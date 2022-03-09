Image / Herald Network Graphic

Chris Keall is the technology editor and a senior business writer for the NZ Herald

Reported financial losses from cybercrime stood at $6.6 million in the final three months of 2021 - a record for the December quarter, and double the amount lost in the September quarter.

That's according to the latest quarterly report by the Government's Computer Emergency Response Team (Cert NZ).

While two-thirds of incidents involved losses of less than $500 to hackers or online scammers, ten people were taken for more than $100,000, versus seven in the prior quarter.

The larger picture is more mixed.

For the full year 2021, a total of $16.8m in financial losses were reported to CertNZ - actually a slight dip from 2020's $16.9m.

But the number of incidents reported to Cert NZ in the December quarter 3977 - was a record by any measure. It represented a 92 per cent jump on the September quarter, and a 13 per cent increase on the year-ago quarter.

Direct financial losses from cybercrime. Source / Cert NZ Quarterly Report Oct-Dec 2021

How many are actually being hit?

In the US, an FBI report estimated that only 15 per cent of cyber incidents are reported.

Here, threat analyst Brett Callow said there was likely to be "massive under-reporting" here, too. There is always sheepishness about commercial or reputational damage.

And on top of that, many simply don't know that Cert NZ exists, and that all cyber incidents should be reported via its website (cert.govt.nz) or via 0800 CERT NZ (0800 237 869).

Reported cyber security incidents. Source / Cert NZ Quarterly Report Oct-Dec 2021

CertNZ director Rob Pope told the Herald this morning:

"We know that our reporting numbers don't capture the entire picture of cyber threats in New Zealand.

"However, the large increase in reports is heartening, as it shows that every year more New Zealanders know that when they see or are impacted by an incident, they can report it to us and get help without their identity or organisation being revealed."

The largest threats and scams

Fallout from "Flubot" continued in the fourth quarter, with complaints about the text scam accounting for around two-thirds of incidents reported.

The scam began as a text message that purport to be from a courier company, asking you to click a link to receive a parcel.

It later morphed into a message saying you had been tagged in an online photo album and other variants.

But the scammers' intent is always the same: to get you to click on a link that purports to offer a service, but will actually download Flubot malware onto your Android phone (iPhones are not targeted) - which can steal details such as your bank account login.

Flubot also accesses your phone's address book, then texts a message to all your contacts.

Cert NZ director Rob Pope: "We know that our reporting numbers don't capture the entire picture of cyber threats in New Zealand."

The precautions remain the same: Be wary of any text that purports to be from an organisation if it comes from a regular cellphone number. It's a red flag. Phone the organisation involved - via the number you get from its website - to confirm the request. Banks, courier companies, and the likes of the Ministry of Health typically use a short messaging service platform that sends text messages from a four-digit code.

For example, if the Ministry of Health has sent you a text about collecting a RAT, you'll see it comes from 2328, not a regular mobile number.

Ransomware fell away in the fourth quarter, with just 13 incidents, while reports of direct hacking - that is, breaking into a computer network - remained low. Scams that rely on people having the gullibility to click on a dodgy link remain easily the largest threats.

Do we need to worry about Putin's hacker army?

Cert NZ overs individuals and small businesses, and steered the Herald to the GCSB for a response to this question.

Even before Russia unleashed waves of cyber-attacks on Ukrainian institutions a precursor to its physical invasion (according to Microsoft, which says it helped to repel them), our spy agency was warning about an increase in attacks from state-sponsored hackers.

The latest annual report from the GCSB-run National Cyber Security Centre (NCSC), for the year to June 2021, reported 404 attacks on the "organisations of national interest" (such as Government agencies and key exporters) who sit under the spy agency's umbrella of cyber-protection.

And of those 404 attacks, 110 were pinned on politically-motivated state-sponsored actors - a 28 per cent increase over the previous year.

Image / 123rf

On February 28, the NCSC said it "encourages Aotearoa New Zealand's nationally significant organisations to consider and strengthen their cyber security readiness in response to heightened tensions between Russia and Ukraine.

"Alongside heightened tensions, there is an increased potential for cyber attacks. These may have a serious impact, even for countries and organisations not directly targeted."

There have so far been no reports of any Russian attacks on NZ institutions.

Do everyday internet users need to be worried about Kremlin-controlled hackers?

While there is little percentage for Putin in disabling Mary Smith's iPad in Papamoa, there are a number of precedents for malware created to attack nation-states getting loose in the wild.

And regardless, it pays to follow good security practices, Pope says.

"Cert NZ's advice on how to protect yourself or your business doesn't change [with the Ukrainian invasion]," Pope says.

"The four basic steps of strong unique passwords, regular software updates, two-factor authentication, and keeping your personal information safe, do not change.

"And for companies, our 10 critical controls outline the areas that businesses need to focus on to better allocate assets."