This quarter, CERT NZ responded to 3,977 incident reports about individuals and businesses from all over New Zealand. This report shares information around these incidents as well as highlighting examples of work CERT NZ is doing to help. There are 2 parts to the report:
- A Highlights Report focusing on selected cyber security incidents and issues.
- A Data Landscape Report providing a standardised set of results and graphs for the quarter.
3,977 incidents were responded to by CERT NZ in Q4 2021
$6.6 million in direct financial loss was reported in Q4. 11% of incidents reported financial loss.
Malware reports increased from 151 in Q3 to 1,707 in Q4
Scams and fraud reports increased by 16%
The average number of incident reports per quarter is 1,733 and average direct financial loss per quarter is $4.0 million. These figures are based on the previous 8 quarters.
A total of 3,977 incidents were responded to in Q4 2021.
Incidents responded to by CERT NZ
Breakdown of incident category
Malware is the most reported incident category, with 1,707 reports in Q4, a 1030% increase on the previous quarter.
Breakdown by incident category
Focus area: Log4j vulnerability
In December a critical security vulnerability in an open-source software component called Log4j was made public.
How the Log4j vulnerability works
What is Log4j
Log4j is a Java-based logging software component used to carry out numerous tasks, including recording and communicating warning or error messages. Common examples include recording what types of devices are accessing your website or when someone tries to access a missing file on your website resulting in a “404 error” message.
How does the vulnerability affect systems?
The Log4j vulnerability, known as Log4Shell, allows attackers to run their own malicious code on a system. The results of this attack can vary and could include a system being controlled remotely, data being stolen, or the system being locked down with ransomware. Once the system is infiltrated, other systems within the organisation can be targeted.
CERT NZ response
CERT NZ was the first government organisation internationally to release advice on the Log4j vulnerability. This information was quickly picked up and circulated by international agencies and media, helping raise awareness of the risk and share advice to help protect against compromise.
Our Incident Response team worked with local and international agencies to establish an incident coordination and response function, and shared information about how the incident was progressing.
Log4j RCE 0-day actively exploited
How to protect your systems
As Log4j is widely used, you may not know if it’s part of your system. CERT NZ recommends that you talk to your IT team or IT service provider to make sure they’re taking the right security steps to help reduce risk.
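One way an IT team can check whether Log4j is present, shown as an added example that is not CERT NZ's own tooling: the script walks a directory and looks inside Java archives, including archives nested in other archives, for a class file that ships with Log4j. The marker path, the size and depth limits and the sample archive are assumptions of this example; a hit shows only that the component is bundled, not whether it has been patched.

```python
import io
import os
import zipfile

# Assumption (not from the CERT NZ page): this class file ships inside the
# log4j-core library, so finding it marks an archive that bundles Log4j.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5                      # stop runaway recursion on nested archives
MAX_NESTED_BYTES = 200 * 1024**2   # do not unpack oversized nested entries


def scan_archive(src, label, depth=0):
    """Return 'outer!inner' labels of every archive layer holding MARKER."""
    hits = []
    try:
        with zipfile.ZipFile(src) as zf:
            for info in zf.infolist():
                name = info.filename
                if name == MARKER or name.endswith("/" + MARKER):
                    hits.append(label)
                elif (name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH
                      and info.file_size <= MAX_NESTED_BYTES):
                    nested = io.BytesIO(zf.read(name))
                    hits += scan_archive(nested, f"{label}!{name}", depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError):
        pass  # corrupt, encrypted or unreadable archive: skip it
    return hits


def scan_tree(root):
    """Scan every archive file found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                hits += scan_archive(path, path)
    return hits


def build_sample():
    """Constructed sample: a WAR bundling a JAR that contains the marker."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(MARKER, b"")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/logging-lib.jar", inner.getvalue())
    return io.BytesIO(outer.getvalue())
```

Call `scan_tree()` with an application or server directory to list every archive, and the archive it is nested in, that bundles the component.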
Insight: Flubot fallout continues
In Q4, Flubot made up two-thirds of the 1,707 malware incidents reported to CERT NZ. Flubot (which we covered in Q3 2021) began affecting New Zealanders in September. It was sent through text messages containing a malicious website link that, if clicked on, downloaded malware to the recipient’s phone. Reports of Flubot spiked in the first part of Q4, with a total of 1,107 reports across the quarter.
Insight: Financial losses from scams and fraud increase
This quarter, CERT NZ received 568 reports about scams and fraud with an associated direct financial loss of $5.9 million, an increase of 269% from last quarter. It is the highest direct financial loss from scams and fraud in a single quarter to date.
Of the scam and fraud incidents reported, the 3 scam categories with the highest direct financial loss in Q4 were ‘buying, selling or donating goods online’ ($2.3m), followed by ‘investment scams’ ($1.8m) and ‘a new job or business opportunity’ ($1.1m).
Buying, selling, or donating goods online
Scammers are opportunistic and always looking for ways to exploit New Zealanders’ uptake in online shopping, and this was reflected in the busy holiday season.
Reported financial losses from ‘buying, selling or donating goods’ online per quarter
What to look out for
To help work out if an online store is genuine, check:
- the domain name owner’s address is registered in New Zealand
Whois lookup — New Zealand Domain Name Commission
- the store is a registered New Zealand company.
Search the companies register — New Zealand Companies Office
Be wary of websites that do the following.
- Don’t list a physical address or have unusual contact information.
- Don’t display terms of trade (including return policies) or fully disclose costs (such as shipping and delivery).
- Have significantly lower-priced goods. This should raise your suspicion that you might not get what you expect. If a deal is too good to be true, it probably is.
- Have a URL that doesn’t seem to match what they’re selling. For example, if Bob’s Sporting Goods (bobssportinggoods.co.nz) is selling luxury handbags.
- Have negative online consumer feedback and reviews.
If you think you have been affected by a scam, please report it confidentially to CERT NZ and immediately notify your bank if you’ve made a payment or shared payment information.