Quarter Four Report 2019

This quarter, CERT NZ received 1,197 incident reports by individuals and businesses from all over New Zealand. This report shares examples of the incidents and advice on how to best protect against them.

There are two parts to the Q4 Report

There are two parts to the Q4 report; a highlights report focusing on selected cyber security incidents and issues, and a data landscape report providing a standardised set of results and graphs for the quarter.

Quarterly Report: Highlights Q4 2019 [PDF, 477 KB]

Quarterly Report: Data Landscape Q4 2019 [PDF, 943 KB]

Accompanying the Q4 report is the 2019 Report Summary, giving an overview of what CERT NZ has seen and done in 2019.

Read the 2019 Report Summary

Highlights

1,197 incidents were reported in Q4, down 12% on Q3.

$4.7 million in direct financial losses reported

11% increase in phishing and credential harvesting reports from Q3

27% decrease in scam and fraud reports from Q3

Number of incidents reported by quarter

A total of 1,197 incidents were reported in Q4 2019, down 12% on Q3.

Breakdown by incident category

The greatest number of reports received in Q4 were those in the phishing and credential harvesting, and scams and fraud, categories.

Long desription of graph

Breakdown by incident category

Phishing and credential harvesting
Q3 2019: 514
Q4 2019: 571

Scams and fraud
Q3 2019: 550
Q4 2019: 401

Unauthorised access
Q3 2019: 109
Q4 2019: 99

Denial of service
Q3 2019: 36
Q4 2019: 30

Malware
Q3 2019: 21
Q4 2019: 20

Ransomware
Q3 2019: 18
Q4 2019: 17

Website compromise
Q3 2019: 12
Q4 2019: 13

Suspicious network traffic
Q3 2019: 30
Q4 2019: 9

Reported vulnerability
Q3 2019: 31
Q4 2019: 5

Other
Q3 2019: 33
Q4 2019: 30

Focus area: SIM swapping attacks

SIM swapping overview

CERT NZ received a cluster of reports of SIM swapping attacks in Q4, where attackers were able to gain access to the victim’s online bank accounts. While the number of reports was small (less than 10), the average financial loss from these attacks was $30,000. Given the potential impact of this type of attack we want to share how to protect yourself and your business.

Long description of diagram

Attacker calls target's mobile provider and requests that the target's mobile number is transferred
Number is transferred to a different SIM, target unaware
Attacker tries to access target's account, either using stolen credentials or requesting a password reset
The 2FA code is sent via SMS to the attacker and they can access the account
Target only becomes aware when their phone is disconnected or they are locked out of an account

How SIM swap attacks work

SIM swap attacks (also known as SIM porting or SIM hijacking) are where an attacker uses social engineering techniques to manipulate a mobile phone provider into porting a mobile phone number from a genuine customer’s SIM card to the attacker’s SIM card. The attacker can then receive all SMS messages and voice calls intended for that customer.

Once the attacker has the victim’s mobile phone number on their SIM card, they try to access the victim’s accounts, such as bank accounts, using stolen or guessed credentials. When prompted for a two-factor authentication code, the attacker uses the stolen number to receive two-factor authentication by SMS, working around the security control.

Being compromised in this way represents a significant risk to the people and businesses targeted by these attacks because the attacker can perform sensitive tasks, like changing passwords or authorising financial transactions.

Anecdotal reports show that incidents of SIM swapping are on the increase, as motivated attackers find ways to circumvent additional security controls.

Reducing the impact of SIM swapping

It’s difficult for an individual to prevent or detect SIM swapping. Attackers can contact mobile phone service providers and have numbers transferred without the user’s knowledge. But, there are ways to prevent or reduce your chances of being a target of successful SIM swapping, including:

Be careful where you share identity information Your personal information can be used to impersonate you, particularly when it’s used as part of the identity confirmation process. If you know that your mobile phone provider confirms your identity by asking for personal information, make sure it’s hard to find online. For example, you may be asked for your date of birth so make sure you’re not sharing it on your public social media accounts.

Be creative with account recovery questions For some services, when you set up your account you’ll be asked to provide answers to a set of security questions. These are generally used as a way to identify you if you forget your password and need a prompt — like your mother’s maiden name. Unfortunately, these are also easy things for an attacker to find out, and could be used to gain access to your accounts without your knowledge. Where you can, make up something memorable but untrue that an attacker couldn’t find through a simple search of your name. You can use a password manager to store these answers too.

When there’s a choice, don’t use SMS two-factor authentication SMS two-factor authentication is better than a password alone, but there are stronger options available. Ask your bank or service provider if they offer other forms of two-factor authentication for account access. For example, this might be an app-based authenticator that generates a new code every 60 seconds or sends you a push notification.

Get notifications Check with your bank or service provider about whether they have a system to notify you about suspicious account activity – like sending you an email any time there’s a request for a transaction over a certain value.

What to do if you are affected

If you notice suspicious activity on your online banking or email accounts, such as unprompted password reset notifications, or if your phone suddenly loses connection to your mobile phone provider, you may be affected by a SIM swap attack.

If you’re affected, take the following steps immediately:

Report the incident to CERT NZ, we can help with advice to secure yourself. With your permission we can also work with the New Zealand Police.
Reset passwords for your important online accounts. Online banking and email should be a priority.
Report the incident to your provider of the affected account, for example your bank. They may be able to place more protection on your accounts and, if early enough, reverse any unauthorised transactions.
Report the incident to your mobile phone network provider and ask them to check if your mobile phone number has been transferred to another network.

Report an incident

Advice for businesses

Businesses that are responsible for customer accounts and data should consider the controls they have available. Attackers may try to compromise your customers’ accounts using SIM swapping attacks. Protect your customers by:

using our critical controls when designing and implementing your systems
using app-based or hardware two-factor authentication for customer access to your services where possible. If this isn’t an option, SMS-based two-factor authentication is still better than relying on a password alone.

If you use a third party vendor or provider for your IT, ask them about the secure authentication and access controls available for customer-facing services.

Read CERT NZ’s Critical Controls

Report an incident

Case study: SMS phishing on the hook

This quarter we saw a large SMS phishing campaign targeting the customers of a New Zealand bank.

The campaign used an online bulk text messaging service to send text messages to 27,000 New Zealand mobile phone numbers. Roughly 12,000 of these people were customers of the reporting bank.

CERT NZ coordinated a joint response to the incident with the affected bank, New Zealand Police and the Department of Internal Affairs. As a result of this collaboration, measures were taken to protect the bank’s customers and stop the campaign before further harm was done.

Because the incident report made to CERT NZ contained lots of actionable information, we were able to help the bank quickly identify how the attack was performed and mitigate some of the immediate threat. It also added important detail to our understanding of this type of attack in the threat landscape, and we use this information to keep more New Zealanders safe.

If you receive spam text messages, or text messages with suspicious links, forward them to the Department of Internal Affairs’ text message spam reporting number: 7726.

Insight: Scam calls spike in quarter four

CERT NZ has seen an increase in reports of scam calls trying to extract private information from people.

The graph below shows the numbers of scam call reports received over the last 12 months.

CERT NZ receives a wide variety of reports about scam calls. A large portion is familiar and well-documented tech support scams. Alongside these, robocalls are increasingly popular. These automated calls claim to offer credit card holders an increase on their credit limit or notify them of a supposed suspicious transaction. If you receive calls such as these, hang up immediately and contact your bank.

New in this quarter, are reports of a scam call campaign claiming to be from the ‘New Zealand Government Grants Department’ and advising the victim that they’ve been awarded a $10,000 tax refund grant, subject to confirming some security questions. This scam is designed to harvest personal details to gain access to their accounts.

Scam calls need a coordinated response; they impact New Zealanders from all walks of life and they’re hugely variable. To combat this, the Telecommunications Forum (TCF) has signed Memoranda of Understanding with key agencies, including CERT NZ and other government partners. By teaming up, and sharing information with the TCF, we are seeing scam call campaigns stopped early so fewer New Zealanders are impacted by them.

If you think you’ve received a scam call, you can report it to CERT NZ.

Report an incident