The front line in the war on cybercrime can be an unrelenting place. Those tasked with bringing cyber-criminals to heel work long hours for relatively low pay. But they also offer an arguably unique insight into the cybercrime landscape which we can all learn from. Two new reports from the European Union and the UK are a great example.
Both Europol’s Internet organised crime threat assessment 2023 and the National Crime Agency (NCA)’s National Strategic Assessment reports have one thing in common: they emphasize the criticality of data to the cybercrime economy.
Here’s what we can learn from the reports, in greater detail:
1- Data is the main commodity of the cybercrime economyStolen data is both bought for and produced by various cyber-attack types, Europol says. It could be log-ins which enable hackers to hijack employee or customer accounts. It could be personally identifiable information (PII) that can be leveraged for use in fraud (see below). It could be trade secrets sold to the highest bidder. It could be customer or corporate information held to ransom by extortionists. It could even be highly sensitive personal information that sextortionists try to use for blackmail.
Europol also warns that the type of stolen data available on criminal markets is changing. It is no longer only static data such as card details, but increasingly “is compiled of a number of datapoints retrieved from victims’ malware-infected devices.” Whatever type it is, it needs to be better protected.
2- Data theft is fuelling a fraud epidemicWhile data is the main commodity of the cybercrime economy in general, it’s driving a particular surge in fraud. NCA director general, Graeme Biggar, warns that fraud now accounts for over 40% of all crime in the UK, with three-quarters of adults targeted by scammers in 2022—many of them online.
“The internet has enabled fraud to be undertaken at scale, anonymously, and from overseas,” he says.
The data fuelling this fraud is typically PII, financial details and logins. It could be phished directly from victims, but often it’s breached en masse from corporate data stores. The inability of organizations to keep this under lock and key ultimately has a devastating impact on downstream victims, through no fault of their own. If this data were protected in the first instance, the impact could be significantly reduced.
3- The same victims are often targeted multiple timesNo organization is 100% breach proof. But following an incident, a victim corporation could be forgiven for thinking the worst is over. They would be wrong. According to Europol, cyber-criminals are increasingly victimizing the same company multiple times. This happens because internet access brokers (IABs), who sell access to corporate networks, usually do so to multiple attack groups. That means the same credentials or vulnerability exploits may be used by multiple threat groups. This makes it more important than ever that organizations focus security first on data protection.
4- The cybercrime supply chain is well establishedThe cybercrime economy is estimated to be worth trillions annually today. That doesn’t happen by accident. As Europol explains, it’s a product of a well-oiled machine comprised of many moving parts—professional criminals with discrete specialisms. These range from the aforementioned IABs to malware developers, providers of “crypters” designed to hide malware, bulletproof hosters and sellers of counter-antivirus (CAV) services. They all congregate around cybercrime forums and marketplaces.
“Fraud and cybercrime are enabled by criminal marketplaces, where you can buy hacked personal data, victim lists, accesses, and capabilities. All these professional services can make life easier for organized criminals,” says Biggar.
5- Humans remain the weakest link in the chainCyber-criminals are nothing if not opportunistic. That means they’re always primed to take advantage of any gap in corporate security. Unfortunately, they continue to have a significant and unwitting ally in the form of corporate employees. That makes phishing a key access vector for data compromise, one made more attractive by the ready availability of phishing kits which have lowered the barrier to entry for cyber-criminals, says Europol.
The NCA’s Biggar also warns of the emerging threat from generative AI in this area, enabling criminals to “write more compelling phishing emails.” If threat actors continue to harvest corporate log-ins via phishing emails, it’s going to be increasingly difficult to stop them from breaching networks. Once again, that puts the focus on protecting the data.
That’s the bad news. But there’s also something more positive to takeaway from the reports.
“The impact of such attacks can be significant, but the solution can be simple: basic cyber security will defeat most attacks and it is important all organisations invest in it,” says Biggar.
One of the most important steps to achieving this kind of cyber hygiene should be data-centric security in the form of encryption or tokenization. By protecting what matters most, organizations can significantly mitigate financial, reputational and compliance risk. Even better, they can help to disrupt an entire cybercrime economy enabled by data theft.