Why most cybercrime doesn’t involve computer hacking
17 Dec
The weakest link
Hackers and scammers have always targeted people as the weakest link in cyber defences. But as security systems in digital networks, websites and applications become harder to crack, cybercrims are having to rely on ever more sophisticated ploys aimed at people to get the money or information they want.
“For the past few years, attacks have been focusing on people, not infrastructure,” Crispin Kerr, Australia and New Zealand manager at security firm Proofpoint, told a cyber-security conference in Wellington in October.
“The attackers are getting the people they are targeting to do the work for them.”
The simplest kind of attack, says Kerr, involves email fraud, which the FBI estimates has cost US companies US$26 billion ($40 billion) since 2016.
You might receive an email that appears to come from a well-known company or even a colleague in the firm you work at. It will have the familiar logo and be sent from an address very close to the real company name. A “phishing” scam that hit our shores recently tried to get Apple device users to log on to a website to verify their Apple ID credentials, such as username, password and even credit-card details.
On closer inspection, the web address users were sent to was applsigninaccount.com, with the “e” from Apple missing.
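The one-letter trick above can be caught mechanically by comparing the registrable part of a domain against a short list of brand names. The following is an added example, not code from the article or from any firm it quotes; the brand list and the public-suffix set are assumptions, and it generalises the case in the text to any single-character edit (a dropped, swapped or inserted letter) even when the brand is padded with extra words such as "signinaccount".

```python
# Added example, not from the article. KNOWN_BRANDS and PUBLIC_SUFFIXES are assumed lists.

# Tiny stand-in for the Public Suffix List; real tooling should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.nz", "com.au"}

# Brand name -> registrable domains the brand legitimately uses (assumed list).
KNOWN_BRANDS = {
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

def split_registrable(domain: str) -> tuple[str, str]:
    """Return (label, registrable domain), e.g. 'www.foo.co.nz' -> ('foo', 'foo.co.nz')."""
    parts = domain.lower().rstrip(".").split(".")
    for cut in (2, 1):  # try a two-label suffix (co.nz) before a one-label one (com)
        if len(parts) > cut and ".".join(parts[-cut:]) in PUBLIC_SUFFIXES:
            return parts[-cut - 1], ".".join(parts[-cut - 1:])
    return parts[0], domain.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brands(domain: str, brands=KNOWN_BRANDS, max_dist: int = 1) -> list[str]:
    """Brands the domain's label imitates within max_dist edits, excluding the
    brand's own domains. Treat hits as candidates for review, not verdicts:
    'pineapple.com' contains 'apple' exactly and is reported too."""
    label, registrable = split_registrable(domain)
    hits = []
    for brand, legit in brands.items():
        if registrable in legit:
            continue
        # Slide windows of roughly the brand's length across the label, so the
        # brand is caught even when padded with words like "signinaccount".
        sizes = range(len(brand) - max_dist, len(brand) + max_dist + 1)
        windows = (label[i:i + n] for n in sizes for i in range(len(label) - n + 1))
        if any(edit_distance(w, brand) <= max_dist for w in windows):
            hits.append(brand)
    return hits
```

Running `lookalike_brands("applsigninaccount.com")` returns `["apple"]`, while the brand's own `www.apple.com` returns nothing.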
“What is perhaps the most depressing thing about the landscape today is just how spectacularly we’ve seen the rise of spoof emails,” says Kerr. “It’s an attack that doesn’t require any kind of malware or payload whatsoever.”
Instead, it taps into human psychology, adding cues to fool enough email recipients into parting with valuable information. Send 10,000 emails and you might suck in 20 people, which is enough to make the scam worth perpetrating.
Scams in the workplace
Alison Moore has seen all manner of scam attempts. As the IT manager at a large New Zealand media company, it is her job to keep the network and email accounts of 265 employees secure.
It is a job that is getting more difficult by the day. In the first two months of the year alone, employees sent out 139,000 emails and received 1.13 million.
“Of those received, over 10% had some sort of corruption to them that was dangerous to our system,” says Moore.
It is the same for most medium and large companies – a deluge of email, much of it filtered out automatically by email scanning software.
“What we look for are things like unusual email attachments, malware and code from spambots running in the background,” says Moore. “If you come into the office in the morning and you’ve got 150 emails, you’re going through them very, very quickly and you might click on one that you shouldn’t. Six out of 10 times, it’s something that a user’s done that’s going to create the problem.”
The inability of email scanning to catch every malevolent message and the security threats posed by phones, text messages and devices brought onto the premises have resulted in Moore’s company implementing security training for every employee.
These days, most professionals have a profile on LinkedIn, the Microsoft-owned social network that has become the default online CV for millions of people. But it is also used by cybercriminals to harvest details for scam emails.
“We’ve had emails come to our head of payroll, supposedly from an employee,” says Moore. “They say, ‘Could you change my direct debit details, I’ve moved bank accounts, here’s my new information.’ It is completely fake.”
Locking down identity
Applying multi-factor authentication to employees’ email addresses and log-in details can thwart attempts to use compromised credentials. Built into email systems such as Outlook and Gmail, it works by requiring the user to prove their identity with a second factor in addition to their password, so a stolen password alone is not enough to get in.
It can involve signing in via an app on your mobile or entering a code text messaged to you. Increasingly, biometrics are being employed – fingerprint and facial recognition on phones and laptops – to reduce reliance on passwords.
Kerr and other security experts look forward to a password-free world, given the inherent weaknesses in people choosing a password that is easy to remember. If it is memorable, it might be easy to crack.
According to the Government’s Computer Emergency Response Team (CERT), reported cybercrime incidents increased 205% between 2017 and 2018. The cost of reported incidents was put at $14 million last year, with scams and fraud making up $8 million. Government-funded not-for-profit Netsafe put the number even higher.
CERT was set up in 2017 to mirror centres in other countries established to tackle the rising tide of cybercrime. It received a funding boost in this year’s Budget.
CERT’s director, Rob Pope, says the threat categories are “pretty consistent” – scams and fraud, phishing and credential harvesting and unauthorised access.
The big data breach
The big trend internationally is the rise in data breaches. They happen with alarming frequency and have seen credentials for millions of people stolen from the systems of Yahoo, Marriott, Adobe, Dropbox and many others.
“Often this data is then sold or published freely online,” says Pope. “Once this happens, any number of attackers can use this information to target people for future attacks.”
Data breaches feed one of the fastest-growing scams – extortion emails, in particular, webcam blackmail emails – which CERT reports increased 28% between July and September.
The scam works like this: attackers send an email claiming they have used your webcam to record footage of you while you were visiting websites, often ones containing pornographic content. They then threaten to send the footage to all of your email contacts unless you pay up, often via a transfer in the anonymous bitcoin cryptocurrency.
“To make the threat seem real, the attacker includes a password that belongs to the recipient as ‘proof’ – in actual fact, the attacker will have found the details online in a data breach,” says Pope.
A hacker could hijack your webcam, but it is time-consuming and technically difficult to pull off. Tricking people into thinking a scammer holds a recording of them is much easier.
“These scams play on people’s emotions and use the fear of embarrassment to get people to pay,” says Pope.
As the Christmas shopping season…