Cybercrime National Situation Report 2014

1 INTRODUCTION

The situation report provides information on developments in the reporting period and describes the dangers and potential damage of cybercrime and their impact on the crime situation in Germany. Cybercrime comprises offenses that are directed against the Internet, data networks, information technology systems or their data, or that are committed by means of this information technology.

The statistical part of the situation report is based on data from the Police Crime Statistics (PKS). The PKS includes all crimes, including punishable attempts, that were finally processed by the police and submitted to the prosecutor.

Given the very large dark field in this area of crime, assessing the threat level requires external insights that enrich the police and statistical bright field. Phenomenological statements in the situation report are therefore based on findings from the police information exchange on cybercrime as well as on sources outside the police.

2 DESCRIPTION AND EVALUATION OF THE CRIME SITUATION

2.1 Police Crime Statistics

In the PKS, the number of offenses attributable to cybercrime for 2014 is, on the national average, much lower than in previous years; at the same time clearance rates have increased. These statistical results are due to changes in recording procedures in the PKS: up to and including 2013, the majority of federal states recorded cybercrime offenses with a loss event in Germany (for example, computers infected with malware and victims defrauded in Germany), even though it was unknown whether the criminal act had occurred at home or abroad. From 2014, cybercrime offenses are recorded in the PKS nationwide only if there is concrete evidence of a criminal act within Germany.

The PKS figures up to 2013 for the phenomenon of cybercrime therefore provide no benchmark and no standard of comparison for 2014. A declining threat from cybercrime offenses therefore cannot be inferred from the figures reported for 2014. In order to record in future also cybercrime offenses committed from abroad or from an unknown crime scene, together with their damaging effect on Germany, and to include them in the situation picture, a separate statistical recording of such offenses is planned. Because of the changes required in data collection and delivery, this is expected to be possible in two years.

The National Situation Report Cybercrime mainly presents the cases of cybercrime in the strict sense detected in 2014. These include all crimes that are directed against the Internet, data networks, information technology systems and their data.

The Internet as a means of crime

The same restrictions on comparability with the figures of previous years also apply to the PKS figures for the Internet as a means of crime.

In 2014, 246,925 cases were recorded that were committed using the Internet as a means of crime. Most of these were fraud offenses (share: 74.2%; 180,826 cases), most notably goods fraud (share: 40.8%; 73,713 cases), i.e. cases in which the offender offers products for sale over the Internet and either does not deliver them at all or delivers them in inferior quality. The offender's sole aim is to get the buyer (the victim) to make a payment without receiving anything in return.

2.2 Dark Field

Cybercrime must be assumed to have a very large dark field. This means that probably only a small proportion of offenses in this area are reported and become known to the police and/or law enforcement agencies.

As early as 2013, a dark field study carried out in Lower Saxony had calculated a dark field of 91% of all cybercrime offenses.

According to a representative study by the German Institute for Economic Research (DIW) published in February 2015, Germany is burdened with 14.7 million cases of cybercrime annually, with a total loss of 3.4 billion euros, of which 84% alone (around 12.3 million cases) are attributable to the areas of "phishing, identity theft and attacks by malicious software." Measured against the number of cybercrime offenses registered in the PKS, this would mean a far larger dark field than previously assumed.

In addition, particularly in the offense areas of computer sabotage and data alteration,

• a large number of offenses do not get beyond the attempt stage because technical security measures are increasingly widespread, and are not reported by the injured party since there is usually no financial loss,

• offenses are not recognized by the injured party (the infection of the computer system goes undetected), or

• the injured party does not report recognized offenses, for example so as not to lose its reputation among customers as a "safe and reliable partner".

Shedding light on the dark field is, however, very important for law enforcement in order to optimize the fight against cybercrime. This includes, among other things, analyzing the attacks carried out. Such analyses can not only reveal attack vectors and possible connections between offenses and possibly yield new investigative approaches, but also allow preventive measures to be derived, such as patching vulnerable systems and raising the awareness of users and the public about particular new modi operandi.

Only a comprehensive picture of the scale and manifestations of this crime area gives law enforcement agencies the ability to react to new developments quickly and purposefully and to develop medium- and long-term strategies for combating and preventing it. The aim is also for users of information systems to be better protected.

2.3 Current Phenomena

Cybercrime-as-a-Service

The business model "cybercrime-as-a-service" is becoming more and more important. The digital underground economy provides a wide range of services that enable or facilitate the commission of any type of cybercrime. The range of such illegal services includes, for example:

• provision of botnets for various criminal activities,
• DDoS attacks,
• malware production and distribution,
• data theft,
• sale / offer of sensitive data, such as access and payment data,
• mediation of financial and goods agents who, against payment, disguise the origin of funds and goods obtained through criminal acts,
• communication platforms for the exchange of criminal expertise, such as underground economy boards,
• anonymization and hosting services for concealing one's identity,
• so-called dropzones for depositing unlawfully acquired information and/or goods.

These examples show that criminals without technical skills of their own can also obtain, at comparatively low cost, access to sophisticated tools with which all forms of cybercrime attacks can be carried out. Meanwhile, analogous to legal software contracts, support is often even offered to customers / subscribers of cybercrime-as-a-service offerings. This support includes, for example:

• updates of malicious software,
• Consulting services,
• Anti-detection mechanisms,
• Assistance with technical problems.

In addition, further services such as "infection on demand" (distribution of malicious software on request) and test portals are offered, where cybercriminals can test their malicious software against the detection rates of current cyber security products. This makes it possible, by modifying the malicious software, to improve its chances of success in a "distribution offensive".

Theft of digital identities

Digital identity is understood here as the sum of all possibilities and rights of the individual user as well as their personal data and activities within the overall structure of the Internet. Specifically, this includes all types of user accounts, for example access data in the following areas:

• communications (e-mail and messenger services)
• e-commerce (online banking, online brokerage, Internet-based distribution portals of all kinds)
• job-specific information (e.g. for online access to corporate technical resources)
• e-government (e.g. electronic tax returns) and
• cloud computing.

In addition, all other payment-related information (particularly credit card data including payment addresses and other information) is part of the digital identity. The digital identity as a whole, or at least parts of it, is coveted loot for cybercriminals, whether to use the information obtained for their own criminal purposes or to sell the stolen data, mostly on illegal sales platforms of the underground economy.

To obtain this information, perpetrators often use other methods over the Internet in addition to so-called "Trojan horses", for example:

• installation of malware via drive-by exploits,
• phishing,
• compromise of servers and copying of credentials,
• use of keyloggers and malware.

The stolen identities are then usually collected automatically by the malware at special storage locations on the Internet (so-called drop zones), which the perpetrators or their clients can access.

The following incidents also show that digital identities are sought after by criminals:

After the theft of 16 million e-mail addresses was revealed in January 2014, the Verden public prosecutor's office was able, in March 2014, to secure 18 million stolen e-mail addresses together with the associated passwords in another complex of investigations it was conducting.

In early 2014, as yet unknown perpetrators obtained access to a database of the online merchant Auction web sites and thereby gained access to 145 million records. These included personal customer data such as names, encrypted passwords, e-mail addresses, birthdays, addresses and phone numbers.

Phishing in online banking - rebound

The most common variant of digital identity theft is so-called "phishing related to online banking." For 2014, the Federal Criminal Police Office reported 6,984 cases in the phenomenon area of phishing. Compared to 2013 (4,096), this means an increase in the number of cases of 70.5%. The number of cases is well above the average over the last five years (5,255).

After an approximate halving of the number of cases was achieved in 2012 through various protective measures, such as the increased use of the mTAN method (also referred to as smsTAN) as a security method in online banking, and through more intensive awareness-raising among users, the number of cases has since more than doubled. This shows that the perpetrators have adapted technically to the changed conditions and developed new or better malware to bypass this transaction method, which was previously regarded as relatively safe.

This includes current Trojans that are specifically geared to the German banking sector and have the technical potential to successfully attack both the iTAN and the mTAN method using so-called real-time manipulation (man-in-the-middle / man-in-the-browser attacks).

Corresponding malicious software for infecting the respective bank customer's mobile phone has already been placed on the black market and is available for most smartphone operating systems. Compared with the previous year, there are thus no fundamental changes in the malicious software used.

This development shows that the perpetrators are always able to keep up with improved security mechanisms in online banking, albeit with a time lag.

However, the perpetrators do not focus only on technical solutions; they also try, by means of so-called social engineering, to obtain the customer information needed to defeat the authorization mechanisms now widely used in online banking in Germany, which require an active action by the account owner (use of a second communication channel, "two-factor authentication"), and to use them for their own purposes. The best-known example is the sending of e-mails with a trustworthy appearance that ask the recipient, on some pretext, to disclose confidential information.

In view of the opportunities available and the criminal proceeds that can be achieved, phishing continues to be a lucrative activity for offenders. The average loss in "phishing related to online banking" was again around 4,000 euros per case in 2014. On this basis, losses of 27.9 million euros were caused in 2014, clearly more than the average loss over the past five years (21.0 million euros). Accordingly, taking into account the Bundeskriminalamt's reported case numbers for the past five years, the approximate losses are as follows:

Botnets

So-called botnets also played a significant role in the area of cybercrime in 2014. In a botnet, numerous computers infected by malicious code are remotely controlled via so-called command-and-control servers (C&C servers) without the knowledge of their owners. The necessary software is installed on the victims' PCs unnoticed by the owners in a variety of ways, for example by opening an infected e-mail attachment or by means of "drive-by infection".

Another variant is the distribution of malware through social networks (e.g. Facebook). Participants in the networks are sent messages with infected attachments from supposed acquaintances. If these are opened in good faith because of the supposed friendship, or the corresponding hyperlinks are activated, the computer system becomes infected. As a result, by installing malicious software the perpetrators gain almost complete access to the victim's infected computer.

Other distribution channels are Usenet and file-sharing / P2P (peer-to-peer) networks, where malware is usually disguised as video or sound files and offered for download.

Botnets and their capacities continue to be a lucrative commodity worldwide in the underground economy. The "bot herders" rent out bots, by means of which targeted DDoS attacks can be carried out, e.g. on the servers of an enterprise, spam mails can be sent en masse, or targeted data theft can be committed. Reliable figures on the total number of computers brought together in botnets worldwide and in Germany are very difficult to give:

• In its 2014 annual report, the BSI speaks of more than a thousand Internet computers in Germany that are part of a botnet.

• The Association of the German Internet Industry (ECO) reported in its annual statistics that in 2014 the proportion of systems infected with botnet malware was 40%, an increase of seven percent compared with 2013 (33%).

In November 2014, the BKA succeeded in identifying and dismantling a botnet with up to 11,000 computer systems in over 90 countries, with more than half of the infected systems located in Germany. Alongside the further investigations, notification of the owners of the affected botnet computers was initiated in cooperation with the BSI, the Fraunhofer Institute (FKIE) and two German antivirus manufacturers. The injured parties were given further information about the infection, help with cleaning up the infected computers and advice on filing a criminal complaint on the websites of the BKA and the BSI.

DDoS

Closely linked to the issue of botnets is the topic of so-called DDoS attacks, because these attacks on the availability of web pages, individual services or even entire networks are usually carried out using computers combined into a botnet.

DDoS attacks are among the most frequently reported security incidents in cyberspace. Criminals have developed corresponding business models from this and rent out botnets of various sizes. A survey published in autumn 2014 by the Alliance for Cyber Security found that more than one-third of the companies surveyed had been the target of a DDoS attack on their websites in the past three years.

Police data on the scale (number, duration, etc.) are not available. In its aforementioned annual report, the BSI reports 32,000 DDoS attacks in Germany in 2014.

Especially in the highly competitive market segment of the Internet, the unavailability of sales portals can cause serious economic damage. The perpetrators' motivations range from political / ideological reasons through revenge and gaining competitive advantage to purely monetary reasons (blackmail).

The damage and costs caused to the injured parties by DDoS attacks are difficult to express in monetary terms, as consequences of such attacks, such as

• system failures and interruption of operations,
• current and long-term revenue losses (loss of customers and reputation) and
• elaborate protective and preventive measures to avert future attacks,

are often very difficult to quantify.

Malicious programs (general)

Malicious programs, i.e. software through which an attacker aims to gain at least partial control of an end system, whether to spy out digital identities or to carry out so-called "digital extortion", continue to play a central role in the commission of offenses in the area of cybercrime.

The most common means of distribution of malicious programs are attachments in spam mails, drive-by exploits and botnets.

Valid data on the distribution of malicious programs are very limited. According to estimates, the total number of PC-based malware variants has meanwhile exceeded the 250 million mark and is increasing daily by about 300,000 variants. In Germany, at least one thousand infections by malicious programs occur every month. For mobile devices such as mobile phones and tablets, the estimates assume at least three million malicious programs.

Ransomware

Digital extortion by so-called "ransomware" is also widespread in Germany. The corresponding malicious software as well as the entire "service" can be purchased in relevant forums of the underground economy, so that special IT expertise is no longer required for digital extortion. A distinction must be made between two variants:

a) Ransomware that does not encrypt the hard disk but only manipulates the operating system, and whose removal is relatively simple using instructions circulated on the Internet. The best-known forms are the so-called "BKA Trojan" and "GVU Trojan", in which names and images have been misused to give the criminal demand for payment an official character.

b) Ransomware that actually encrypts the data on end systems and servers, so that access to the data can be regained, if at all, only by paying the demanded "ransom". This variant is much more dangerous because in most cases there is no other way to recover the encrypted data, or the encrypted data cannot be regained despite payment of the demanded "ransom".

For 2014, only 545 cases of digital extortion were reported to the BKA, which represents a decrease of 91.0% compared to the previous year (6,048 cases).

This development largely coincides with the findings of the Federal Office for Security in Information Technology (BSI) regarding inquiries from citizens who have become victims of ransomware attacks. While the BSI service registered more than 8,500 inquiries in 2013, there were only just under 1,200 inquiries in 2014.

A possible explanation for this development is that the ransomware described under variant a) is hardly used any more, or that affected users have been sensitized accordingly by the extensive publicity and media coverage. They may no longer make payments and instead take advantage of the various instructions circulated on the Internet for cleaning up the affected systems. This variant of ransomware is thus unlikely to achieve the desired effect (financial gain) any more, making its use unattractive from the perpetrators' perspective.

Moreover, this self-help is likely to affect the reporting behavior of those affected, since they have suffered no significant material or immaterial damage and see no grounds for filing a complaint.

It is also conceivable that many attempts at blackmail by ransomware already fail at the attempt stage because the malware cannot be installed on the system due to technical measures taken by the user, such as regular system and program updates.

Underground Economy

The forums and illegal marketplaces of the so-called digital underground economy play an increasingly central role in the commission of offenses in the area of cybercrime. The forums serve primarily for communication among cybercriminals, the exchange of criminal expertise and the exchange of views on the exploitation of vulnerabilities. Moreover, the services referred to under "cybercrime-as-a-service" are traded there.

In addition, criminal marketplaces are operated, especially in the so-called darknet, where the focus is on the purchase of illegal goods. The offers comprise, among other things, drugs, weapons, counterfeit money, fake IDs, stolen credit card data and counterfeit branded goods.

Payment for these products is made exclusively in digital cryptocurrencies, such as Bitcoin, which enable pseudo-anonymous payments. Moreover, these criminal marketplaces often offer an escrow system to protect sellers and buyers. Depending on how the escrow system is configured, it allows the criminals acting as "trustees" to embezzle the money entrusted to them from all current transactions on the marketplace and then "go underground" ("exit scam").

In the field of the underground economy in particular, an increasing shift of offenses from the analog to the digital world can be observed. Decisive for this development is likely to be not only the increased anonymity, but also the fact that these illegal online marketplaces can reach a wide range of potential users worldwide and that these forums and marketplaces in the darknet can be reached easily and without profound computer skills.

2.4 Offender Structures

The vast majority of cybercriminals are financially motivated. The spectrum ranges from the classic lone offender to internationally organized criminal groups.

The perpetrators react flexibly and quickly to new technological developments and adjust their behavior accordingly. Everything from the malicious software required for committing crimes to complete technical infrastructures is offered in the underground economy.

Investigations confirm this "service orientation" and specialization and show the scale of the criminal proceeds that can be achieved. In 2014, investigations were conducted against the operators and members of a board within the underground economy. The board, a communication and trading platform, contained information on techniques for spying out data, programming malicious code and the procedure for goods credit fraud. Among other things, unlawfully obtained data, narcotics and counterfeit credit cards were traded on the platform. In addition to providing the IT platform, the staff of the board were actively involved in the commission of offenses by individual members by setting up an escrow system that promoted and supported the proper handling of the illegal services.

The investigation also found that some of the accused used malicious software to compromise other computers. Approximately 500 injured parties were identified by name and informed via the police forces concerned.

A total of five offenders were identified; the criminal proceeds generated are likely to amount to more than a thousand euros.

In the area of organized crime (OC), an increase in the activity of criminal groups in the field of cybercrime was observed compared with the previous year. Whereas in 2013 six OC groups were registered with cybercrime as their main field of activity, a total of 12 such OC groups were observed in 2014. Measured against the total number of OC groups registered in 2014 (571), the proportion of OC groups active in the field of cybercrime remains at a relatively low level, but it gives at least an indication that offender structures linked to organized crime are increasingly active in the field of cybercrime as well.

3 THREAT AND POTENTIAL DANGER

The intensity of criminal activity in the field of cybercrime has increased, which will inevitably lead to a heightened threat situation and to a further increase in risk for private individuals, companies and government institutions.

The expanding opportunities for crime open to cybercriminals have a significant influence on the further development of the threat and risk situation.

79 percent of Germans online

The ARD-ZDF Online Study 2014 revealed that 79.1% of adults in Germany (2013: 77.2%) are online. This corresponds to 55.6 million persons aged 14 and over (2013: 54.2 million). The highest growth rates are still among the over-60s, of whom almost every second person now uses the Internet (45%). Among 60- to 69-year-olds, the proportion of Internet users rose within a year from 59% to 65%. On average, an Internet user in Germany is online 5.9 days a week and spends 166 minutes a day on the net. On average, 2.8 devices are available to each online user for accessing the network. In 2014 the preferred means of access was, for the first time, the laptop (69%), ahead of smartphone and mobile phone (60%) and the stationary PC (59%). The growth drivers for mobile usage are mainly tablet PCs: the proportion of Internet users who access Internet content via tablets rose from 16% to 28%.

These developments mean that the number of potential victims of cybercrime is steadily increasing.

Mobile devices - favorite target

Mobile devices such as mobile phones and tablets continue to gain market share. According to a representative survey by the German Association for Information Technology, Telecommunications and New Media (BITKOM), approximately 44 million German citizens (over 14 years) were using a smartphone at the beginning of 2015, an increase of around two million within the last six months. In addition to classic functions such as telephony and use as a photo and video camera, the following applications, among others, are typically used:
• surfing the Internet (93%),
• additional applications (74%),
• social networks (70%).

The increasing proliferation of these mobile devices and their users' still partly lacking sensitivity to digital dangers when using them ensure a continued high level of attractiveness for perpetrators. This is also shown, among other things, by the increase in malicious programs written for mobile phones.

An essential aspect of this is that mobile devices, as opposed to the classic PC, are usually constantly online and that users now handle most of their digital activities on these devices, such as online banking transactions, access to e-mail accounts and social networks, and e-commerce activities, often via corresponding apps.

This trend increases the importance and attractiveness of mobile devices for cybercriminals, which is particularly underlined by the increase in malware development for mobile operating systems.

Internet of Things

The term "Internet of Things" describes the trend that, in addition to the standard devices in use (computers, smartphones, tablets), so-called "intelligent devices" are increasingly connected to the Internet and constantly online. Such intelligent devices are, for example, refrigerators, televisions and wireless routers, but also sensors by which other devices (washing machines, light bulbs, coffee machines, etc.) can be controlled over the Internet via smartphone. These devices usually have computing power that should not be underestimated and are equipped with their own operating systems, which are often developed by the manufacturer for the device on the basis of open source code.

Typically, these so-called "intelligent devices" have no or inadequate protections and often use outdated software with vulnerabilities. For cybercriminals such devices are therefore relatively easy prey, and infections are barely detectable for users.

The so-called "smart home", that is, the networking of building technology and household appliances (lights, blinds, heating, garage door, etc.) together with their remote control functions, is also spreading steadily.

The networking in and of motor vehicles continues to progress, which increases the opportunity for cybercriminals to attack the internal control commands of motor vehicles. More and more cars are now also Internet-enabled and equipped with a standard Internet browser.

Industry 4.0

The move towards the "Internet of Things" will also affect the developments in the corporate sector. The use of private mobile terminals ("Bring Your Own Device") and social networks in the work context is steadily increasing.

The "Bring Your Own Device" trend carries risks. Combining private and professional Internet and computer activities on a private device makes it easier for cybercriminals to access corporate data as well, owing to the sometimes weaker protection of these devices. This opens gateways for, e.g., industrial espionage and intellectual property theft.

Likewise, the electronic and web-based control of processes in companies is becoming more and more important. The increasing networking, the dependence of networked, self-controlling production processes and logistics chains on the availability of networks, and the issue of separating / isolating those networks from the Internet represent a major challenge.

The consequence of this development is an increasing dependence of companies on information technology. The result is a very serious threat to the economy. Damage to the IT infrastructure of enterprises can lead not only to the disruption of company communication, but also to a complete standstill in production, which would by now cause huge losses for companies.

In particular, the risk of digital extortion of businesses increases thereby.

4 OVERALL ASSESSMENT AND OUTLOOK

Cybercrime is transnational crime. The hazard and damage potential arising from the phenomenon of cybercrime has increased further. With the rising importance of IT in private and professional use, the opportunities for manipulation and attack open to cybercriminals also increase.

The very large dark field shows that police statistics represent only a small part of the actual scale of cybercrime and are therefore not sufficient to fully describe the whole phenomenon and the resulting hazard and threat potential.

The changes in offender structures observed in previous years continued in the reporting year. Today, perpetrators no longer only commit the offenses in the strict sense themselves, but rather offer the malware required to commit crimes, and even complete technical infrastructures, in the underground economy. Owing to their ease of use, these tools can also be used by perpetrators without in-depth IT expertise. It is therefore no longer only highly specialized lone offenders with extensive IT skills who act, but also increasingly criminals without specific expertise who cooperate in a division of labor to commit the offenses. Organized criminal structures are thereby becoming increasingly important, i.e. structures in the sense of "classical OC" that have joined forces to commit crimes on a permanent basis. This trend is expected to continue.

An impact-oriented, sustainable fight against cybercrime must be conducted jointly by the competent security authorities and in cooperation with the private sector, in the sense of a holistic approach. International cooperation plays a significant role here.

In summary, it can be assumed that the threats posed by the various facets of the phenomenon of cybercrime will continue to increase in extent and in their manifestations, with recent developments such as the "Internet of Things", "Industrie 4.0" and the further increasing use of the Internet by private users likely to have a significant impact. This gives rise to new opportunities for crime and new opportunity structures, resulting in a further increase in the threat and risk potential.