Quarter Three Report 2019

This quarter, incidents are up 13% from quarter two, with 1,354 reports from businesses and individuals from across the country. This report shares examples of the security issues that are impacting people and organisations all over the country, and offers advice on how to best protect against them.

Quarterly Report: Highlights [PDF, 433 KB]

Quarterly Report: Data Landscape [PDF, 1.2 MB]

Highlights

1,354 incident reports in quarter three. The highest number of reports received to date.

In Q3, reported direct financial loss was $3.8 million

27% increase in phishing and credential harvesting reports from quarter two.

107% increase in vulnerability reports from quarter two.

Results by numbers

Number of incidents reported by quarter

CERT NZ graph showing number of incidents reported. In quarter three 2019, New Zealanders reported 1,354 incidents to CERT NZ.

We received 1,354 reports in the third quarter of 2019. This is the highest number of incidents reported in a quarter to date.

Results by incident

Breakdown of incident category

CERT NZ graph showing number of incidents reported. In quarter three 2019, New Zealanders reported 1,354 incidents to CERT NZ.

Scams and fraud, phishing and credential harvesting, and unauthorised access have consistently been the highest incident categories since quarter four, 2017.

Focus area: Phishing

Phishing overview

Phishing made up 38% of all incident reports this quarter. Since CERT NZ launched in 2017, New Zealanders have reported more than 3,000 phishing incidents.

Since CERT NZ launched in 2017, we’ve:

worked with organisations and individuals to help them recover
helped take down phishing websites and disrupted campaigns
investigated the software attackers use to distribute phishing campaigns and used the findings to develop preventions and mitigations to help protect against them.

Phishing may seem harmless, but it has a big impact on New Zealanders, the organisations they work for and businesses they run. It’s often a precursor to more serious attacks. Attackers use a variety of phishing techniques in an attempt to trick recipients into sharing their private information, make financial transactions, or to open malicious attachments or files.

Types of phishing

How well do you know the types of phishing out there?

Phishing emails are sent to large email lists to reach as many people as possible. They can be hard to spot as attackers often make them look like they’re from a well-known organisation. The emails usually replicate the organisation’s branding, use similar language and URLs, and spoof the email address to appear legitimate.

Spear phishing emails are more targeted than generic phishing emails and can be a precursor to business email compromise. Attackers often have specific knowledge about the recipient or their organisation—usually found by researching websites and social media—making them seemingly more legitimate and harder to spot.

Whaling is similar to spear phishing, but usually targets senior executives within a business to trick them into sharing high-level information and making financial transactions.

Vishing (voice phishing) is phishing attempted via a phone call. The attackers pretend to be from well-known organisations and usually say they are calling to help the recipient with a service like their computer software, finances or tax refund—you might have heard of the ‘Microsoft tech support’ vishing scams.

Smishing (SMS phishing) is phishing distributed via SMS or text message. These campaigns are low cost and low effort for attackers who send out masses of text messages to blocks of phone numbers. Like generic phishing, they’re large scale and less targeted— the SMS or text aims to trick recipients to click on a URL, visit the phishing website and enter their credentials.

Search engine phishing is when attackers use search engine optimisation techniques to ‘promote’ their phishing websites to the top of search results, where they can be mistaken for legitimate versions of websites. These can be difficult to tell apart from the real websites as they often copy the branding and use similar-looking URLs.

Phishing trends

At CERT NZ we see certain sectors and organisations targeted at different times by different phishing techniques.

The most reported type is generic phishing emails, likely due to the low effort required by attackers to target large numbers of people. In quarter three, there was an increase in phishing and vishing pretending to be from Inland Revenue and trying to trick recipients into sharing their financial information. Another campaign on the rise is courier phishing emails. These pretend to be about a pending parcel delivery and request the recipient to click a link to accept.

CERT NZ anticipates seeing an increase in this campaign over the upcoming holiday season due to the higher demand for courier services.

The holiday season is also likely to bring an increase search engine phishing, with scam websites pretending to be well-known retail brands to target online shoppers—one key indicator of these sites is high-value consumer goods offered at a fraction of the price.

Protecting yourself from phishing

As phishing techniques change over time, it’s a good idea to stay up-to-date with simple steps to help spot and protect yourself from them. These include:

Use unique passwords on all your online accounts (and password managers to help remember them)—that way if you lose your account information in a phishing attack, your other accounts won’t be impacted and you’ll only need to update the password for the compromised account.

Use multi-factor authentication (MFA) on accounts where possible. Including this additional login step provides an extra layer of security to help protect your personal and financial information. That way, even if someone got your password, they’d still need to get past this additional security.

Check the links. If you’re unsure about an email you’ve received, hover over the links in the email to check if they’ll go to a legitimate website. If the email looks to be from someone you know, check the sender’s email address is correct.

Ask someone. If you’re unsure about a message you’ve received, it’s a good idea to check it with a colleague, friend or family member. There’s no shame in asking for help.

Report it. If you’ve received a phishing email or you’ve responded to one, get help quickly by reporting it confidentially to CERT NZ. We’ll help you work out the steps you need to secure your accounts, and your report means we can get the message out to help protect others.

Report to CERT NZ External Link

Webcam blackmail scams steadily rise

Quarter three data shows that webcam blackmail scams continue to affect New Zealanders, with a 28% increase of reports from the previous quarter.

This email extortion scam variant, which claims to have accessed the recipient’s webcam and recorded them in the privacy of their home, first spiked in quarter three last year. Despite public awareness, reports of the scam continue to increase, with some incidents reporting of financial loss.

When the first surge of webcam blackmail scams hit in October 2018, CERT NZ released an advisory with preventions and mitigations to raise awareness and help New Zealanders protect against the scam.

Webcam and password blackmail scam advisory External Link

Case studies

CERT NZ works with researchers and vendors to resolve vulnerabilities

CERT NZ’s coordinated vulnerability disclosure (CVD) process helps researchers and finders communicate vulnerabilities with the affected vendors and have them resolved.

In quarter three, vulnerability reports more than doubled from the previous quarter, with a number being handled under the CVD process. In a recent case, a finder contacted CERT NZ reporting two vulnerabilities they’d found. The first was with an offshore company. Because the finder wanted to remain anonymous, CERT NZ contacted the business on their behalf and notified them that a critical flaw in one of their products had been reported.

The business was not aware of the flaw and as a result of the CVD process, the vulnerability was successfully resolved.

The second CVD reported was about a New Zealand-based company, which provides internet-connected devices. The finder had identified a critical flaw in one of their products. CERT NZ worked with the finder to gather information about the vulnerability and sent it to the business. This vulnerability was a high risk for the business and its customers, potentially allowing an attacker to compromise personal networks.

With CERT NZ acting as the information conduit between the parties, the business found a solution and fully resolved the issue.

Over 65s’ online resilience improving

This year, CERT NZ’s data has shown a positive trend for the over 65 age group. Since quarter one, there has been a 60% decrease in direct financial losses reported, while at the same time, a 20% increase in the number of reports about this age group.

This positive trend indicates that although cyber attacks are on the rise, the over 65 age group are taking the simple security steps to help build their online resilience and increase their ability to protect themselves and their finances from scams and attacks.

CERT NZ’s targeted awareness programmes like Get Password Smart and our partnerships with national organisations including SeniorNet have been one of the ways we’ve worked with this age group to actively engage them in easy ways to keep secure online.

Although this is good news for the over 65s, our data shows that cyber attacks continue to make a big financial impact on every day New Zealanders. Losses reported by the 45 – 55 age group have climbed this year from $271,279 (Q1) to $1,112,012 (Q3), an increase of more than 300%. We’ve also seen increases of more than 55% in direct financial loss from the under 18 and 18 – 24 age groups—with scams and fraud remaining the largest category for both incidents and direct financial loss reported.

Gathering data on age furthers our understanding of how cyber security incidents are impacting New Zealanders. It helps inform the focus of our upcoming campaigns and outreach programmes as we continue to engage all New Zealanders with simple security measures to help boost their online resilience.