selection of the area and the type of target takes place, according to guidelines such as the assumed spending power, the ease of compromising the system, etc.

The interview revealed interesting observations regarding the perception participants have of the use of those criminal techniques currently considered extremely evolved, based on the utmost customization of the attack. These, for example, include spear phishing, smishing and vishing attacks. According to all the participants interviewed, the use of these techniques appears to be very limited in practice, at least at the moment. The interviewees who operate in the specific security sector also estimate this phenomenon to account for around 5% of the attacks.

(6) The term “targeted attack” refers to cases where the target is chosen first and only subsequently studied so as to identify its vulnerabilities.

4.3 ATTACK VECTORS

One of the subjects explored by the survey concerns the methods used by criminals to attack their targets. As described in section 3.1.3, security experts have already identified a series of recurrent methods: the intention in the survey is to look closer at these concepts on the basis of the participants’ experience.


Figure 28. “What is the most common method used to attack (your) customers/users?” (law enforcement / enterprise + security):
  both equally: 50% / 30%
  technological attacks: 0% / 30%
  social engineering techniques: 50% / 40%

Figure 29. "Which are the most common methods used to attack (your) organisation(s)?" (law enforcement / enterprise + security):
  other: 5% / 0%
  misconfigurations: 42% / 15%
  trespassing: 0% / 0%
  social engineering: 26% / 38%
  wire tapping: 0% / 0%
  malware: 26% / 46%

4.3.1 MOST COMMON AND EMERGING ATTACKS

What emerges from the declarations of the interviewees, especially in the security sector, is that phishing is still a very common phenomenon, even if the methods involved have changed. From a means of convincing users to surf clone websites and reveal their credentials, phishing has now been transformed into an instrument which induces the user to install malicious software on their own PC, or which gets them to surf infected websites. The social aspect of phishing, or rather the deceitful attainment of credentials to carry out fraudulent payments or transactions, is thus complemented by the technological aspects of the malware. The latter then implements the “misleading elements” on the user’s computer or workstation necessary for getting them to reveal their credentials, often intervening in the real time connections.
Initially analysing the distribution between the social and technological approaches in the attacks at a high level, the simultaneous use of both is confirmed in the results shown in Figure 28. It is interesting to observe how the majority of the interviewees believe purely technological attacks are now fairly uncommon, especially in the case of those interviewed from the law enforcement sector. In fact, from the point of view of an individual making the report, attacks are very often identified as phishing, and therefore classified as social engineering.
Going into detail with regard to the methods used in the attacks, the perception of the interviewees in the security sphere is that the phishing phenomenon has been more or less stable over time. As already seen, in fact, phishing no longer produces the results achieved in previous years in terms of success percentages, especially in countries which strengthen authentication requirements for accessing bank websites by means of one time passwords or similar mechanisms (UK, Spain, Germany, Italy). Due to the simplicity involved, however, phishing remains the most accessible technique for less expert fraudsters.
The same participants also confirm that malware has become the most common attack vector, as can be observed in Figure 29. The chief method used to spread malware today is malvertising: users are convinced to download software or visit infected websites by means of misleading online advertising, inserted in compromised websites or divulged via spam campaigns. Malvertising is linked to elements such as false anti-viruses and drive-by download, which have already been dealt with when analysing the context of the survey.
Not all fraud takes place exclusively through IT-based actions. Many incidences of fraud involve the physical intervention of the fraudster, at least for the cashout stage, i.e. the use of cloned cards at ATMs or in sales outlets. The acquisition of information from these sites also still takes place to a large extent by means of physically violating the devices which interact with the cards (for example: POS). In this regard, it should however be borne in mind that certain devices, which were once considered violable only via physical manipulation, are today partly vulnerable to cyber attacks, since they are increasingly similar to PCs (virtual POS replacing POS, ATMs which provide an increasingly greater variety of application services).
The most recent cases of attack also highlight the constant extension of the families of systems chosen as targets by criminals. Experts in the security sphere agree that mobile devices (smartphones) will soon be the new targets of violations, even if at present the phenomenon is still limited. The same infection strategies and the same fraud applicable to PCs are in fact used on mobile terminals. Furthermore, the violation of a mobile terminal opens up new possibilities of fraud: for example, the attacker may gain a profit from sending messages and making calls to numbers which involve a high cost without the knowledge of the owner.
The model for supplying the software for mobile platforms at present has a series of limitations and implies behaviour which increases the exposure risk of the mobile devices.
In conclusion, the infection of cellular devices, together with that of PCs, if achieved by means of “cross-infection” approaches (cell phones which infect PCs, or vice versa), may cancel out the presumed independence between these two channels, thereby permitting a fraudster to violate authentication/authorization mechanisms which use the cell phone as a channel for confirming the transactions (7).

4.3.2 RELATIONSHIP BETWEEN ATTACK AND TARGET INFORMATION

The survey has also looked in depth at the relationship between the attack made and the data which represents the attacker’s end target. Those interviewed in the security sphere agree on the fact that the attacks are generally created to act in relation to specific targets. Many compromises take place in the systems of companies and organisations, which also hold information which can be directly turned into cash. In the case of phishing attacks as well, increasingly more sophisticated “bait” tends to be created.
The various types of attack share an extensive use of malware, installed by exploiting vulnerabilities, configuration errors, or increasingly more often through the collaboration of the victims, achieved by means of social engineering techniques.
It can be observed that the attacks, in order to be created and configured on the basis of the chosen target, often require a preliminary study of the victim. The use of the multi-purpose attack tool helps in this sense, since it can provide the attacker with an extremely wide quantity of results of a type which may also differ from that expected. This surplus, which aids the aforementioned preliminary analysis, may not be directly usable by the attacker, but might be valuable to other criminals. Therefore relationships for the exchange of skills between the various criminal groups are established, in which a more skilled group is involved for an improved exploitation of the vulnerability or the access obtained. For example, it may occur that an attacker, specialised in the theft of home banking credentials, infects a computer or workstation with access to the company network by means of a keylogger. After having obtained the credentials for accessing the home banking, he might hand over any network passwords intercepted to other attackers more interested in company systems.
It is also appropriate to note that, in the interviewees’ opinion, the role of insiders (understood as disloyal employees who have an in-depth knowledge of the systems and data) is by now relevant almost exclusively in cases of theft of intellectual property or industrial espionage (the same applies to the role of former employees and former consultants). This is however just a perception of the practitioners, given the obvious difficulty in obtaining precise information on this phenomenon. A number of those interviewed in the law enforcement sector indicated that no more than 20% of the attacks come from insiders or former employees.
A case apart from the general trend just mentioned is represented by the role which the parties who have physical access to the premises where the technology to be compromised resides can have (cleaning staff, clerks and similar), still considered to be a possible medium for specific types of compromise. Certain cases of POS violation, for example, have been traced back to these methods, even if sometimes the connivance of the merchants themselves is involved.
Figure 30 shows the situation relating to information stolen by agents within and outside the companies: as can be seen, the role of the insiders is by no means negligible in terms of the number of attacks, but the attacks made by them are not significant if observed in terms of the volume of stolen data [11].

Figure 30. Involvement of internal staff in stealing company data (2009) (Source: [11])

(7) Cross infection, for example, may exploit the communication mechanisms between the PC and the mobile terminal, such as software for synchronization with, or connections to, the local network.


4.3.3 CHOOSING THE LEVEL OF COMPLEXITY OF THE ATTACK

The low level of complexity of the attacks is another factor on which all the participants in the survey agree. In practice, the attacks tend to feature the minimum complexity necessary for surmounting the mechanisms which protect the data or the asset. In the case of home banking, for example, the use of malware installed on the machine of the victim is seen mainly in those countries where a one-time password authentication mechanism has been introduced, which in fact requires this kind of approach (e.g. man-in-the-browser). Where possible, especially in relation to the violation of company systems, configuration errors in the targets are exploited. However, the analysis and reconstruction of the event after the fact, when implemented, rarely leads to a discovery of the traces of particularly complex attacks, which thus risk passing unobserved or not being fully comprehended, even if they have produced visible end results. A number of studies on the phenomenon of data breaches [11] illustrate the lack of visibility on the systems and on the data with regard to many companies, which therefore are often not able to comprehend the exact methods by which the information leaks out (an aspect looked at in more depth further on). Moreover, the same studies show that even if the complex attacks are only a minimal part of the total (15%), they produce the greatest damage in terms of stolen information (87% of the total), as can be clearly seen in Figure 31.
However, a marked difference between the perceptions of the interviewees in the various spheres emerges. Within the law enforcement sphere, in fact, a clear association between cyberfraud and simple attacks emerges. The factors regarding the propensity of the victims to report the attacks, as discussed further on, may partly explain this difference.

Figure 31. "Attack difficulty by percentage of breaches and records” (Source: [11]).

Figure 32. "Concerning complexity of the attacks […], most of the attacks are:…"


4.4 EFFICACY OF ATTACKS AND DETECTION

Attack vectors and enabling techniques have been discussed in the previous sections. The presentation of the results continues with indications regarding the efficacy of the cyberfraud, and the methods via which the attacks are detected. Furthermore, the subjects already touched on relating to the propensity of the various victims to report cases of cyberfraud, as well as the role of the IT outsourcers and the compliance processes, are looked at in more depth.

4.4.1 EFFICACY OF VARIOUS TYPES OF ATTACK

The efficacy of the various attack vectors can be analysed from two standpoints: while on the one hand, there is an increase in stolen information, on the other it seems to be more difficult to convert this information into cash.
Take, for example, the case of phishing. The percentage of users who lose their credentials during this type of attack has decreased over the years (after the boom in 2005) to values lower than 0.1% [27]. This low percentage of “contacts” has never significantly discouraged the attackers, given the possibility of achieving vast spam campaigns for the purpose of phishing at low costs. During the survey, however, it emerged that today phishing – also when it permits the theft of operating credentials – ends up in the actual theft of money from the victim only in 25% of cases (approximately), thereby causing a decrease in the overall profitability of the campaigns. The attacks are therefore moving more frequently towards more efficient techniques, such as malware for example. It is sufficient to consider what is currently taking place with regard to spam via email: according to those taking part from the security sphere, in fact, the number of emails used as vectors for installing malicious software on the PCs of the users is much higher than those used for purely social attacks, such as phishing involving direct requests for credentials.


4.4.2 PERCEPTION BY THE VARIOUS PARTIES OF THE METHODS WHICH CAN BE USED TO ATTACK THEM

One of the most interesting results emerging from the survey is the conflicting perception of the various parties regarding the types of attack, their efficacy and, in particular, the potential target. Studies carried out by participants with a more analytical and wider view of the cyberfraud phenomenon show that individuals and businesses often have a scant perception of the methods used to attack them [17]. With regard to the perception of the risk of fraud in the interaction with various types of online services, it is possible to state that:
• there is a perception that online channels involve certain risks, both for portals which enable financial transactions and for social websites or other portals which handle personal information;
• in general (with the exception of certain cases, including Italy⁸) actors are aware that malware plays an important role in cyberfraud, even more so than phishing.

⁸ By way of confirmation of this fact, some of the Italian participants from the law enforcement sphere involved in the survey indicated that in the reports received for cases of cyberfraud, according to the injured party "it is always phishing".

Generally speaking, the interviewees do not agree that private individuals and businesses have a marked awareness of the cybercrime phenomenon. In detail, as Figure 33 reveals, those interviewed agree in attributing insufficient awareness to private individuals, whilst they have slightly contrasting opinions when talking of businesses (Figure 34). In this second case, those interviewed from the business and security sphere attributed greater awareness to businesses than the participants from the law enforcement sphere did. It should be considered that the opinions of law enforcement authorities mainly concern small businesses (which can often be regarded as "individuals" from a computer literacy point of view) and Public Administration.

The difference in opinion may, however, depend on the fact that a significant part of those interviewed admitted that they had only a partial picture of the phenomenon. In this sense, 50% of the participants from the law enforcement sphere believe that their analysis cannot explain the entire phenomenon. This percentage drops to 31% for the interviewees from the business and security sphere, but in any event remains a symptom of a limited view at individual level. This limitation could be overcome by means of initiatives which encourage greater collaboration amongst all the players involved, as examined further on.

[Figure 33. "Do you think that individuals are sufficiently aware of the cybercrime phenomenon? Do they have a perception of the amount of unsuccessful attacks they receive every day (e.g. filtered phishing emails, blocked malware)?" Bar chart, enterprise + security vs law enforcement; values as extracted: no 90% / 71%, yes 10% / 29%.]

[Figure 34. "Do you think that organizations in general are sufficiently aware of the cybercrime phenomenon? Do they have a perception of the quantity of unsuccessful attacks they receive every day?" Bar chart, enterprise + security vs law enforcement; values as extracted: no 60% / 43%, yes 40% / 57%.]

Despite the awareness of the risk associated with cyberfraud, the potential victims' inexact perception of the methods which can be used to attack them probably contributes to the fact that users continue to "transfer" their personal details to various types of websites and online services. Studies carried out at global level show that only a minority of users are persuaded not to input their personal details online, despite being aware that the services in question may be compromised and that said data could be stolen [10]; see the graph relating to Social Networks in Figure 35.

[Figure 35. Impact of the perception of the risk on the propensity to input personal details on Social Networks (Source: [10]).]

With regard to businesses, it is evident that purely technological investments predominate in fighting threats to IT security, without the panorama of attacks or phenomena of which the companies themselves are victims being particularly clear. Specifically, consider Figure 36, which revises certain data from a study carried out by [20] and presents the responses of security managers within companies regarding various types of basic events: a partial lack of awareness of these themes is present, even if, compared with the last few years, there has been a constant improvement [18].

[Figure 36. "Percentage of respondents who don't know basic information about the risks to their company's information assets" (Data source: [20]).]

Furthermore, part of the investments intended to fight cybercrime are instead used to achieve compliance with standards, regulations and internal security policies, which, again according to the participants in the study cited above, do not necessarily correspond to an effective improvement in IT security. All these elements are reflected in the type of reports presented, as examined in depth in the following section.


4.4.3 PROPENSITY OF VICTIMS TO REPORT THE ATTACK

The propensity of the victims of attacks to report such events, according to those interviewed, is influenced by numerous factors and, above all, differs according to the type of victim attacked.

Individuals are, in general, highly inclined to report an attack suffered. This is also because the report in many cases is an unavoidable step for launching any refund procedure following events such as phishing or credit card abuse. Furthermore, according to those interviewed from the law enforcement sphere, over the last few years individuals have grown more confident in the capabilities and expertise of law enforcement authorities in this area.

The main reasons which lead users not to report cyberfraud attacks are generally linked to the negligible nature of the damage, or to reputational factors, for example when the fraud is associated with uncontrolled gaming websites. In this regard, see Figure 37, which also shows that reasons linked to the possibly illegal nature of the user's own behaviour at the time of the attack, such as installing pirated software infected by malware, are of little importance.

[Figure 37. "What are the reasons that explain the reluctance of individuals to report attacks?" (Only in law enforcement sphere) Values: complex procedures if compared to the damage 47%; reputational consequences 35%; dread about legal consequences 12%; other 6%.]

According to all those interviewed, businesses show a lower propensity to report. The main reason lies in the attempt to avoid media scandals or reputational damage, as shown in the graph in Figure 38. Supporting this, it emerged that businesses implement very stringent policies with regard to reports and, before presenting them, carefully assess all the factors in play, including any reputational damage. Another element which affects the propensity of businesses to report cyberfraud attacks is linked to the legislation in force in countries such as the United States and the UK: there, businesses are more inclined to report these events, since reporting data breaches or suspected data theft is mandatory. Another factor

[Figure 38. "What are the reasons that explain the reluctance of businesses to report attacks?" (Only in law enforcement sphere) Values: low benefits and reputational damage 75%; greater confidence in inquiry competences 17%; other 8%; dread about legal consequences 0%.]


which may push a company to make a report is a simultaneous report made by a customer.

Considering the above, it is also comprehensible (and confirmed by the perception of those interviewed from the law enforcement sphere) that businesses are not inclined to report thwarted attack attempts (i.e. unsuccessful attacks), even when they are able to detect them (Figure 39).

The causes which may stop businesses from reporting attacks suffered should not include the fear of legal consequences of preliminary analysis and investigation activities carried out internally by the companies (a subject dealt with in section 4.5.2). These activities, as shown in the graph in Figure 40, are on the contrary considered by the authorities to be generally useful for resolving cases. What is more, those interviewed from the law enforcement sphere believe that companies are justified in implementing defensive controls or activities to protect their business.

[Figure 39. "Are enterprises inclined to report unsuccessful attacks, e.g. firewall alerts about perimeter violation attempts, data theft attempts etc.?" (Only in law enforcement sphere) Values: no 90%; yes 10%.]

[Figure 40. "Are preliminary analyses performed by enterprises useful in order to support the reports? Are they usually performed avoiding unwanted alterations in the digital evidence?" (Only in law enforcement sphere) Values: yes (under certain conditions) 67%; it depends on the specific case 22%; no (or in particular circumstances) 11%.]


4.4.4 METHODS AND TIMESCALES FOR DETECTING ATTACKS

According to all the interviewees, individual users mainly discover that they have been victims of a cyber attack after suffering direct damage. Figure 41 shows in detail the opinion of the participants from the security and business sphere concerning detection methods. This is confirmed at international level by the data held by the Internet Crime Complaint Center: among the fraud schemes reported in the United States (shown in Figure 42), those which involve direct damage to the user, such as failure to deliver goods, credential theft, credit card data theft, etc., stand out. Equally, although it emerged that certain law enforcement authorities also accept reports of mere attack attempts, according to the general opinion of participants from the law enforcement sphere these events are rarely reported proactively.

[Figure 41. "(Your) customers/users usually discover attacks after:" (only in the business and security sphere) Values: direct damage 70%; scheduled PC check-up 10%; intervention of a cybercrime expert 10%; other 10%.]

[Figure 42. Cyberfraud in 2010 (Source: [20]).]

With regard to the methods for detecting attacks suffered by businesses, the participants in the survey express no single view: the matter is difficult to comprehend, also due to the low propensity of companies to report attacks, mentioned previously. According to those interviewed from the business and security sphere (Figure 43), the main methods are internal monitoring and control activities, along with the contribution of organizations specialised in information security. The interviewees from the law enforcement sphere have a different perception, probably influenced by the type of reports they receive from businesses. The graph in Figure 44 reveals that direct damage (to the company or to its users) is the most frequent means of detecting attacks, even though the contribution of the aforementioned internal monitoring activities is acknowledged in some cases.

[Figure 43. "(Your) organization(s) usually discovers it is under attack:" (only in the business and security sphere) Values: internal monitoring 36%; intervention of cybercrime specialized companies 21%; external alert 14%; direct damage 14%; auditing procedures 7%; other 7%.]

[Figure 44. "According to data from the reports you deal with, or in your perception, enterprises/organizations usually detect they are under attack:" (Only in the law enforcement sphere) Values: direct damage 56%; internal monitoring 19%; external alert 13%; intervention of cybercrime specialized companies 13%; auditing procedures 0%; other 0%.]

In conclusion, it should be mentioned that businesses are not always able to detect the attacks they fall victim to, often due to a lack of visibility of the problems. For example, one of the main themes (related to the aforementioned lack of visibility of data) is sensitive data which is duplicated or shared without observing company security policies and is therefore no longer under the complete control of the company: access, uses or anomalies may then go undetected. The theft of such data, referred to as "unknown unknowns", cannot be traced by the company [11]. Control of access to confidential data is another matter closely related to this subject: obsolete and unduly held privileges are a further problem that may lead to data leakage. Figure 45 shows that, while the number of attacks of this type has dropped (histogram), their efficacy has improved considerably (red line).

[Figure 45. "Unknown Unknowns by percentage of breaches (bars) and percentage of records (line)" (Source: [11]).]


4.4.5 THE ROLE OF THE TECHNOLOGICAL OUTSOURCER AND THE SECURITY SOLUTION PROVIDER

Technological outsourcers and security solution providers are important players in the prevention of, and the investigations into, cybercrime attacks against businesses, even though they cover different roles and functions. As the graph in Figure 46 reveals, all the participants assign an important role to technological outsourcers. Analysing the impressions of those interviewed from the business sphere in greater detail, however, indications emerge which partly go against the trend, since the role of the outsourcer is often seen as important only in supporting the analysis carried out after the fact. Businesses in fact tend to handle security processes internally or, possibly, entrust them to expert firms in the sector, such as security solution providers. Businesses recognize the specialised role of security solution providers, who are involved in analysis and support activities in the case of incidents and are also considered the main source of security alerts and advisory services.

[Figure 46. "Regarding enterprises, do you think that outsourcers and solution providers have a proactive and significant role in discovering and reporting attacks?" Bar chart, enterprise + security vs law enforcement; values as extracted: no 30% / 25%, yes 70% / 75%.]

4.4.6 THE ROLE OF AUDIT AND COMPLIANCE ACTIVITIES

Compliance activities, apart from those specific to the PCI-DSS⁹ standard, do not seem to have a role of primary importance in discovering vulnerabilities or possible points of information leakage and access violation. In the opinion of the interviewees, in many cases these activities are not fast enough to keep pace with the dynamics of cybercrime, and indeed a large percentage of them are intended purely to comply with regulations. Confirming this, according to the CISOs¹⁰, back in 2008 there was a misalignment between the costs of compliance and those really aimed at raising the level of security protecting the business [19], as shown in Figure 47. Similar studies [20] repeated in 2011 show that the need to comply with "legal/regulatory requirements" still represents one of the main expenditure drivers in information security, in Europe (35% of the CISOs interviewed) and even more so in the USA (55% of the CISOs interviewed).

⁹ Payment Card Industry Data Security Standard
¹⁰ Chief Information Security Officer: the individuals responsible for the information security of businesses

[Figure 47. "Percentage of senior business and IT executives who report that security policies and security spending are completely aligned with business objectives" (Source: [19]).]

In this sense, compliance with the PCI-DSS standard represents a symbolic case. According to the findings of studies [11] carried out on US companies subject to data breaches, compliance did not appear to be particularly widespread, even if it is increasing (Figure 48). The causes of this can be identified in the limitations which this security standard imposes on company processes. The PCI-DSS, in fact, requires that transaction information is stored in protected format and kept only for the period strictly necessary, and it restricts the retention of certain data altogether (for example the CVV2 code on the back of the card, which may not be retained after authorisation). This involves higher costs for all businesses which decide to keep card data in their databases, for example in order to provide services which require repeated charges to the customer's card, precisely because of the restriction on keeping some of that data.

[Figure 48. "PCI DSS compliance status based on last assessment" (Source: [11]).]

The interviews reveal a similar situation in the European context as well. The participants in the survey from the business and security sphere emphasise that compliance with standards in general represents an additional cost for businesses in terms of expenditure, and a loss of business opportunities. For this reason, the credit card brands and the issuers, who require merchants to comply with the PCI-DSS standard, carefully assess the cost/benefit trade-off. The investment necessary to raise the level of compliance must be justified by a benefit, namely a decrease in the fraud risk and in its economic impact. As long as the impact remains below a threshold considered acceptable, there is no real reason to set more stringent levels of compliance. On the other hand, again according to [20], 56% of the CISOs interviewed believe that the legislative/regulatory sphere has become more complex and intricate, and items such as "risk reduction score" and "potential revenue impact" are indicated by 30% and 27% of CISOs respectively as justification for the role of information security within their businesses.
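The three constraints on stored card data that the text attributes to PCI-DSS (protected storage, minimal retention, no retention of the CVV2) can be made concrete. The following is an added example written for this edition of the text, not code from the survey or from any standard body: the application record holds only a random token and a masked PAN, the full PAN lives in a separate vault so that repeated charges remain possible, the CVV2 is never copied into anything that persists, and records past their retention period are purged together with their vault entry. `CardVault`, `StoredCard`, the retention period and the sample payment form are all constructed for the illustration; this is the logic of the requirement, not an implementation of the standard.

```python
"""
Added example (not part of the EECTF survey): the three constraints on stored
card data that the text attributes to PCI DSS, written out as logic. The
application database keeps only a token and a masked PAN; the full PAN lives
in a separate vault (needed for repeated charges); the CVV2 is used for the
authorisation in flight and is never persisted; records are purged once the
retention period has elapsed. Class names and sample data are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class CardVault:
    """Maps tokens to full PANs. In a real deployment this store is encrypted,
    access-restricted and audited separately from the application database."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = secrets.token_hex(16)  # random; carries no card information
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]

    def forget(self, token):
        self._pan_by_token.pop(token, None)

    def count(self):
        return len(self._pan_by_token)


@dataclass
class StoredCard:
    """What the application database is allowed to hold: no PAN, no CVV2."""
    token: str
    masked_pan: str
    expiry: str          # MM/YY, needed to know when to re-request card details
    stored_at: datetime


def mask_pan(pan):
    """Keep the first six (BIN) and last four digits; everything else is replaced."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(payment_form, vault, now):
    """Turn a raw payment form (constructed dict) into a StoredCard.
    The form's CVV2, if present, is deliberately never read here: it belongs
    to the authorisation request, not to anything that is stored."""
    pan = payment_form["pan"]
    return StoredCard(
        token=vault.tokenize(pan),
        masked_pan=mask_pan(pan),
        expiry=payment_form["expiry"],
        stored_at=now,
    )


def purge_expired(records, vault, now, retention_days):
    """Drop records older than the retention period and remove their PAN from the vault."""
    kept, purged = [], []
    for rec in records:
        if now - rec.stored_at > timedelta(days=retention_days):
            vault.forget(rec.token)
            purged.append(rec.token)
        else:
            kept.append(rec)
    return kept, purged


def demo():
    """Constructed walk-through: store a card, charge it again, then purge it."""
    vault = CardVault()
    now = datetime(2011, 6, 1, tzinfo=timezone.utc)
    form = {"pan": "4111 1111 1111 1111", "expiry": "12/13", "cvv2": "123"}  # constructed
    rec = prepare_for_storage(form, vault, now)
    repeat_charge_pan = vault.detokenize(rec.token)  # the recurring-billing path
    kept, purged = purge_expired([rec], vault, now + timedelta(days=400), retention_days=365)
    return {
        "masked_pan": rec.masked_pan,
        "record_has_cvv2": hasattr(rec, "cvv2"),
        "repeat_charge_pan": repeat_charge_pan,
        "kept": len(kept),
        "purged_this_token": purged == [rec.token],
        "vault_size_after_purge": vault.count(),
    }


if __name__ == "__main__":
    print(demo())
```

The cost the text describes shows up directly in this structure: the vault is a second, more heavily protected system that exists only because the merchant wants repeated charges; a merchant that does not need them can drop the vault and keep nothing but the masked PAN.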


The last part of the presentation of the results is dedicated to the methods used by the various parties involved in fighting cyberfraud (first of all the law enforcement authorities) to carry out investigations, reconstruct responsibility for the events and collaborate in order to break up criminal organisations. The subject of collaboration is developed at length herein and analysed from various standpoints, also highlighting the limits of the current approaches.

4.5 PERFORMANCE AND OUTCOME OF THE INVESTIGATIONS

4.5.1 EFFICACY OF THE INVESTIGATIONS AND TYPICAL RESULTS

The first sphere explored, relating to the survey results, concerns the type of parties involved in cases of cybercrime. According to those interviewed from the business and security sphere, the majority of attacks come from individuals, as shown in Figure 49. However, looking closer at this aspect, the interviewees acknowledge that these individuals may be part of criminal organisations, in the sense that the organisations merely provide them with support, such as attack tools. The same question, put to participants from the law enforcement sphere, gave different results: in this case the involvement of both types of party is evident (Figure 50). Analysing the different responses of interviewees from Eastern Europe and Western Europe, an essential difference emerges: in the first case, investigations mainly highlight the involvement of individuals, while in the second, groups and organisations are identified, typically made up of three or more individuals.

[Figure 49. "Cybercrimes against (your) customers/users or (your) organization are mostly committed by whom?" (only in the business and security sphere) Values: individuals 83%; both in equal measure 17%; organizations 0%.]

[Figure 50. "In the cases you deal with, cybercrimes are mainly committed by which kind of party?" (Only in the law enforcement sphere) Values: individuals 40%; organizations 30%; both in equal measure 30%.]

Another characteristic which emerged relates to the foothold in the territory of the groups which actually carry out the attack, given the need to turn stolen data into cash. The kind of figures present in the territory varies with the type of attack: for example, mules may be present to withdraw money or make credit transfers.

The information emerging about the skills and expertise of the attackers is also interesting: the results of the investigations appear in various cases to confirm that, with regard to current cyberfraud, attackers do not have high technical skills. On the underground market, as already mentioned, numerous ready-to-use tools are available, which can be purchased and customised to order, and which do not require any particular experience. Confirmation of this comes from the fact that certain criminals have been identified partly thanks to traces left in e-mail communications: an expert attacker would not use this type of channel without precautions. Another aspect which emerged concerns the hierarchical model of these organisations, entirely similar to that briefly described in section 3.1.1. In some cases, international organisations operate throughout the territory via localised cells, using mechanisms for sub-contracting the activities and redistributing the revenues. A typical case in this sense is currently phishing, now marginal with respect to the main business.

With regard to the location of the command centres of these organisations, the margin of uncertainty expressed by the interviewees is high. Despite this, those interviewed from the law enforcement sphere indicated that the organisations are probably based mainly in Eastern Europe and in countries of the former Soviet bloc. With regard to Western Europe, mention was made of Italy, Spain and Germany. Outside the Old Continent, China, Brazil (considered a rapidly developing centre of expertise) and certain African nations, such as Nigeria and Ghana, were also indicated. In Africa, the main reason for the development of such illegal phenomena can be sought in the absence of a solid legislative framework in this sphere. The United States is also involved, mainly due to the immigration of members of criminal organisations.

The difficulty in identifying international organisations has repercussions on the possibility of breaking them up following investigations into specific cases of cyberfraud. Those interviewed indicated that in the majority of cases where law enforcement authorities investigate local groups, the results are excellent. The scenario involving the identification and break-up of organisations structured at international level is much more complex. In such cases, international collaboration mechanisms are essential, but unfortunately present certain limits, which will be dealt with in more depth further on.

With regard to the efficacy of investigations with a view to prosecution in court, it is possible to establish from the indications which have emerged that, at least in Europe, once those responsible have been correctly identified in the nation in which they have a foothold, in the majority of cases the trials conclude satisfactorily, as shown by the graph in Figure 51.

[Figure 51. "How often, after the victim's report and a successful investigation, do trials lead to a satisfactory conclusion?" (Only in the law enforcement sphere) Values: often 50%; sometimes 30%; always 20%; never 0%.]

The wide convergence of opinion probably indicates the growing awareness and competence of the judiciaries involved. This could also be an effect of specialisation initiatives, such as the division into districts that took place in Italy. These initiatives envisage that cases of cyberfraud are the responsibility of specific judiciaries, which can therefore count on more targeted skills and trained professionals. Another phenomenon which, according to the interviewees, contributes to the positive conclusion of trials is the involvement, during investigations, of police divisions highly specialised in cybercrime. These corps are now present in many nations, and their intervention improves the efficacy of investigations and the gathering of evidence.

On the other hand, there is the opinion of those interviewees who declare that only sometimes the outcome of

the trials is satisfactory, conditioned by the perception that, despite intense investigative efforts and well-formulated allegations, mechanisms exist, such as plea bargaining or bail, which permit release from prison or a sharp reduction in the sentence.

Another significant aspect to be included among the outcomes of investigations is the possibility for the victim to regain possession of the stolen asset or to obtain compensation. This possibility is essentially linked to the type of fraud and to the speed with which it has been detected. By way of explanation, a number of generalisations which can be inferred from the interviews are indicated:
• in the event of banking fraud, the perception of the participants from the law enforcement sphere is that, when it is possible to identify and block the account before the effective transfer, the victim can be compensated. Otherwise, the possibility of compensation varies case by case and depends on the willingness of the banks to bear the loss, or on the assessment of the ruling court;
• in the case of credit card fraud, by contrast, the issuers undertake the liability to compensate, subject to the user reporting the matter, accompanied by the statement from the law enforcement authorities. This strengthens the observations already made in section 4.4.6 relating to the business logic behind investments in fighting fraud.

[Figure 52. "Do you believe that the dynamics of your analysis are fast enough to be compatible with the fast evolving world of cybercrime?" Bar chart, enterprise + security vs law enforcement; values as extracted: no 67% / 17%, yes 33% / 83%.]

[Figure 53. "Which are the techniques applied to investigation on cyber-attacks that provide the main or more useful information, in order to proceed to trial?" (Only in the law enforcement sphere) Values: both 90%; traditional investigation 10%; computer analysis 0%; other 0%.]

Lastly, the matter of the dynamic nature of the cyberfraud phenomenon emerged, which is perceived differently by those interviewed according to the sphere they belong to, as shown in Figure 52. While those in the law enforcement sphere stated that they are not able to keep up completely with the rate at which cybercrime is evolving, the majority of those in the business and security sphere maintain the contrary, basing their reasons also on the presence of specific internal divisions tasked with


studying the latest trends in this connection.

Co-operation between the various players is generally indicated as one of the routes for improving the efficiency and speed of the fight against cybercrime. This accompanies the creation of groups of interest or organisations which promote the exchange of expertise and the diffusion of information about the latest fraud schemes, which are the main goals of the EECTF.

4.5.2 THE INVESTIGATION TECHNIQUES AND THE ROLE OF THE PRELIMINARY ANALYSIS ON THE USER/BUSINESS SIDE

[Figure 54. "Can you see any trend in the last years in giving to digital evidence and computer analysis an increasing relevance and probative value?" (Only in the law enforcement sphere) Values: yes 90%; no 10%.]

[Figure 55. "How often is computer analysis a decisive factor in determining what has happened?" (Only in the law enforcement sphere) Values: often 60%; sometimes 40%; almost never 0%; never 0%.]

Another aspect dealt with during the survey concerns the investigation techniques used by law enforcement authorities to solve cases of cyberfraud. The survey reveals that investigations cannot dispense with the combined use of IT and traditional techniques. Those interviewed from the law enforcement sphere confirmed that physical methods, such as monitoring monetary flows, phone tapping, tailing suspects and similar techniques, will continue to be widely adopted and to produce significant results, as shown in the graph in Figure 53. The IT investigation techniques, according to some interviewees, often represent just the start of the entire investigation process. According to one interviewee, for instance, even if the PC involved in an attack is identified through IT investigation techniques, traditional methods are still the best way to identify the attacker in flesh and blood. In any case, there is a clear tendency to assign an increasingly important role to sources of digital evidence during investigations (Figure 54). Most of the interviewees nevertheless agree that IT investigation methods will never completely replace the classic methods. Naturally, the appropriateness of using IT or traditional techniques to solve a case varies with the specific fraud in question. Those interviewed from the law enforcement sphere confirmed that, nowadays, digital evidence is often the

Page 54: 2011 EECTF European Cybercrime Survey · A cybercrime is a type of crime that involves the abuse of information te-chnology [1]. The term cybercrime co-vers a series of crimes which

54

starting point on which to build a cor-rect investigation which permits theassignment of the right responsibili-ties (Figure 55).Besides this fact, theinterviewees appear to agree on theutility of the digital evidence also du-ring trials, assigning it an essentiallyprobatory value, even if there aresome who exclude this eventuality(Figure 56).With regard to the investigations, afactor of primary interest concernsthe appropriateness of the active in-volvement of the victims in providinginformation. The debate on this sub-ject is quite important: if the evidenceis digital, when elements are not han-dled or extracted using the properprecautions, the analysis carried outby the victims can cause a “contami-nation”, making the evidence uselessfor a further forensics examination.The interviews revealed two differentopinions: on the one hand, prelimi-nary analysis are without doubt use-ful, and may improve the credibility ofthe reporting and facilitates the under-taking. On the other hand, certain au-thorities discourage theimplementation of such practices, li-miting them to strictly indispensablesupport. The above is valid as a rule. However,when the victims are businesses,those interviewed remarked that pre-liminary internal analysis can be use-ful to find traces left on the companysystems. In general, internal investi-gations seems to do not prejudice thepossibility of using collected evidencefor further official investigations, evenwhen this takes place before officialacquisition. There are then authoritieswho prefer to assess this opportunitycase by case (Figure 57).The survey aimed to understand whe-ther law enforcement authorities han-dle priorities, for instance choosing tohelp some type of victims first. 
Thegraph in Figure 58 shows that thehandling is essentially equal for allthose reporting attacks.The few discrepancies with regard tothe mainly predominant opinion canbe linked to the need to protect thevictim who has been attacked in pro-portion to the impact which the attackhas on the economic funds of said

Figure 56. “How often does digital evidence provide not only useful clues and indications,but also has probative value during the trial? (Only within the law enforcement sphere)

law enforcement

0%

10%

30%

60%

0% 20% 40% 60%

never

almost never

sometimes

often

law enforcement

22%

11%

67%

0% 20% 40% 60% 80%

it depends onthe specific case

no (or in particularcircumstances)

yes (undercertain conditions)

law enforcement

80%

10%

10%

0% 20% 40% 60% 80%

both equally

enterprises

individuals

Figure 57. “Are preliminary analyses performed by enterprises useful in order to support thereports? Are they usually performed avoiding unwanted alterations in the digital evidence?”(Only in the law enforcement sphere)

Figure 58. “To which kind of subject is your organization more inclined to give priority whenhandling reports/signals?” (Only in the law enforcement sphere)

Page 55: 2011 EECTF European Cybercrime Survey · A cybercrime is a type of crime that involves the abuse of information te-chnology [1]. The term cybercrime co-vers a series of crimes which

55

party. Furthermore, cases which re-ceive particular attention are thosewhich involve infrastructures of parti-

The law enforcement representativesindicate that the collaboration bet-ween the parties attacked and thelaw enforcement authorities has evol-ved over the last few years, even ifthere is still room for improvements.The development of this relationshipbetween the various parties for thepurpose of fighting cyberfraud can betraced back to two principal reasons.The first is of a legislative nature: cer-tain countries developed strict regula-tions which oblige the businesses toreport cases of data breach whichlead to the divulgation of financialdata or that on clients. The secondreason concerns a complex increasein awareness about the importance ofthe cyberfraud phenomenon, whichhas led to openings in the relation-ships between private companies andthe law enforcement authorities. Forexample, while in the past, US IT ser-vice providers showed reticence indialoguing with European law enfor-cement authorities, now they showmore willingness, up to the point ofestablishing permanent relationships.Collaboration with the law enforce-ment authorities, as it is only right toexpect, varies according to the victimattacked. Private individuals, asidefrom the already discussed reasonswhich may push them not to reportpossible crimes, generally offerample collaboration when they decideto contact the authorities, within thelimits of that which falls under theirresponsibility. With regard to businesses, the sub-ject is influenced by their little inclina-tion to report cybercrime. In thisconnection, according to the indica-tions expressed by those taking partin the survey within the law enforce-

Figure 59 - “Which organizations do you (or enterprises in general) turn to first for assi-stance?” (only in the business and security spheres)

7%

20%

27%

47%

0% 20% 40% 60%

legals

others

security solutionproviders

lawenforcement

enterprise + security

cular criticality and strategic relevancefor the State, so as to avoid impacts onthe whole Country system involved.

4.5.3 COLLABORATION BETWEEN THE

VICTIMS ATTACKED AND THE LA ENFORCEMENT

AUTHORITIES (EFFICACY AND LIMITS)

ment sphere, the companies couldperform a more active role in impro-ving the handling of the investigationsand make them more efficient bymeans of greater collaboration withthe law enforcement authorities. Indetail, companies could provide agreater quantity of data pertaining tothe attacks suffered, not only in theevent the fraud takes place but also inthe case that it is internally prevented.This information would permit the au-thorities to monitor the evolution ofthe fraud schemes and of the cyber-fraud phenomenon. There is also evi-dence that in some cases, smallbusinesses would be extremely incli-ned to collaborate, but bureaucraticcomplexities and legal fulfilmentsconsequent to the reporting of the at-tack represent an obstacle.The tendency towards the growingwillingness of businesses to improvetheir collaboration with the law enfor-

Page 56: 2011 EECTF European Cybercrime Survey · A cybercrime is a type of crime that involves the abuse of information te-chnology [1]. The term cybercrime co-vers a series of crimes which

56

cement authorities is confirmed bythe interviews, in which the partici-pants from the business and securitysphere - although they believe thelevel of involvement of the securitysolution providers to be important - in-dicate the law enforcement authori-ties as the main party to co-operate incases of cyberfraud (Figure 59).
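The “contamination” risk raised in section 4.5.2, that a victim’s preliminary analysis can alter digital evidence and spoil it for a later forensic examination, is normally countered by fixing a cryptographic digest of every evidence item at the moment it is secured and re-checking that digest before any examination, working on copies rather than on the acquired item. The following Python example is added here to illustrate that precaution; it is not part of the EECTF survey or of any tool mentioned in it, and the file names, contents and the appended “analyst” line are constructed sample data.

```python
"""Evidence integrity check: hash at acquisition, verify before analysis.

Added example, not part of the EECTF survey. The manifest records a
SHA-256 digest per evidence item when the item is first secured; any
later analysis step re-verifies the current content against the
manifest, so an alteration ("contamination") is detected instead of
being silently carried into the forensic examination.
"""
import hashlib
from typing import Dict

# Constructed sample evidence: byte content of two items exactly as they
# were at acquisition time (not real case data).
ACQUIRED: Dict[str, bytes] = {
    "mail_gateway.log": b"2011-03-02 10:14:51 deliver from=sender@example.invalid to=cfo\n",
    "invoice.pdf": b"%PDF-1.4\n%constructed invoice body\n",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of *data* as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: Dict[str, bytes]) -> Dict[str, str]:
    """Record name -> digest for every item at acquisition time.

    In practice the manifest is stored separately from the evidence
    (and itself signed or witnessed) so it cannot be edited together
    with the items it protects.
    """
    return {name: sha256_hex(content) for name, content in items.items()}


def verify(items: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare the current content of each item against the manifest.

    Returns name -> one of "ok", "altered", "missing" (listed in the
    manifest but no longer present) or "unlisted" (present but never
    recorded, so without a provenance record).
    """
    report: Dict[str, str] = {}
    for name, digest in manifest.items():
        if name not in items:
            report[name] = "missing"
        elif sha256_hex(items[name]) != digest:
            report[name] = "altered"
        else:
            report[name] = "ok"
    for name in items:
        if name not in manifest:
            report[name] = "unlisted"
    return report


def contaminated_copy(items: Dict[str, bytes]) -> Dict[str, bytes]:
    """Simulate a careless preliminary analysis.

    A viewer or script appends an audit line to the log it opened; the
    record is now different from what was acquired. Constructed scenario.
    """
    tampered = dict(items)
    tampered["mail_gateway.log"] += b"2011-03-05 09:00:00 ANALYST opened file\n"
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(ACQUIRED)
    print("clean copy:       ", verify(ACQUIRED, manifest))
    print("after careless use:", verify(contaminated_copy(ACQUIRED), manifest))
```

Running the block shows every item as "ok" against the pristine copy and flags `mail_gateway.log` as "altered" once the simulated analysis has touched it; the manifest check is what lets a business perform its own preliminary look at the data on a working copy while still being able to demonstrate to the authorities that the original remained untouched.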

In conclusion, from the point of view of prevention, it emerges that the various security solution providers and intelligence agencies collaborate with the law enforcement authorities for the reporting of new forms of fraud without any particular geographic distinctions.

4.5.4 COLLABORATION BETWEEN THE VARIOUS LAW ENFORCEMENT AUTHORITIES IN EUROPE (CHANNELS AND LIMITS)

Collaboration between the various law enforcement authorities, at European level, is formalized and ratified by inter-state agreements such as the “Council of Europe Convention on Cybercrime” (Budapest Convention), and the presence of bodies which, like the EECTF, encourage the voluntary co-operation between those who actively fight the phenomenon of cybercrime. On an operating level, in the investigations into a specific case, the co-operation between the various law enforcement authorities, for gathering and exchanging digital evidence, takes place through various channels, including:

• official channels (in particular using the mechanism of international letter rogatory);

• bilateral or multilateral mutual assistance agreements;

• interpersonal relationships.

The participants in the survey belonging to the law enforcement sphere, as shown in the graph in Figure 60, maintain that mechanisms such as the international letter rogatory and bilateral agreements are the most commonly used channels for co-operation purposes. Bilateral agreements emerge as being less binding and bureaucratic than official channels, but more formal and structured than mere collaboration and personal relationships. The latter, by the way, are very much used in the first instance, since they also permit extremely rapid response times: even if they remain on an unstructured and informal level, in certain cases they are the only instrument enabling efficient resistance to specific attacks, and which are compatible with the timescales of the phenomenon in question. International letter rogatory is an indispensable instrument for making sure that the digital evidence can have a probatory value. Nonetheless, despite the fact the instrument is indicated as most commonly used by the law enforcement authorities, it presents a number of problems. According to the interviewees, international requests are time and management effort consuming for all the parties involved. In detail, the procedure is influenced by the “sensitivity” of the magistrates who follow the same in the various countries concerned: personal relationships from this point of view may help to steer the official process towards those who are particularly aware of the subject matter. As illustrated in the graph in Figure 61, those interviewed in the law enforcement sphere maintain that the chief problem is in any event linked to the timescales which often are not compatible with the investigations underway. Another opinion which has emerged is that this channel can be used with reasonable efficiency in the countries where specific collaboration agreements are acknowledged and where the procedures for handling the cases are standardized, while in other circumstances it risks introducing delays which may compromise the possibility of using the material requested. In the cases where the evidence is indispensable for the continuation of the investigations, personal relationships may lead to prompter responses. The problem is also partly addressed by the Budapest Convention, which introduced the possibility of “freezing” the data necessary for the investigations, so that the waiting time due to the international request process is compatible with that of the investigation itself.

Figure 60. “Which means are more often used in order to acquire digital evidence from different countries?” (Only in the law enforcement sphere) [chart, law enforcement: official inter-state channels 44%, cooperation agreements 38%, personal relationship 19%, other 0%]

Figure 61. “Which are the main issues you can see in the ‘international rogatory letter’ mechanism?” (Only in the law enforcement sphere) [chart, law enforcement: timing 41%, procedure complexity 32%, number of subjects involved 27%, other 0%]

From a geographic point of view, co-operation between the law enforcement authorities in the EU is becoming a consolidated and frequent practice, involving also the most recent members. The main relational problems remain with countries such as Russia and with a number of Asian nations, where certain legislative shortfalls on the subject of cybercrime still exist. In the opinion of the interviewees, collaboration between the European authorities and the US law enforcement authorities is by contrast variable and fluctuates between periods of great collaboration and others when the flow of information goes in one direction only (essentially from Europe to the USA). Recently, collaboration with US law enforcement authorities seems to take place more often, mostly thanks to the rising awareness about the utility of information exchange. Such propensity has led, for example, to the creation of bodies such as the EECTF, as a point of fact importing the American approach for the fight against cybercrime into Europe. The subject of collaboration between the law enforcement authorities is without doubt important. From the interviewees’ point of view, the presence of occasions for periodically sharing ideas, meeting with other professionals and exchanging information emerges as essential, for the purpose of making the investigation processes more efficient and reducing the timescales.


5 Final observations

This final section contains an overview of the key elements emerging from the analysis and a summary of the concepts which help to define the DNA of the cyberfraud attacks, according to the dimensions established in the introduction (agents, threats, purpose, specializations, detection, investigations).

5.1 KEY ELEMENTS EMERGING DURING THE SURVEY

The analysis of the survey’s results highlighted a series of key elements which characterise cybercrime and the fight against it in Europe. These elements are illustrated below.

Discrepancy between the reality and perception of cyberfraud

Cybercrime, and more specifically cyberfraud, is now highly structured and not many entities have a complete overview of it. This is made even more difficult by the extremely dynamic nature of the cybercrime environment, which does not always permit the consolidation of effective methods and the “sedimentation” of expertise. In the opinion of participants, the users represent the weak link in the chain for fighting fraud. Although their awareness of the fraud risk has increased over the years, it is still inadequate. The same observation can be applied to businesses as well, apart from those belonging to sectors which are specifically and historically victims of cybercrime. Major companies that are fairly unaccustomed to dealing with attacks on their IT systems represent today one of the main sources of divulgation of confidential information, facilitating fraud against themselves and against their customers.

Key role of malware in implementing all types of fraud

Also in light of the growing pervasiveness of ICT, the role of malware in implementing many types of fraud is increasingly evident. The growing efficacy of malicious software, its growing versatility, increasingly greater ability to mimic and the ease with which it is disseminated are all factors which contribute to the implementation of massive attack campaigns, which may vary greatly in nature. On the one hand, malware is used to attack private users, spy on them and steal sensitive data, or include their workstations in worldwide botnets. At the same time, it is becoming the technological means by which attackers compromise the IT systems of companies. The hazardous conduct of employees often allows malware to infect their workstation and assume an optimum position from which the attacker can launch offensives against the company. In both cases, “social engineering” is one of the main means of spreading malware on a large scale. This complicates the action taken to fight it.

Business logic as a driver for fighting cyberfraud

Companies have started to understand the risks and effects of cybercrime and have therefore begun to consider it in their risk management plans. This is a positive development as it enables countermeasures to be introduced. However, the presence of a “residual” threshold remains in all risk plans, and it is generally tolerated since the cost of reducing it further would outweigh the potential damage produced by the fraud. In practice, the illegal profit linked to the phenomenon of cyberfraud can be contained, but it is highly unlikely that it can be completely avoided. Compliance with best practices and regulations can help organisations achieve levels of security sufficient for partially resisting attacks. However, this represents a cost and therefore, in the absence of further obligations, not all companies are inclined to make important investments in this field.

Perception of the important role played by law enforcement authorities in the fight against cybercrime

The survey highlighted the growing recognition by victims of the skills of the law enforcement authorities tasked with handling cases of cyberfraud. Law enforcement authorities increasingly represent the first point of contact for private users that require assistance. By contrast, it is noted that businesses are far more reluctant to officially report attacks they have fallen victim to, unless these fall within the spheres in which it is mandatory to file such reports or the attacks have already been reported by their clients. This tendency is mainly due to the different criteria which guide the assessment of the cost/benefit ratio by businesses when declaring their exposure to attacks, and does not invalidate the perception that they have of the value of the support that they can receive from the authorities. An increasing number of businesses are establishing points of preferential contact for co-operation with the law enforcement authorities to support their investigations.

Growing request for increasingly effective and extensive collaboration

The survey portrays a picture in which there is an objective need for collaboration between all parties involved in the fight against cyberfraud. This is also confirmed by the responses of the interviewees: 93% of those who participated in the survey agree on the need for constant dialogue between parties. Greater collaboration could make the fight against cybercrime more effective: on the one hand, it would permit swifter investigations, on the other it would facilitate the reporting of new scenarios, attacks and emerging trends. The fight against cybercrime could benefit greatly from a round table for the fast, efficient and bureaucracy-free exchange of information. This channel could facilitate the exchange of information between the authorities and improve communication between the victims of attacks and the authorities themselves. Furthermore, it might encourage co-operation between law enforcement authorities and those businesses that are affected by cybercrime on a daily basis. At present, in fact, law enforcement authorities report a certain difficulty in remaining constantly updated on such a rapidly evolving phenomenon.


Figure 62. General anatomy of the attacks, and indication of the point of view of various types of parties involved


5.2 ANATOMY OF A CYBERFRAUD ATTACK

Analysis of the information provided by those interviewed has made it possible to trace a clear picture of the European cybercrime situation. On the basis of this result, it is possible to characterise the elements of the conceptual diagram relating to the anatomy of the cyberfraud attacks (initially drafted in Figure 2 - section 1):

• Agent: one common belief is that the majority of the attacks come from outside, by virtue of the ongoing evolution of malware and social attacks. However, there are specific spheres or types of attacks where internal parties, knowingly involved, play an important role. This said, internal parties are generally unaware of their involvement: just think of the social techniques for obtaining confidential information and for getting users to install malware on their systems. As a rule, the knowing involvement of internal parties is limited to specific spheres. The external agents actively involved in the attack are of different types: they range from individuals to organisations, also of noteworthy complexity.

• Action/vectors (Threats): the common perception is that the most common attacks are social attacks, mainly phishing, and more recently (but not in all countries) the use of malware for directly intercepting data which enables the use of home banking services or the online use of credit cards. This is certainly true. However, those who work in the sector understand that a predominant role in the leak of information is today attributable to the exploitation of configuration errors or inadequate security levels within company systems. Often, these vulnerabilities can be found directly in merchant systems. Also, the physical factors of the attack should not be underestimated: there is evidence of cases where the cyberfraud is enabled by physical access to structures, even if, in the end, it comes down to IT measures.

• Target/purpose (Aim): once again, the general opinion, especially with regard to the types of parties less familiarised with the problems analysed, seems to be that cyberfraud attacks those systems which permit the attainment of information from which an immediate profit can be gained (e.g. home banking credentials). The survey shows, however, that attackers target many types of information, even that not directly transformable into cash, but which can be used to enable complex fraud (spear phishing, etc.) or permit the accomplishment of other attacks (for example of a social nature). The results also show that practically every IT system and online service is a potential target. The databases of large organisations, however, remain very attractive targets as it is possible to obtain a great quantity of information from them which can then be directly or indirectly turned into cash (e.g. credit card numbers).

• Specialization: the first impression, extremely widespread among the interviewees, is that the targets are chosen by macro-category and on the basis of considerations linked to the “cashout” possibility that they offer. Even if this is the most common choice criterion, the selection of victims can also be made after the first intrusion, by means of an initial collation of a great quantity of information, also initially undifferentiated, and a subsequent selection also aimed at the sale of such information on the underground market. With regard to the complexity of the attacks, one very common opinion is that attackers use as little complexity as possible to obtain the target data of the attack. This leads to decreasing levels of success thanks also, for example, to the increasing awareness of potential victims. However, very complex attacks are already visible as well, brought about by means of innovative techniques (such as smishing, i.e. phishing via SMS) or extremely refined combinations of various techniques.

• Detection: it is interesting to note how the detection of the attacks mainly takes place as a result of external reports, even though the internal information security monitoring activities provide an undoubted form of support. With regard to the audit, on the other hand, the perception is that internal auditing activities are not fast enough compared with the dynamics of cybercrime. This, as a point of fact, makes the audit a tool which is not always effective for fighting cybercrime. The businesses who are victims of attacks often believe it appropriate to autonomously implement activities for detecting possible violations, even if over the last few years there has been an increasing involvement of the law enforcement authorities, increasingly recognized as a source of expertise.

• Investigation/analysis: the subject of the reconstruction of the event with regard to a cyberfraud attack is very complex and refers back to several subjects including the numerousness of the parties involved, the existence of effective forms of co-operation, the methods for initiating the investigation activities and the necessary existence of a shared and widespread skill base which makes the comprehension and the combating of the phenomena possible. It is interesting to note how, in the interviewees’ opinion, not only IT related skills are required but that traditional investigation techniques are also very much used. The importance of the latter is not however under discussion, either now or in the future. The typical outcome of an investigation is the reconstruction of the chain of responsibility associated with the attack. Compensation of the victims is a more problematic aspect and often is not guaranteed.

Essential differences in the attack methods in the involved parties emerge when one considers the geographic dimension: as a rule, cyberfraud is carried out where there is the greatest availability of money, and where greater ease of intrusion and compromise is detected. Specific cases take place in specific countries, but it generally emerges that organisations and individual fraudsters choose the targets internationally, on the basis of the trade-off between the two elements mentioned. Also extending the scope outside the European Union, and subsequently to the USA, the principle appears to maintain its validity. The countries in the former Soviet bloc are generally thought of as the area where the “brains” of cybercrime are located. They govern the complicated relationships which rule in the world of cybercrime or provide the means for committing such crimes. An analysis of the distribution of cyber criminals revealed how other countries also have an influential role: China in Asia, Nigeria and Ghana in Africa, and Brazil in South America are the places perceived as the most active in this sector. Even the nations of Western Europe and the United States are not immune to the presence of these organizations. The conceptual map in Figure 62 summarizes the overall scheme, on the basis of the observations made previously, and expands the first characterization with various related details. These details include those which, on the basis of an aggregate and high level valuation of the information collated, are perceived as the most relevant or recurrent by the parties involved in attacks, divided up between the various types initially identified (private individuals, businesses, authorities).


It is interesting to note that, with regard to many aspects which characterise the anatomy of the attack, there is often a partial view of the factors from the point of view of the different categories of interviewees considered (private individuals, businesses and law enforcement authorities). This is a key factor in describing why they feel the need to compare and share experiences, each according to its role. Nevertheless, many of them, according to the information and the impressions emerging from those interviewed, tend to define or classify this type of attack in a more limited manner than the real complexity. This could lower the efficacy of the fight against cybercrime. This leads also to a further observation, which is confirmed in the results emerging from the survey: factors such as the ongoing improvement of the methods for sharing information, the rising awareness of all parties involved in fighting the phenomenon, the creation of new channels for the divulgation of knowledge, may represent a decisive factor in the fight against cyberfraud. Once again, the survey highlights the need for collaboration and knowledge transfer between the actors involved: this has been already analysed with regard to various perspectives during the survey. The next section provides a specific analysis of the role of an organization such as EECTF, which could operate in an increasingly focused and efficient manner in order to answer to the general need for collaboration.

5.3 THE EECTF’S ROLE AND ITS CONTRIBUTION TO FIGHTING CYBERCRIME

Within the sphere of the survey, the interviewees were asked to give their opinion on the potential role which associations and bodies such as the EECTF could play in the fight against cybercrime. The majority of indications regard the aim of information-sharing and creating knowledge, but it was also noted how bodies such as EECTF could undoubtedly contribute to creating those personal relationships which are very useful for improving operations in cases of international investigation into cybercrime. The perception of the general utility emerges clearly from the graph in Figure 63, which illustrates the opinion of all types of participants. The point-specific analysis of the responses reveals a number of aspects to be taken into account in order to improve the overall efficacy of the initiative and differentiate it from other workgroups or round tables with the same purposes. These points are summarised below, in revised and aggregate form.

Figure 63. “Do you believe that the creation of an organization with the aim of promoting direct cooperation between public subjects and individuals directly involved in the cybercrime contrast may help to fight the cybercrime, increasing the awareness about this phenomenon?” (Aggregation of all the answers of the participants) [chart: yes 71%; yes, under certain assumptions 22%; no 7%]

First of all, there is an acknowledgement of the organisation’s role as an enabler for enhancing the relationships between the members. This role is already one of the EECTF’s main goals. The undoubted utility of reciprocal awareness with a view to future informal collaboration on the cases has been largely explained in this document. This would facilitate a concrete improvement in the comprehension of the reciprocal activities, leading to focused and efficient requests for collaboration among members.

Another key issue is the promotion of training initiatives, especially with regard to the judiciary profession (which, in general, has little IT background). Shared awareness is one of the conditions for the satisfactory outcome of the trials: the presence of specialized judiciary departments is also in line with initiatives aimed at a progressive centralisation of the skills on specific offences. The interviewees believe, especially those in the law enforcement sphere, that the EECTF may have a significant role in this way.

On a more general note, the EECTF is also seen as a useful source of ideas relating to new types of cyber threats or trends regarding known threats. Organisations such as the EECTF may help to spread knowledge regarding new fraud scenarios which, if known in advance, can be studied in order to provide efficient solutions to fight them. Efficient and periodic communication could permit the prompt identification of new organisations created in the territory where each EECTF member works. This would encourage co-ordinated and rapid intervention, capable of crushing the criminal organisations before they spread or move to other countries.

All the above should take place, in the opinion of those interviewed, maintaining a reference target which envisages the presence within the EECTF of parties directly involved in the everyday activities for fighting the cyberfraud. This should occur by maintaining co-operation on a level of solid and active operations, delegating more institutional roles and tasks to other round tables.


Bibliography

1. Wikipedia, Crimine Informatico (Computer crime), http://it.wikipedia.org/wiki/Crimine_Informatico
2. Wikipedia, Black hat, http://it.wikipedia.org/wiki/Black_hat
3. F. Paget, Cybercrime and Hacktivism, McAfee Labs, 2010
4. M.J. McKeown, Cyber World – Identity Theft, NICSA
5. Securelist – Information about Viruses, Hackers and Spam, http://www.securelist.com/
6. S.J. Murdoch et al., Chip and PIN is Broken, 2010 IEEE Symposium on Security and Privacy
7. F. Bosco, La cooperazione internazionale nel settore del cybercrime (International cooperation in the field of cybercrime), UNICRI
8. Trend Micro, TrendLabs Global Threat Trends 1H 2010, http://bit.ly/9liWwZ
9. Symantec, MessageLabs Intelligence Security Report 2010, http://bit.ly/h2efZS
10. RSA, RSA 2010 Global Online Consumer Security Survey, 2010, http://bit.ly/b2YsKJ
11. Verizon, Data Breach Investigations Report, 2010, http://bit.ly/fX2AGD
12. Microsoft, Security Intelligence Report, 2010, http://www.microsoft.com/security/sir/
13. IBM, Internet Security Systems Blog, http://www.iss.net
14. G. Dotta, Metti una spia su Facebook (Put a spy on Facebook), WebNews, http://bit.ly/eDPC7z
15. Symantec, Global Internet Security Threat Report, April 2010
16. Symantec, Report on the Underground Economy, November 2008
17. RSA, RSA 2010 Global Online Consumer Security Survey: European Results, 2010
18. PricewaterhouseCoopers, The Global State of Information Security, 2008
19. PricewaterhouseCoopers, Safeguarding the new currency of business. Findings from the 2008 Global State of Information Security Study, 2008, http://bit.ly/hShIXp
20. PricewaterhouseCoopers, Respected – but still restrained. Findings from the 2011 Global State of Information Security Survey, 2011, http://bit.ly/bfARaR
21. Internet Crime Complaint Center, http://www.ic3.gov
22. RSA Anti-Fraud Command Center (AFCC)
23. I. Aharoni, Rogue Merchant Testing, RSA, EECTF 2010
24. Internet Identity, Phishing Trend Reports, http://bit.ly/e26seE
25. RSA, Malware and Enterprise, 2010, http://bit.ly/adaBae
26. Ponemon Institute, First Annual Cost of Cyber Crime Study, 2010, http://bit.ly/bgT0LX
27. ABI Lab, La sicurezza informatica in Banca (IT security in banking), 2010
28. RSA, Online Fraud Report, November 2010, http://bit.ly/bcTBPR


Glossary

Drive-by download: An attack in which malware is downloaded from the Internet without the user's knowledge; the download can be triggered simply by visiting a compromised website or opening an e-mail attachment.

APT (Advanced Persistent Threat): Advanced and clandestine means of gaining continual, persistent intelligence on an individual or an organisation, such as a foreign nation-state government or an enterprise. Attacks make use of the full spectrum of intelligence-gathering techniques and of coordinated human involvement.

Phoning home: The communication performed by an application or a device in order to report a user's information or data to a server, without the user's knowledge.

Backdoor: An access point to a system that allows its security control mechanisms to be bypassed. A backdoor allows an attacker to access the computer's resources while avoiding detection.

Spear phishing: A targeted phishing attack against a specific organisation: e-mail messages appear to be sent by colleagues or other legitimate people inside the organisation, which makes the attack more credible.

Smishing (SMS phishing): A phishing attack performed via mobile phone text messages: a smishing message usually contains an enticing text that redirects the recipient to a website, or to an automated voice response system, in order to steal personal or financial information.

Vishing (voice phishing): A phishing attack that uses landline telephony systems to persuade someone to perform unintended actions, for example a fake bank call centre asking a customer to provide his or her financial information or web banking credentials.

Malvertising: The attempt to distribute malware through advertising campaigns. Possible attack vectors include malicious code hidden within advertising creatives, embedded in a web page, or bundled within software downloads.


Man-in-the-browser: A Trojan that infects a web browser and is able to modify pages or transaction content transparently, so that neither the user nor the server application notices the change.

Botnet: A collection of infected PCs connected to the Internet that can be controlled remotely by a malicious user. A botnet can be used to launch attacks against other systems, such as DDoS (Distributed Denial of Service), or to harvest information from a huge number of users.

Skimmer: A device that reads and retransmits the information stored on the magnetic stripe of a credit or debit card.


EECTF, a task force against cybercrime

The European Electronic Crime Task Force (EECTF) carries out a series of activities concerning the analysis, examination and prevention of those criminal acts which are increasingly common on the Web and which threaten the security of IT services, such as digital theft, attacks on institutions and any other type of cybercrime. The EECTF therefore aims to define new techniques and instruments for the prevention, detection, combating and investigation of these crimes, in Europe and worldwide.

The Task Force originates from an agreement between Poste Italiane, the Polizia Postale and the US Secret Service (the US government agency which, since 1865, has been in charge of investigating counterfeiting and fraud, and which today is also entrusted with the protection of the US President).

The EECTF was established on 30 June 2009 in Rome through the signing of a memorandum of understanding between the Chief Executive of Poste Italiane (the Italian Post Office), Massimo Sarmi, the Chief of the Italian Police, Antonio Manganelli, and the Director of the US Secret Service, Mark Sullivan. In May 2010 the Global Cyber Security Center joined the EECTF. On 17 November 2010 the EECTF welcomed two new members: American Express and RSA (the Security Division of EMC). During 2011 the EECTF's board will dedicate itself, among other things, to the recruitment of other important international organisations into the project.

Given the global nature of the cyber threat, the task force intends to play a leading role, at both European and international level, in enabling the players involved in fighting cybercrime to share their information and expertise. It is therefore a body that is open to the participation of both private and institutional partners who share a commitment to fighting cybercrime.