Cyber crime levels generally stay pretty constant, but cyber criminals love tailoring their hacks and attacks to the news cycle, according to the Cyber Crime Unit at Immigration and Customs Enforcement (ICE). Over the past year, the unit saw a spike in COVID-19 and pandemic-related cyber crime, including counterfeit personal protective equipment, Payment Protection Program fraud and now fraud around vaccines.
As vaccine distribution ramps up nationwide, the Cyber Crime Unit is primed to respond.
“In the beginning there was a lot of fraud around counterfeit [personal protective equipment] products,” ICE Cyber Crime Unit Chief Matthew Swenson told GovernmentCIO Media & Research. “Whatever is going on in the media circle, they latch on and pivot to that. Income tax credits being sent out — there was fraud surrounding that in the U.S. and Canada. We noticed small business loans, trying to qualify for government relief — there was a lot of fraud around that. Now it's all vaccine related.”
The Cyber Crime Unit is one of three units that originally started out as the Cyber Smuggling Center in 1997 to focus on taking child pornography off the internet and arresting the perpetrators behind it.
The center has since grown into three units: the Child Exploitation Unit, which focuses on all internet-related crimes against children; the Computer Forensics Unit, which focuses on extracting digital information for use in a court of law; and the Cyber Crime Unit, which handles all cyber crime not covered by the other two units.
Swenson said the Cyber Crime Unit’s work falls into two categories: cyber-dependent and cyber-enabled crime. Cyber-enabled crime includes dark web illicit drug marketplaces and much of the pandemic-related fraud. Cyber-dependent crime includes instances of hacking, like the SolarWinds breach.
“On the cyber-enabled side, one of the major focuses we have is the opioid epidemic,” Swenson said. “The importation of fentanyl has been really really damaging to a lot of states and communities. We've seen the rise of dark web marketplaces that exist on the Tor network, which is the largest darknet within the dark web. They'll have these huge marketplaces, like eBay, but solely within the dark web infrastructure, to remain anonymous. They use a moniker, they set up a shop for selling fentanyl or cocaine — basically you name it. It's a shop for any illicit good or service. If it's illegal, they're probably selling it; murder as a service, people's identities. It's basically the wild, Wild West.”
While using the dark web is not illegal in itself, it makes it easy to anonymize activity. But ICE can catch those who make one mistake.
“[Bad actors] feed off their reputation, and once they've established themselves, they're less apt to use a different moniker. It's very heavy on reputation on there,” Swenson said. “We can use that against them because they only have to make one mistake for us to catch them — they have to be perfect all the time.”
Besides catching drug lords on the internet, the Cyber Crime Unit's other major focus is its operations against cyber crime relating to the pandemic. Those include Operation Stolen Promise (OSP) and OSP 2.0.
“At the very beginning of the pandemic, we were targeting clear websites on the dark web who were trying to extort or trick people to going to legal websites affiliated with COVID-19, whether it be COVID-19 relief or making donations to the World Health Organization or going to Pfizer for information about the vaccine, so they were creating phishing sites and launching malware,” Swenson said. “We worked with GoDaddy in real time to suspend those sites before they could victimize people.”
Cyber criminals can easily replicate legitimate websites and change only “a little bit of data” that the average person won’t notice.
“Instead of putting a legitimate phone number, they'll put a scammer phone number and email address so that when you go to the site it looks exactly the same — even for me, someone who lives in the cyber world, it's very, very difficult nowadays to tell a scammer site from a legitimate site at first glance,” Swenson said. “The mechanism for tricking people to go to those is phishing emails, saying, 'Hey the vaccine is available in your community, go to the website to find more info,' so people will click on the link.”
By the time you click on the link, it’s too late.
“It shows you, even in a pandemic, cyber fraudsters have no scruples,” Swenson said. “For them this is the Super Bowl of cyber fraud, where a lot of people are teleworking, they don't know a lot about COVID-19, especially at the beginning, they were desperate for information and scammers were exploiting that.”
The Cyber Crime Unit relies on cyber threat intelligence vendors that pool lists of internet domains to comb through and verify, as well as customizable tools courtesy of the Department of Homeland Security’s Science & Technology Directorate.
“A lot of the work we do in law enforcement is very niche,” Swenson said in describing its relationship with the directorate. “There's not off-the-shelf products a lot of the time that do what we need it to do.”
The Criminal Investigations and Network Analysis Center of Excellence (CINA), commissioned by DHS S&T, also conducts research to support the Cyber Crime Unit’s work.
“[CINA] is working with academia and universities throughout the U.S. to fund research that they think would be directly applicable to what we do at the Cyber Crime Unit,” Swenson said. “They've funded a lot of interesting projects to help us out on a bunch of topics that they think would be useful for us.”
All American adults over the age of 16 now have access to the COVID-19 vaccine, which means more people are going to look for vaccine information and run the risk of falling afoul of cyber criminals.
Swenson said the job is “very, very difficult,” but he’s optimistic.
“You have to watch the news cycle,” he said. “Fraudsters and cyber hackers are always looking for the next avenue to commit cyber crime. Staying on par means you really, really have to be diligent.”