There are a couple of reasons why phishing is so common.

First, phishing is low cost and easy to do. Unlike some types of cyber attacks, it doesn’t require significant technical ability to be successful. Instead, it relies primarily on social engineering to try to trick people.

This links to the second reason. While networks and systems are constantly being upgraded to keep attackers out, people can make mistakes. The attackers behind these campaigns are aware of this and sometimes use sophisticated methods to get the response they want. They are constantly evolving their approach and use social engineering tactics, like urgency, fear and opportunity to prompt the recipient to respond. In some cases, they’ll try to use authoritative language and emotional levers like a penalty or a fine to prompt action. In other cases, they create fake scenarios that reflect current events to make the communication seem more plausible. For example, CERT NZ saw an increase in phishing attempts focused on COVID-19 during the vaccine roll out.

Most phishing attempts aren’t targeted at a specific person or group. Attackers usually cast their net wide to include anyone who uses technology to communicate. This means campaigns will target thousands of people, so, even if only a small percentage of recipients are tricked into responding, the attackers’ gains can be substantial.

Incidents reported to CERT NZ this quarter have included both common phishing attempts, as well as some newer campaigns, from impersonation of government agencies and banks to messages posing as software retailers and charities.

In terms of tactics, in quarter one, CERT NZ received reports of email phishing attempts designed to prompt a strong emotional response. This ranged from fake relief efforts for Ukraine through to attempts at localised messages with phishing emails written in te reo Māori. Another new example is attackers using phishing to identify potential targets for tech-scam calls, as highlighted in the following case study.

However, no such subscription existed. It was a scam tactic using urgency and the fear of losing money to try to get the recipient to call the number.

If the recipient called the number, the call wasn’t answered. Instead, the attackers collected the caller’s number as someone potentially worth targeting.

Later, the attackers called the recipient pretending to be from a tech-support service or bank unrelated to the initial subscription-based phishing message. They would then attempt to get the recipient to provide banking information or remote access to their home computer.

If you are unsure about a communication you’ve received:

• Go direct. Type the URL into the address bar or use bookmarks to access websites rather than clicking links in emails or texts.
• Just ask. If you’re unsure about an email or text you’ve received, it’s a good idea to check in with the sender via another method like phone or text, or run it past a colleague, friend or family member.

Two steps that help keep your accounts secure

• Use unique passwords on all your online accounts (and a password manager to help remember them) that way, if you share your account information in a phishing attack, your other accounts won’t be affected. You’ll only need to update the password for the compromised account.
• Use two-factor authentication (2FA) on accounts where possible. It provides an extra layer of security on your account in case your password is compromised.

Non-fungible tokens (NFTs) are digital certificates of ownership that can only be bought using cryptocurrency. Each one is ‘minted’ to be unique. An NFT links to an item, such as a piece of digital art, and verifies who owns it using blockchain technology.

An NFT campaign is often related to the release of a certain art or game project with the minting of a limited number of individual pieces. Creators will offer these as pre-orders.

Like many online transactions, NFTs come with their own set of potential cyber security risks.

Types of incidents reported to CERT NZ range from unauthorised access to scams involving buying and selling NFTs and fake investments.

With eight reports about NFT-related incidents this quarter, and associated financial loss close to $50,000, CERT NZ anticipates attackers will leverage the increasing popularity of NFTs for their gain.

NFTs appeal to attackers because they are still mostly unregulated, and payments are difficult to reverse or retrieve. The NFT market can be heavily hyped with high-profile projects and the estimated resale values can create a fear of missing out. Attackers can use this to try to trick people into taking part in their scam.

NAS devices are computers designed to store large amounts of files, or to provide access to the files from multiple devices. NAS devices are set up for a variety of personal and business uses.

Attackers target NAS devices with ransomware because the data stored is often of high personal or business value. This can force those targeted to have to choose between losing their data permanently or paying a ransom and hoping the attacker will keep their word.

CERT NZ recommends not paying the ransom, because it doesn’t guarantee data will be recovered and attackers may target you again.

If a NAS device is exposed to the internet, attackers can use several different attacks to gain access and deploy ransomware. The most common attacks include exploiting vulnerabilities in the operating system and targeting of weak or default passwords. Once the attacker has access to the device, they can begin locking the files. The attacker then demands a payment or ‘ransom’ to have the files unlocked.

This quarter, CERT NZ received reports from small businesses that had their files encrypted with a ‘.deadbolt’ file extension. CERT NZ identified this as being part of a larger campaign actively targeting QNAP and Asustor NAS vulnerabilities.

Following this, CERT NZ published an advisory detailing the affected versions and mitigations to help protect from the attack.

QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware