12 Apr 2016

108 cyber crime attacks per day in NZ

5:07 pm on 12 April 2016

Cyber criminals are targeting New Zealand at a growing rate and there are warnings it will get worse without tougher laws.

A hand enters account details on a laptop (file)

Photo: TEK IMAGE / SCIENCE PHOTO LIBRARY / ABO / Science Photo Library

Tech company Symantec's latest Internet Security Threat Report revealed cybercriminals were setting up their own call centres to run scams, and a new class of professional cybercriminals was extending its reach and fuelling the growth of online crime.

Last year, New Zealand's global rank rose in five out of six threat categories; spam, phishing hosts, bots, network attacks and web attacks. It also had the eighth-highest proportion of global phishing traffic.

Symantec's Mark Shaw said the increase in ransomware attacks in New Zealand was a growing problem.

"We saw that increase by 163 percent over the last year. In New Zealand that is around 108 attacks per day.

"When we talk about ransomware, that's malicious software that ends up on a machine and will encrypt all of your personal documents and require a ransom to be paid before you can get the key to decrypt it."

Symantec technology strategist Mark Shaw

Symantec technology strategist Mark Shaw Photo: Supplied

Mr Shaw said individuals might be asked to pay up to $400 but businesses or organisations like hospitals could be demanded ransoms of tens of thousands of dollars to decrypt files.

"The reason New Zealand is targeted is that we are an affluent nation, but certainly they recognise that there is a lot of monetary gain to be made out of both ransomware and the specific markets that they target.

"So we see New Zealand and Australia - Australia actually came in number one, we came in number four - as being consistent and continual targets for ransomware campaigns."

The report detailed a new class of professional cybercriminals, well resourced and highly skilled, who operated during business hours and took weekends and holidays off.

And low-level criminal attackers were creating call centre operations to increase the impact of their scams.

"What we've seen in the last couple of years is cybercriminals actually buying advertising that will pop up in a browser or on Facebook - and within that, advertising putting up a prompt that appears on your PC that says, there's a problem with your PC, call this toll free number to speak to someone to assist.

"So rather than the cybercriminals calling you, they are no enticing people who might get sucked into that particular scam to actually call them at their call centre, and they'll talk you through a number of steps to fix your machine. Of course, what they are doing is installing fake anti-virus software or they might be malicious software.

"We actually blocked, last year, 100 million attacks. That was a 200 percent rise in the number of attacks that we saw."

The report said malware had risen at a staggering rate with 430 million new malware variants discovered in 2015, showing that cybercriminals were "leveraging vast resources" to try to overwhelm defences and enter corporate networks.

Stolen data kept secret in NZ

Mr Shaw said more than half a billion personal information records had been stolen or lost last year, but that was conservative because a number of countries, including New Zealand, were not required to report breaches.

"New Zealand and Australia are two countries where we don't have mandatory laws, so if I'm an organisation and I lose your data as a customer I have no obligation [to report] that it's taken place even though you could be impacted by that.

"Your data could end up in the hands of somebody else, it could be traded on the underground economy, those credentials could be used in other services.

"One of the things that Symantec is trying to do is grow awareness of the need for mandatory data breach notifications."

Mr Shaw said laws were effective in reporting data breaches in the US and the UK and they should be introduced in New Zealand.

"It makes so much sense that now we're doing a lot of our business online that the organisations holding our data are held accountable."