cyber crime inventory and networks in non-ict sectors


FP7-SEC-2013.2.5-2

Grant Agreement Number 607775

Collaborative Project

E-CRIME

“The economic impacts of cyber crime”

D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ICT sectors

Deliverable submitted in January in fulfilment of the requirements of the FP7 project, E-CRIME – The economic impacts of cyber crime

This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement n° 607775.

E-CRIME Coordinator:

Trilateral Research & Consulting (TRI)

Crown House

72 Hammersmith Road

London

14 8TH

T: +44 207 559 3550

www.ecrime-project.eu

Project Acronym: E-CRIME

Project full title: The economic impacts of cyber crime

Website: www.ecrime-project.eu

Grant Agreement #: 607775

Funding Scheme: FP7-SEC-2013-1

Deliverable number: D2.2

Title: Executive summary and brief: Cyber crime inventory and networks in non-ICT sectors

Due date: 03/03/15

Actual submission date: 03/03/15

Lead contractor: Tallinn University of Technology

Contact: Rain Ottis

Authors: Tiia Sõmer, Rain Ottis, Toomas Lepik

Reviewers: INT and TUD

Dissemination Level:

Contents

- Introduction
- Taxonomy and inventory
- Costs of cyber crime
- Cyber criminal revenue
- Legislation
- Culture
- Journey mapping
- Victims of cyber crime
- Cyber crime networks and ecosystem
- Perpetrators of cyber crime
- Conclusion

Introduction

Cyber crime is growing in intensity, and modern criminals seem to have clear, almost business-like objectives. The issue of cyber crime is complex, and in order to understand it better, deeper insight into all the different aspects related to cyber crime is needed.

The current deliverable is a part of the E-CRIME project. In this work package, the aim was to analyse the structures and drivers behind cyber crime, their economies and criminal revenue streams; and to develop perpetrator and victim “journeys”. We have provided an overview of the cost of cybercrime and cultural aspects related to cybercrime, and presented journey maps for both victims of cyber crime and the perpetrators of cyber crime. The work undertaken is based on literature review and expert interviews, but also a questionnaire to stakeholders developed as part of the current work.

This report is being published at an early stage in the three-year E-CRIME project because of its significance to other work packages. The results presented above will feed into WP4 on economic impact and analysis, the gap analysis in WP7 and will be used as additional input for determining critical interventions to deter criminals in WP8.

This report presents the results of the work performed in respect of Tasks 2.3 and 2.4 of WP2. Task 2.3 consisted of developing and distributing a questionnaire to key stakeholders in order to collect additional real-life information. The results of this questionnaire were fed into Task 2.4, the aim of which was mapping of cyber crime “journeys” and structures.

Taxonomy and inventory

The concept of cyber crime is problematic because it is open to a variety of social, political, practical and scientific interpretations and explanations. The definition adopted for the E-CRIME project initially was broad, including all cyber activities supporting crime in any aspects. However, in the course of project development and initial findings, the consortium has redefined the area of research and the focus for taxonomy and journey mapping to include legal and practical considerations stemming from the selected non-ICT sectors (i.e., energy, financial services, health, retail, and transport). This was motivated mostly by the need to develop taxonomy and journey mapping which can effectively be used as an input for identifying not only practical, but also inter- and cross-sector opportunities or solutions to manage threats from cyber crime.

For this, the current work had to be firmly based on a shared understanding of what is legally considered as cyber crime, while at the same time being economically relevant to the identified non-ICT sectors. In order to do that we have initially used the Council of Europe Convention on Cybercrime (2001). As a result the work undertaken in this research focused on offences against the confidentiality, integrity and availability of computer systems and data; computer related offences (forgery, fraud); and offences related to infringements of copyright and related rights. The consortium decided not to cover content-related offences, since these are not economically relevant for the non-ICT sectors selected for the purposes of this analysis; namely energy, financial services, health, retail, and transport. The final taxonomy developed is presented in Table 1.

Columns: CoE Convention; Alkaabi Subgroup; Alkaabi Crime

(Article 2) Illegal access
    1A - Unauthorised Access: 1. Hacking
    2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain: 3. Privacy

(Article 3) Illegal interception
    1D - Theft or Misuse of Services: 2. Misuse of Services

(Article 4) Data interference
    1B - Malicious Code: 1. Virus; 2. Worm; 3. Trojan Horse; 4. Software Bomb
    2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain: 4. Sabotage

(Article 5) System interference
    1B - Malicious Code: 1. Virus; 2. Worm; 3. Trojan Horse; 4. Software Bomb
    1C - Interruption of Services: 1. Disrupting Computer Services; 2. Denying Computer Services
    2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain: 4. Sabotage

(Article 6) Misuse of devices
    1D - Theft or Misuse of Services: 1. Theft of Services; 2. Misuse of Services
    2C - Improper Uses of Communications: 1. Harassment; 3. Cyber-stalking; 4. Spamming; 5. Conspiracy; 6. Extortion (not Critical Infrastructure Threats); 7. Drug Trafficking; 8. Social Engineering

(Article 7) Computer-related forgery
    2A - Content Violations: 7. Forgery / Counterfeit Documents

(Article 8) Computer-related fraud
    2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain: 1. Identity Theft; 2. Online Fraud; 5. Telemarketing / Internet Fraud; 6. Electronic Manipulation of Markets
    2C - Improper Uses of Communications: 2. Online Money Laundering

(Article 9) Offences related to child pornography
    2A - Content Violations: 1. Child Pornography

(Article 10) Offences related to infringements of copyright and related rights
    2A - Content Violations: 5. Copyright Crimes; 6. Intellectual property

Table 1. E-CRIME cyber crime taxonomy

Costs of cyber crime

An essential element in analysing the impact of cybercrime is to measure its costs. Most studies reviewed for the current research do not provide definitive, widely accepted results. The cost estimates usually cover known direct costs related to detected cyber crimes, or provide speculative extrapolations of single cases to the overall population. The criminal revenues and direct losses, reported by the victims, provide important information in relation to cyber crime. Direct losses are the monetary equivalent of losses and damages directly felt by the victim of a cybercrime. These can be money withdrawn from the victim's account, time and effort to reset credentials, but also hidden costs (i.e. distress suffered). The criminal revenue is the monetary equivalent of the gross receipts from a crime. But there are also indirect costs of cyber crime: the monetary equivalent of the losses and opportunity costs imposed on society, such as loss of trust in online banking, reduced trust in electronic services, or efforts to clean infected devices. An important element is also defence costs, or the monetary equivalent of prevention (security products, browser extensions, security services, training). Even though defence costs cannot be attributed to any particular criminal attack, they are still part of the overall costs of cyber crime. As a result of the work undertaken, we would like to emphasise the importance of indirect losses and defence costs in analysing the cost of cyber crime. The collection of new data, to be conducted in work package 4, and the economic framework to be developed in work package 6 of the E-CRIME project, should take into account the need to consider indirect and defence costs together with direct costs.

Cyber criminal revenue

While much is written about the costs of cyber-crime, the headline figures available typically focus on the negative economic impact to the victims. However, published research into how much profit specific cyber-criminal entities are making is sparse. The cost to an individual or organisation from a cyber attack does not directly equate to the amount of tangible profit the cyber-criminal receives. Based on our research we can conclude that at least some types of cyber-crimes are profitable, otherwise there would be much less interest in them. However, in order to build an accurate picture of the true numbers of cyber criminal revenue, more openly available research in understanding such costs and true profitability is required.

Legislation

A successful fight against cyber crime requires a well-working interplay between a number of legal aspects. This paper looked at substantive and procedural criminal law, investigative measures, regional and international information exchange, jurisdiction, and operational mechanisms for international cooperation. Legal aspects are especially important, since cyber crime – in most cases – involves many jurisdictions, with parts of the crime taking place in different countries.

Culture

Culture can also play a key part in cyber crime. However, the key problem with the investigation of culture as a motivating factor in cyber crime is that ‘culture’ is not a simple, easily-defined entity. It involves a wide range of factors, including morality, religion, politics and many other belief systems and ideologies. The aspect of cultural dimensions in connection with cybercrime is vast and we have looked at ways this has been linked to cyber crime in existing literature. The use of cultural aspects in connection with cyber attacks may augment the existing solutions in finding the origin of attacks, but it would fall outside the scope of this research.

Journey mapping

Central to the work in this research was journey mapping. This ‘map’-style of output has been adopted and applied within a number of different disciplines, where it is often referred to as a script: a predetermined, stereotyped sequence of actions that define a situation in a particular context. For the purposes of the E-CRIME project we have developed eight journeys from the victim perspective and nine journeys from the perpetrator perspective, representing a sequence of events within a select number of cybercrimes. The selection of journeys was based on commonalities between different crimes as provided for in existing literature and the results of expert interviews.

Victims of cyber crime

Cyber crime acts are distributed across different cyber crime categories, with victimisation rates higher than conventional crime. The current research looks at victimisation, before looking at crime victims’ journeys. The cyber crime victim journeys were looked at within three general types of offences (offences against the confidentiality, integrity and availability of computer systems and data; computer related offences (forgery, fraud); and offences related to infringements of copyright and related rights). Within these, we described the relevant cybercrime victim journeys, providing reference to the corresponding perpetrator journeys.

Victims of cyber crime can be affected through their own action during regular use of information technology: using e-mail (receiving and opening infected messages, attachments or links), browsing the web (visiting infected websites), using removable media (infected USBs, hardware), etc. Alternatively, one’s devices or systems can become infected if these are not patched or updated, if unsupported software or hardware is used, or if systems are poorly managed. Once affected by a criminal act, the victim will face damages. Their accounts may be hijacked, their identity may be stolen, they may lose data or intellectual property or it can become unavailable to them, data and devices may become encrypted, they may suffer direct financial losses, there might be damage to their reputation, or their computing power and other resources may be abused.

After gaining the victim view on cyber crime and drawing the respective crime journeys, the paper continues with a look at the perpetrator view. The criminals seem to know which end-results they want to achieve, and how to reach these goals. They are sometimes willing to spend a lot of time in research and in planning their actions. On the other hand, a criminal action may also emerge during the course of other (criminal) activities, by accident. There are also some cyber crimes that do not tangibly benefit the criminal: attacks related to hacktivism are typically not motivated by personal gain. An illustrative victim journey can be seen in Figure 1.

Figure 1. General victim journey

The research undertaken within the current project looked at the cyber crime victim journeys from the Council of Europe’s Cybercrime Convention (2001) as a starting point. We describe the journeys in cases of offences against confidentiality, integrity and availability; computer related offences (forgery, fraud); and offences related to infringements of copyright and related rights. Content-related offences (such as offences related to child pornography) are outside the scope of the current work. Victim journey maps for the three types of offences are provided.

Cyber crime networks and ecosystem

As it seemed obvious that different organisational structures are involved in cyber crime, we looked at literature concerning this. The players in black markets come from all over the world; there are international criminal organisations, but also virtual criminal networks. We looked at four main types of cyber criminals: international criminal organisations, foreign intelligence agencies (i.e., states), individuals and small criminal groups, and legitimate organisations. The cyber criminal ecosystem is very big, there are many players, it is disjointed and constantly changing. Based on the research into cyber crime journeys, we were able to identify the key roles in the cyber crime networks and economic structures. However, it has to be noted that one person can perform many roles simultaneously, or less sophisticated crimes may not require the full range of roles in a criminal ecosystem. Therefore, the cyber crime network and economic structure map developed for the current research is a generalization that may not fit each specific criminal network.

It is challenging to describe the entire ecosystem of cyber crime, as it is very big, there are many players, it is disjointed and constantly changing (RAND Corporation 2014). Based on the research into cyber crime journeys, we were able to identify the following key roles in the cyber crime networks and economic structures. However, since the same person or group can perform multiple roles simultaneously, the resulting map is a generalization that may not fit a specific criminal network. In addition, some less sophisticated cyber crimes may not need the full range of roles described below. Therefore, the map should be viewed as a guide and not a strict blueprint (see Figure 2 below).

Figure 2. Cyber crime network and economic structure map

[Labels in the figure: Infrastructure Provider, Criminal Service Provider, Organized Crime, Intermediate victim, Criminal Zero, Developer, Corruption, Black Market, Monetization, Service Provider, Victim]

Perpetrators of cyber crime

Having looked at the victim view, and then at cyber crime networks and economic structures, we continued to look at the perpetrator journeys. Crimes can be seen as a process, where resources are required and decisions are made, constituting the modus operandi of a crime. From the perspective of the criminal, we grouped similar actions under broad terms: preparation, execution, and monetization. The preparation phase of a crime includes pre-attack actions, i.e. initial decision, deciding the worthiness of attack, identifying victims, and conducting targeted reconnaissance. It also includes the choice of an attack method, including the cyber criminal undertaking an analysis of their own means and abilities, and deciding on whether to use outsourcing or buying solutions from such ‘service providers’. The execution phase includes creating an attack plan and executing the attack, which consists of entering or interfacing with the target system and the actual criminal activities themselves (i.e. distributed denial of service (DDoS), extortion, espionage, etc.). The monetization phase includes both payment in some form and the laundering of this payment, finally ending in personal gain for the criminal. In this work, we provide a general crime cycle, and thereafter specific crime cycles for building a botnet, extortion (ransomware), espionage (APT/ APA), malware development/ 0-day exploit development, VoIP attacks, cryptocurrency mining, DRM cracking, and click fraud. The selection of criminal journeys to be mapped within this project was decided after combining initial research with expert interviews. We believe the journeys mapped within this research cover a wide area of cyber criminal activities, by representing major criminal modus operandi. These maps help identify the cyber criminals’ modus operandi, an account of how they operate within a crime cycle from preparation to monetization and exit.

Figure 3. General cyber crime cycle including motivation

Based on literature review and expert interviews, but also a questionnaire to stakeholders developed as part of the current work, eight cyber crime journey maps were drawn up:

- Building a botnet;
- Extortion (ransomware);
- Espionage (APT/ APA);
- Malware development/ zero-day exploit development;
- Cryptocurrency mining;
- DRM cracking;
- VoIP attacks;
- Click fraud.

For each journey, a mapping was conducted in three principal phases of cyber crime: preparation, execution and monetization. These maps help identify the cyber criminals’ modus operandi, an account of how they operate within a crime cycle from preparation to monetization and exit. It will also provide a sense of the processes and practices through which cyber crime occurs.

Conclusion

This report stands alone as a specific piece of work relating to the completion of two specific tasks within work package 2, but it should be remembered that it is one deliverable among many that will present a comprehensive view of the current state of cyber crime.