Quarter Three Report 2017

The latest quarterly report for CERT NZ is for quarter three (1 July – 30 September) 2017.

In this quarter, CERT NZ received 390 incident reports. 43% of incident reports were about businesses and organisations from a range of sectors.

Financial loss from cyber security incidents continues to increase, with over $1.1million of loss reported this quarter. 29% of people who reported to CERT NZ experienced some form of loss.

Reports of ransomware have dropped by over 50% in this quarter compared with the previous quarter. This decrease may be the result of heightened awareness following the widespread coverage of WannaCry and NotPetya ransomware in quarter two. 

Quarterly report July - September 2017 [PDF, 2.3 MB]

Summary report July - September 2017 [PDF, 678 KB]

Results: Incidents reported by sector

The four sectors that reported the most incidents were:

Results: Incidents reported by type

 There has been a 50% decrease in ransomware reports.

Phishing & credentials harvesting 
Unauthorised access
Scams & fraud
Reported vulnerability
Website compromise
Command & control server hosting
Suspicious network traffic
Botnet traffic
Denial of service


Results: Highest reported incidents by region

Graphic of highest reporting regions in NZ [PNG, 118 KB]

The highest reporting regions were:

- Auckland (90),

- Wellington (82),

- Canterbury (19),

- Waikato (16), and

- Otago (16).

Case study - Avalanche clean-up underway

CERT-BUND (Germany) alerted us to New Zealand hosts that were infected by the Avalanche botnet. CERT-BUND was part of a joint operation with international law enforcement agencies to take down the Avalanche botnet server infrastructure in 2016 .

The Avalanche botnet was used as a delivery platform to launch and manage mass global malware attacks and money mule recruitment campaigns. The takedown operation involved law enforcement agencies seizing the command and control servers for the network, disrupting their operations.

As part of the on-going clean-up operation, a number of infected hosts in New Zealand were identified. We have been contacting the relevant ISPs to notify them of the affected computers on their networks to help them clean up the infection.



  • Over $1.1 million in direct financial loss reported.
  • 29% of people who reported incidents suffered some form of loss.

Focus on scams and fraud

Scams and fraud can be categorised as a single incident in itself or part of a wider attack. CERT NZ and Netsafe are working together to align reporting to create a better picture of the scams and fraud landscape.

(figure) 2619Scams and fraud reports received by CERT NZ and Netsafe

(figure) 242Scams and fraud reports were received by CERT NZ

Types of scams and fraud reported

Types of fraud and scam reports in NZ 2017 [PNG, 74 KB]

Invoice scams

Graphic of invoice with hazard signInvoice scams were identified in 39 (16%) of scams & fraud reports.

A basic invoice scam involves scammers sending out fake invoices disguised as invoices for well-known services.

If recipients pay the bill, they lose their money. If they enter into contact with the scammers, the scammers will usually use a variety of social engineering tactics ranging from persuasion through to bullying to try and convince them to pay the fake invoice.

There are also more sophisticated campaigns, where scammers send emails to businesses and organisations that appear to be from a senior executive (such as a chief financial officer) asking the recipient to pay an urgent bill. These emails can come from fake email addresses intended to look legitimate.

Scammers also try to use phishing techniques to gain access to businesses email addresses, making the fake invoices much harder to detect.

Businesses with overseas suppliers have received fake copies of the suppliers invoices. In some cases these suppliers were compromised by attackers, who altered invoices from them in order to steal money from legitimate transactions.

Case study - Invoice scam costs company over $300k

CERT NZ received a report from a small company in the retail, trade and accommodation sector, who had lost a lot of money to an invoice scam. The NZ company had a supplier in China they used regularly. Scammers had managed to get enough information about the Chinese supplier to imitate their emails, including using a very similar email address, and even copying the signature in the email.

The scammers then sent fake invoices to the NZ company, at a time they were expecting to pay and as a result, paid the fake invoices, resulting in losses of over $300,000. The case was referred to the NZ Police for investigation.


Quarterly report July - September 2017 [PDF, 2.3 MB]

Summary report July - September 2017 [PDF, 678 KB]