Plenty of Kiwis exposed, especially via social media sites, says report.

Cyber-criminals are planning their "hits" more carefully and the attacks are lasting longer than ever - and many New Zealanders are leaving themselves exposed to cyber threats on their computers, mobiles and social networks.

An internet security report into cyber attacks, released last night by software company Symantec, has revealed the lengths some people go to in evading security to obtain personal information and devising new ways of breaching privacy.


These include sending targeted emails to unsuspecting people and, increasingly, using social media to pull the wool over people's eyes.


Mark Shaw, Technology Strategist for Symantec in the Pacific, said a recurring theme of the report, which applied to consumers and businesses, was the "mega-data breach".

"What we saw was huge numbers of data records being exposed in the latter part of the year. When we say mega breach that involves breaches which exceed more than 10 million data records, and that happens to a number of high-profile companies.

"The key for consumers is we are all doing business in many ways with these companies so there is a very good chance that our credentials have been exposed as well."

A worldwide breach of Adobe last year saw 150 million usernames and passwords breached. "I was one of those and many other New Zealanders would be as well, so this report went a long way in highlighting this trend is there and [puts] some guidelines around how we can protect ourselves."

The report showed targeted attacks were up 91 per cent last year following an increase the year before of 42 per cent.

"We've seen a huge number of incidents globally and the interesting thing about that is the campaign, the specific incident, is actually taking about three times longer."

That meant criminals were prepared to play a longer game while they had their eyes on a bigger prize.

Mr Shaw said organisations were now under "attack" for about eight days, often through emails carefully crafted and personalised to the recipient. "The intent being to say 'can you double click on this link about you or this topic you're talking about'. That kind of social engineering is what makes up the targeted attacks and is happening over about eight days or so on average."

Interestingly, the number of emails sent as part of the attack had reduced.

"What that says to us is the bad guys are actually more careful about being stealthy and not wanting to spray a lot of emails out there and get detected. If they can keep it to a smaller number and do more research and make sure they're crafted and targeted, their likelihood of success improves as well."

Last year also saw the emergence of ransomware as a force to be reckoned with.

Mr Shaw told the Herald there had been a "phenomenal" increase in ransomware, which is where a device is infected with malware that locks it and displays a message, purportedly from the police, asking for money in order to remove a virus or, in some cases, child porn that doesn't exist.


"They will require you to pay a certain amount of money to the attacker to ensure that can be unlocked and you can regain use of your computer. Hence the name ransomware because they are effectively holding you to ransom." The money ranged between $100 and $400 - amounts Mr Shaw said were "palatable" to many who just wanted the problem to go away quickly.

But recently things had become more sinister.

"More concerning is crypto-locker viruses which don't just put up a lock but encrypt your data, so they are effectively encrypting your personal data ... and holding them ransom. It's concerning because it makes it more challenging to fix.

"If you cast your mind back a few years a lot of the malicious activity that was taking place was happening through email. So you were getting a lot of spam, there were links asking people to click on this ... But what we have seen is a real shift ... and that is towards cyber-criminals using social media."

That meant virtually any social networking site.

"The thought process behind this is that with social media if they [cyber-criminals] can get into your social circle it creates a greater level of trust than from someone you don't know. We see lots of retail-type scams [for example] 'there are 50 vouchers left out of 500' from a particular retail chain and it asks you to click on to a link now."

The "unwary consumer" might see that, share that with their friends and click on the link - unaware that when they're clicking on that link they are being taken to a survey which is giving up their personal information or downloading malicious software.

"New Zealanders need to be suspicious and keep all of this in mind and not just assume that because a friend has posted something it is genuine."


An area of increasing concern to cyber-security experts was mobile phones.

A Norton report that surveyed 30,000 people found around half were not using basic precautions on mobiles: no passwords, no security software and no backing up of files.

"That's a real concern for us because we have seen the measures put in place around PCs - users are getting better at protecting themselves - but they aren't bringing those best practices across to the mobile arena, they are a bit slow on the uptake."

There were simple things that could be done to prevent an attack or at least make yourself less vulnerable.

"I guarantee the majority of New Zealanders will be using the same passwords and usernames across multiple sites because there is a convenience factor there. But the fact is when one breach occurs and those usernames and passwords are used then they can be used across many of those other sites. So that's a risk right there."

Passwords were often not strong enough, with cyber-crims managing to guess them easily.

Mr Shaw said security software had to be updated so devices were protected against cyber-attack.

Above all, people just need to be aware.

"We do need to be suspicious. The old mantra [applies]: 'if it's too good to be true' it probably is."