The weakest link
Hackers and scammers have always targeted people as the weakest link in cyber defences. But as security systems in digital networks, websites and applications become harder to crack, cybercrims are having to rely on ever more sophisticated ploys aimed at people to get the money or information they want.
“For the past few years, attacks have been focusing on people, not infrastructure,” Crispin Kerr, Australia and New Zealand manager at security firm Proofpoint, told a cyber-security conference in Wellington in October.
“The attackers are getting the people they are targeting to do the work for them.”
The simplest kind of attack, says Kerr, involves email fraud, which the FBI estimates has cost US companies US$26 billion ($40 billion) since 2016.
You might receive an email that appears to come from a well-known company or even a colleague in the firm you work at. It will have the familiar logo and be sent from an address very close to the real company name. A “phishing” scam that hit our shores recently tried to get Apple device users to log on to a website to verify their Apple ID credentials, such as username, password and even credit-card details.
On closer inspection, the web address users were sent to was applsigninaccount.com, with the “e” from Apple missing.
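A defender-side check for exactly this kind of lookalike address, added here as an example and not part of the original article: it flags a URL whose host embeds a brand name with a one-letter typo, as applsigninaccount.com does. The brand list and the legitimate domains in it are constructed for illustration.

```python
"""Lookalike-domain check for phishing URLs (added example, not from the article).

Flags hostnames that embed a brand name with a one-character typo, such as
'applsigninaccount.com', where the 'e' of 'apple' is missing.
"""
from urllib.parse import urlparse

# Constructed brand list (assumption): brand token -> domains allowed to carry it.
BRANDS = {
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host; a production check would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_brands(url: str, max_distance: int = 1) -> list:
    """Return the brands this URL's host imitates without belonging to them.

    Every substring of the host (dots removed) whose length is within
    max_distance of a brand token is compared by edit distance, so a
    dropped, added or swapped letter is caught ('appl' vs 'apple').
    """
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    if not host:
        return []
    text = host.lower().replace(".", "")
    hits = []
    for brand, legit in BRANDS.items():
        if registered_domain(host) in legit:
            continue  # genuine brand domain, nothing to flag
        n = len(brand)
        for size in range(max(1, n - max_distance), n + max_distance + 1):
            windows = (text[i:i + size] for i in range(len(text) - size + 1))
            if any(levenshtein(w, brand) <= max_distance for w in windows):
                hits.append(brand)
                break
    return hits
```

Run on the article's address, `lookalike_brands("https://applsigninaccount.com/verify")` returns `["apple"]`, while the genuine `https://www.apple.com/` returns an empty list.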
“What is perhaps the most depressing thing about the landscape today is just how spectacularly we’ve seen the rise of spoof emails,” says Kerr. “It’s an attack that doesn’t require any kind of malware or payload whatsoever.”
Instead, it taps into human psychology, adding cues to fool enough email recipients into parting with valuable information. Send 10,000 emails and you might suck in 20 people, which is enough to make the scam worth perpetrating.
Scams in the workplace
Alison Moore has seen all manner of scam attempts. As the IT manager at a large New Zealand media company, it is her job to keep the network and email accounts of 265 employees secure.
It is a job that is getting more difficult by the day. In the first two months of the year alone, employees sent out 139,000 emails and received 1.13 million.
“Of those received, over 10% had some sort of corruption to them that was dangerous to our system,” says Moore.
It is the same for most medium and large companies – a deluge of email, much of it filtered out automatically by email scanning software.
“What we look for are things like unusual email attachments, malware and code from spambots running in the background,” says Moore. “If you come into the office in the morning and you’ve got 150 emails, you’re going through them very, very quickly and you might click on one that you shouldn’t. Six out of 10 times, it’s something that a user’s done that’s going to create the problem.”
Because email scanning cannot catch every malicious message, and because phones, text messages and devices brought onto the premises pose their own risks, Moore’s company has implemented security training for every employee.
These days, most professionals have a profile on LinkedIn, the Microsoft-owned social network that has become the default online CV for millions of people. But it is also used by cybercriminals to harvest details for scam emails.
“We’ve had emails come to our head of payroll, supposedly from an employee,” says Moore. “They say, ‘Could you change my direct debit details, I’ve moved bank accounts, here’s my new information.’ It is completely fake.”
Locking down identity
Applying multi-factor authentication to employees’ email accounts and log-in details can thwart attempts to use compromised credentials. Built into email systems such as Outlook and Gmail, it works by requiring the user to prove their identity with a second method in addition to entering their password.
It can involve signing in via an app on your mobile or entering a code text messaged to you. Increasingly, biometrics are being employed – fingerprint and facial recognition on phones and laptops – to reduce reliance on passwords.
Kerr and other security experts look forward to a password-free world, given the inherent weaknesses in people choosing a password that is easy to remember. If it is memorable, it might be easy to crack.
According to the Government’s Computer Emergency Response Team (CERT), reported cybercrime incidents increased 205% between 2017 and 2018. The cost of reported incidents was put at $14 million last year, with scams and fraud making up $8 million. Government-funded not-for-profit Netsafe put the number even higher.
CERT was set up in 2017 to mirror centres in other countries established to tackle the rising tide of cybercrime. It received a funding boost in this year’s Budget.
CERT’s director, Rob Pope, says the threat categories are “pretty consistent” – scams and fraud, phishing and credential harvesting and unauthorised access.
The big data breach
The big trend internationally is the rise in data breaches. They happen with alarming frequency and have seen credentials for millions of people stolen from the systems of Yahoo, Marriott, Adobe, Dropbox and many others.
“Often this data is then sold or published freely online,” says Pope. “Once this happens, any number of attackers can use this information to target people for future attacks.”
Data breaches feed one of the fastest-growing scams – extortion emails, in particular, webcam blackmail emails – which CERT reports increased 28% between July and September.
The scam works like this: attackers send an email claiming they have used your webcam to record footage of you while you were visiting websites – often ones containing pornographic content. They then threaten to send the footage to all of your email contacts unless you pay up – often via a transfer in the anonymous bitcoin cryptocurrency.
“To make the threat seem real, the attacker includes a password that belongs to the recipient as ‘proof’ – in actual fact, the attacker will have found the details online in a data breach,” says Pope.
A hacker could hijack your webcam, but it is time-consuming and technically difficult to pull off. Tricking people into thinking a scammer holds a recording of them is much easier.
“These scams play on people’s emotions and use the fear of embarrassment to get people to pay,” says Pope.
As the Christmas shopping season ramps up, so too will the scams. Websites and emails are being crafted by scammers to look more professional and leverage off trusted brands, such as banks, airlines and phone companies. But the scam that comes into its own during the festive season is the courier-company phishing attack.
“The emails usually replicate the branding of a well-known courier company and pretend the recipient has a pending parcel delivery,” Pope says.
The email asks the recipient to click a fake link to accept delivery of the parcel. Sometimes they will be asked to enter their details, which could be used for identity theft or another attack. Often a payment will be demanded for the delivery to be made – for a non-existent parcel.
“It’s always exciting being notified you have a pending delivery, but we recommend a couple of checks,” says Pope. “If you’re not expecting a delivery, don’t click, and take simple precautions such as searching the courier company online and calling to check that the delivery notice is legitimate.”
CERT has received 5000 reports of cybercrime incidents this year, but those are the tip of the iceberg. The majority of attacks, successful or not, go unreported.
The most painful scams to read about are the ones that manipulate people the most. There’s the “Windows technician” calling pensioners and convincing them to transfer money to have their computer “fixed”. Then there’s the most pernicious scam of all – the romance scam. Last year, a Kiwi farmer known in the media as “Mark” told the embarrassing tale of how he lost $1.2 million after being sweet-talked by a woman who contacted him through Facebook.
“This woman, Connie, told me her parents had been killed in a car accident. I talked to her for about two or three months,” Mark told Newshub in February.
“Then she told me she had inherited some gold and needed money to pay fees to have it released by the American government, and I went along with it.” Mark lost the farm he had inherited from his parents as a result of the scam.
However, such cases are extreme and rare, says Pope. “This all sounds pretty scary, but there are things that people can do to keep themselves safe. Most of the measures we can all take to be safer online aren’t complex tech solutions, they’re little things such as making sure you use a different password on each account, or turning on two-factor authentication,” he says.
As we begin to be bombarded with Christmas and New Year sales adverts, Pope has another piece of advice for when you see the prices slashed on high-value products such as electronics, clothes or limited-edition sneakers.
“As the old adage goes, if it’s too good to be true, it probably is.”
This article was first published in the December 14, 2019 issue of the New Zealand Listener.