Kiwis conned out of millions
$9m stolen in three months amid surge in online scam activity
The Government’s cyber security agency has recorded a “massive” jump in online fraud, with scammers draining nearly $9 million from unsuspecting victims in just three months.
Twelve victims lost more than $100,000 each as cyber criminals deployed a devious array of elaborate scams to trick people into giving over their money and personal details, or infiltrated their computers and bank accounts through malware or remote access trojan software.
Data obtained by the Herald from CERT NZ shows the agency received more than 10,000 cyber security reports in the last year relating to phishing attacks, scams and fraud, unauthorised access to email or bank accounts, denial of service attempts, ransom or malware attacks and compromised websites.
The agency admits such attacks are “widespread” with many more going unreported.
Cyber criminals obtained nearly $9m in the last quarter alone (July-September) — a significant increase on the previous quarter ($3.9m) and the quarter before that ($3.7m).
CERT NZ says the number of reported incidents has remained reasonably static in recent months, but the number of attacks resulting in loss through fraudulent criminal activity and unauthorised access to victims’ accounts has jumped about 30 per cent.
The figures include cases like the Invercargill pensioner who lost $134,000 when thieves infiltrated his SBS Bank accounts in July, changed his listed mobile phone numbers to skirt the bank’s two-factor authentication security checks, then drained the money in 11 unauthorised transactions.
SBS has refused to refund the victim and the matter is now under investigation by the Banking Ombudsman.
CERT NZ threat and incident response manager Jordan Heersping said the most common cyber security incident involved phishing attacks, when victims were contacted by malicious actors pretending to be from a bank, internet provider, government agency or financial institution, and convinced to hand over their usernames and passwords.
Phishing attacks could also involve victims clicking on suspect links which then download malicious software to a person’s device, harvesting their personal information and sending it back to the scammers to access bank or email accounts.
These attacks were a “constant threat”. The emails were often well-crafted and difficult to spot, Heersping said.
CERT NZ has also recorded a spike in unauthorised access incidents. Victims may have approved a charge, for instance to receive a non-existent courier parcel, but criminals were then able to set up recurring withdrawals from the victim’s account.
Heersping said many attacks reported to CERT NZ originated overseas. The agency helped victims work with banks to recover stolen money and tried to educate people about the latest scams.
Victims typically lost between $100 and $1000, but elaborate romance or investment scams could see hundreds of thousands of dollars drained, at huge financial and emotional cost.
“For a lot of people, the effect of a cyber attack will have quite a knock-on effect on their mental health.
“We see everything from a couple of dollars to a lot of money, and that’s . . . across businesses and individuals.”
The Herald has reported on two recent cases where cyber criminals accessed pensioners’ online accounts to steal money and the banks refused to reimburse the victims, claiming they had not taken adequate precautions. Under the Code of Banking Practice, banks are obligated to refund customers for unauthorised withdrawals unless the victims acted fraudulently or were “wilfully negligent”.
Asked about liability, Heersping said scam victims had been “fooled”.
“You’re not deliberately giving your details to a malicious actor. You’re tricked into it. It can be quite hard to tell.
“I’d say they’re no more liable than if someone’s jimmied their window open and stole their TV. There might be things they can do [to keep themselves safe], but the reality is they’re victims of a crime and I wouldn’t put the onus on individuals for falling for a phishing attack.”
Heersping said compromised devices could be “cleaned”, which involved a forensic check for malware, often returning the computer or phone to factory settings.
However, most people did not know what to look for and may not realise their device had been compromised until it was too late.
The quicker fraudulent transactions were reported, the more likely the money could be recovered by banks, Heersping said.
It was crucial to educate people about what to look out for and how to protect themselves online.
Police insist they and other government agencies would never contact someone out of the blue asking for their password, credit card or bank details. Anyone who believed they had fallen victim to a scam, in person, over the phone or online should contact police.
“Police acknowledge the financial and emotional distress that falling victim to online scams can cause, and recommend taking a cautious approach to unsolicited emails and approaches online. Trust your gut instinct — if it doesn’t feel right, it probably isn’t,” a spokesperson said.
Consumer Protection NZ has information on how to prevent yourself, family and friends from being scammed, while the Financial Markets Authority provides advice to help avoid falling victim to online investment scams. CERT NZ also provides advice on how to respond to and avoid cyber security incidents.
The information security industry got a surprise the weekend before last when the Australian Government announced a permanent operation with about 100 police and defence officers from the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD).
The operation will go after ransomware gangs, with attorney-general Mark Dreyfus and cybersecurity minister Clare O’Neil saying the police and signals-intelligence (sigint) personnel will gather intelligence on them, identifying their leaders, networks and infrastructure.
Government hacking back isn’t new as such, but it’s not been openly advertised in the past.
Anyone can see why. Australia’s move comes after a ransomware attack on private medical insurer Medibank in which sensitive information on almost 10 million people was stolen.
The AFP and ASD are now tasked with disrupting and stopping similar attacks.
Very sensitive information it is too: Medibank rightly refused to pay the extortion money to the BlogXX criminals who in turn have started to release records in public. This includes names of hundreds of people who’ve been treated for alcoholism or had abortions.
All the data is available in neatly comma-separated files, with patients’ birthdates, addresses, phone numbers and emails.
That ransomware raiders are a particularly scummy lot has been known for a while. Two years ago, Finnish psychotherapy provider Vastaamo was hacked and its patient database copied by criminals who extorted individuals registered with the mental health provider.
Punishing unscrupulous criminals who do not hesitate to hurt vulnerable people is a must. However, hacking back is a contentious proposition, to say the least.
Cyber crims route their attacks through compromised systems far removed from themselves to obscure where the attacks originate, and there is a risk of causing collateral damage if the always-difficult attribution of who is guilty turns out to be wrong.
There’s also the risk of leaking hacking techniques and revealing vulnerabilities unknown to the outside world. Agencies tasked with hacking back also face the ethical conundrum of not sharing software and hardware exploit knowledge so that the flaws can be patched and make the world’s IT systems safer.
Even so, something had to be done beyond authorities’ sound advice to use strong passwords and apply updates. There is now an official political remit to go after hackers anywhere in the world. It’ll be an area to watch, as many gangs are state-linked operations in countries hostile to the West.
For example, Russia has sheltered ransomware criminals and destructive hackers who have at times worked with its intelligence agencies. This is evident from simple things such as malware being coded not to activate in Russia.
As Russia continues to flail and come a cropper in its barbaric invasion of Ukraine, there is now an even more clear imperative for Western nations to protect critical IT infrastructure. This is to prevent damage and extortion money landing in Putin’s war chest.
Due to the war, Ukrainian authorities have also become strongly incentivised to crack down on digital criminals, such as the JabberZeus banking Trojan gang, with Ukrainian and Russian members, which has stolen tens of millions of dollars worldwide.
Its leader Vyacheslav “Tank” Penchukov from Russia-annexed Donetsk was recently arrested in Switzerland. Penchukov had been protected by his connections with the family of former Ukrainian President Victor Yanukovich for more than a decade.
Ransomware is big business, which last year led to losses in the tens of billions for victims. With that kind of money and easy access to malware as a service, launching ransomware attacks is tempting for keyboard crims who think they can’t be traced.
A spate of prosecutions in recent years shows that at best the criminals are pseudonymous.
Sigint agencies and police crews have a crucial advantage over ransomware crooks: the former have had to learn through investigating attacks and actively defending targets; the latter usually have not, and are often clueless about operational security (opsec).
Developers of ransomware and those who operate the payments system are aware of this, and try to stay out of the limelight, with associates lured to do dirty deeds in return for a cut of the extortion money.
Finding ransomware associates won’t be quite like shooting fish in a barrel, but not far off.
Killing off as much of the ransomware-as-a-service industry as possible is a great tactic that will hurt the criminals behind the operations.
People and organisations may become complacent, since there is now an official defence shield. “Outsourcing” information security and thinking it’s the Government’s job would be disastrous. Don’t let the guard down.