A look inside the FBI’s 2018 IC3 online crime report
Credit to Author: Christopher Boyd| Date: Wed, 24 Apr 2019 15:57:07 +0000
The FBI’s Internet Crime Complaint Center have released their annual Crime Report, with the most recent release focusing on 2018. While the contents may not surprise, it definitely cements some of the bigger threats to consumers and businesses—and not all of them are particularly high tech. Sometimes less is most definitely more.
What is the Internet Crime Complaint Center?
Good question. For those not in the know, it’s the FBI’s way of allowing you to file a complaint about a computer crime. If the victim or alleged perpetrator are located in the US, you can file. The information is then handed to trained analysts who distribute the data as appropriate.
They eventually take all that information and turn it into a report. There’s a fair bit in there to chew on—here’s the report, in PDF format—but there are some prominent themes on display. Shall we take a look at what’s hot?
Business Email Compromise (BEC)
Business Email Compromise is something we mention on here fairly regularly. Someone usually pretends to be the CEO of an organisation, and attempts to pull off a wire transfer via someone else in finance. Cash is often routed through Hong Kong where wires are common, so as not to attract attention.
It’s a straightforward attack, low risk, small overheads, and if you fire enough out, eventually someone will bite. You only need one successful attack to walk away with millions.
In 2018, IC3:
- Received just over 20,000 reports of BEC attacks
- Declared adjusted losses of over $1.2 billion
Those are big numbers, but even bigger when you consider BEC reports the year before were 15,000, and adjusted losses were $675 million. One slightly peculiar twist to the usual “steal your money” approach is this:
In 2018, the IC3 received an increase in the number of BEC/EAC complaints requesting victims purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.
Not quite as glamorous as Hong Kong wires, and in all honesty it sounds faintly ludicrous at first viewing, but it’s definitely working for somebody.
Payroll diversion
This is an interesting twist on the BEC scams. The attackers don’t waste time pretending to be CEOs. Instead, they go for logins tied to payroll processing systems. Once they’re in, they change the account information and the money is diverted to somewhere controlled by the hacker. They’ll also hide warnings to admins, which would’ve alerted them to deposit information changes. The money will then typically be sent to a prepaid card—yes, prepaid cards are flavour of the month (year?) this time around. From the report:
Institutions most affected by this scam have been education, healthcare, and commercial airway transportation.
From just one hundred complaints, there was a combined reported loss of $100 million dollars. This is frankly astonishing. Phishing can truly be devastating in the right hands.
Tech support fraud
Tech support scams feel as though they’ve been around forever, and they’re busy cementing their place in the top three table of awful things. The 2018 tally for these antics weigh in at 14,000 complaints from victims scattered across 48 countries. The losses almost hit $39 million, representing a 161 percent rise from the previous year. Most of the victims are over 60, which fits the general M.O. of going after older targets who may not be aware of the latest happenings in fraud land.
The full report covers topics such as top states divided by both number of victims and victim losses, breakdowns on target age groups, crime types, assets recovered, and much more.
One thing’s for sure: with over 900 complaints a day, roughly 300,000 complaints received per year on average, and something in the region of $2.71 billion in losses accounted for in 2018, online crime isn’t going away anytime soon.
The post A look inside the FBI’s 2018 IC3 online crime report appeared first on Malwarebytes Labs.