This quarter, CERT NZ received 1,197 incident reports from individuals and businesses all over New Zealand. This report shares examples of the incidents and advice on how to best protect against them.
There are two parts to the Q4 Report
There are two parts to the Q4 report: a highlights report focusing on selected cyber security incidents and issues, and a data landscape report providing a standardised set of results and graphs for the quarter.
Accompanying the Q4 report is the 2019 Report Summary, giving an overview of what CERT NZ has seen and done in 2019.
Number of incidents reported by quarter
Breakdown by incident category
The greatest number of reports received in Q4 were those in the phishing and credential harvesting, and scams and fraud, categories.
Focus area: SIM swapping attacks
SIM swapping overview
CERT NZ received a cluster of reports of SIM swapping attacks in Q4, where attackers were able to gain access to the victim’s online bank accounts. While the number of reports was small (fewer than 10), the average financial loss from these attacks was $30,000. Given the potential impact of this type of attack, we want to share how to protect yourself and your business.
How SIM swap attacks work
SIM swap attacks (also known as SIM porting or SIM hijacking) are where an attacker uses social engineering techniques to manipulate a mobile phone provider into porting a mobile phone number from a genuine customer’s SIM card to the attacker’s SIM card. The attacker can then receive all SMS messages and voice calls intended for that customer.
Case study: SMS phishing on the hook
This quarter we saw a large SMS phishing campaign targeting the customers of a New Zealand bank.
The campaign used an online bulk text messaging service to send text messages to 27,000 New Zealand mobile phone numbers. Roughly 12,000 of these people were customers of the reporting bank.
CERT NZ coordinated a joint response to the incident with the affected bank, New Zealand Police and the Department of Internal Affairs. As a result of this collaboration, measures were taken to protect the bank’s customers and stop the campaign before further harm was done.
Because the incident report made to CERT NZ contained lots of actionable information, we were able to help the bank quickly identify how the attack was performed and mitigate some of the immediate threat. It also added important detail to our understanding of this type of attack in the threat landscape, and we use this information to keep more New Zealanders safe.
If you receive spam text messages, or text messages with suspicious links, forward them to the Department of Internal Affairs’ text message spam reporting number: 7726.
Insight: Scam calls spike in quarter four
CERT NZ has seen an increase in reports of scam calls trying to extract private information from people.
The graph below shows the number of scam call reports received over the last 12 months.
CERT NZ receives a wide variety of reports about scam calls. A large portion are familiar and well-documented tech support scams. Alongside these, robocalls are increasingly popular. These automated calls claim to offer credit card holders an increase on their credit limit or notify them of a supposed suspicious transaction. If you receive calls such as these, hang up immediately and contact your bank.
New this quarter are reports of a scam call campaign claiming to be from the ‘New Zealand Government Grants Department’ and advising the victim that they’ve been awarded a $10,000 tax refund grant, subject to confirming some security questions. This scam is designed to harvest the victim’s personal details to gain access to their accounts.
Scam calls need a coordinated response; they impact New Zealanders from all walks of life and they’re hugely variable. To combat this, the Telecommunications Forum (TCF) has signed Memoranda of Understanding with key agencies, including CERT NZ and other government partners. By teaming up, and sharing information with the TCF, we are seeing scam call campaigns stopped early so fewer New Zealanders are impacted by them.
If you think you’ve received a scam call, you can report it to CERT NZ.