Tuesday 12 April 2016 04:35 PM
NZ a soft target for growing cyber-crime threat, report says
By Fiona Rotherham
April 12 (BusinessDesk) - The incidence of computer-attacking software has exploded in the last six years, from 2.3
million new pieces of malware in 2009 to 430.5 million last year, according to the latest Symantec Internet Security
Threat Report, with New Zealand seen as a relatively soft target.
The report says cyber criminals are going corporate, establishing professional businesses with nine to five work hours
and holiday pay, and their skills now match those of nation-state attackers.
“We are even seeing low-level criminal attackers create call centre operations to increase the impact of their scams,”
said Symantec director Kevin Haley.
New Zealand was an increasingly popular target for cyber criminals, ranking second in the southern hemisphere in 2015
behind Australia and 21st globally for ransomware attacks – where cyber criminals put malware on someone’s computer and
hold their digital content hostage until they pay up.
The report estimates ransomware attacks in New Zealand averaged 108 per day, compared to 636 in Australia. They
increased 35 percent globally in 2015 and spread beyond PCs to smartphones, Mac and Linux systems, with attackers
seeking any network-connected device to hold hostage for profit. The Internet of Things is predicted to connect 20.8
billion devices by 2020, including medical devices.
New Zealand ranked 21st globally for social media scams and was one of several countries targeted for tech support
scams, which rose 20 percent last year, said Mark Shaw, technology strategist for Symantec, which sells the Norton
anti-virus software. Its annual report, which is commonly cited globally in the absence of more independent figures, is
based on data from its own network.
New Zealanders were fairly naïve when engaging on the internet, Shaw said, and the country needs legislation to force
companies to report data breaches to their customers.
Replacing the current voluntary data breach reporting law with mandatory reporting forms part of proposed changes to New
Zealand’s privacy legislation being drafted at present.
The draft legislation will need to define breaches, from deliberate access by a third party or accidental loss, to the
threshold for mandatory notification.
The Privacy Commissioner received 121 voluntary notifications of data breaches last year, mostly caused by human error
or carelessness, but how many go unreported is unknown.
The Symantec report says a total of 429 million identities were exposed by cyber crime, up 23 percent on the previous
year, that is estimated to rise to half a billion if unreported breaches were included. The report found an 85 percent
increase in companies choosing not to report lost records last year.
Shaw said just under half of data breaches in 2015 were the result of external hackers, often thanks to lost laptops or
USB sticks and some by malicious insiders.
The Dyre financial Trojan malware stole the credentials of thousands of customers worldwide before being largely snuffed
out by the end of last year, Shaw said. It targeted all of New Zealand’s major retail banks, triggered when customers
did internet banking, he said.
The number of discovered zero-day vulnerabilities – where an unknown hole in the software is exploited by hackers – more
than doubled to a record 54 in 2015, a 125 percent rise on 2014.
Spear-phishing attacks using apparently genuine email addresses rose by 55 percent in 2015. That included a growing
number of small to medium enterprises (under 250 employees) which accounted for 43 percent of spear-phishing attacks, up
from 18 percent in 2011. However, SMEs remain at the lowest risk of attack, with a 3 percent chance compared to 38
percent for a large organisation.
The NZ Fire Service and Te Wananga O Aotearoa were two local examples of companies hit by such attacks last year, Shaw
Breaches within the health services sector accounted for 39 percent of the total in 2015 and 36 percent of the
information exposed was medical records, which also fetch the most on the underground market – an average US$50 per
record. That compares to credit card details being sold for between 10 US cents to US$20, US$7 for personal information
from gaming platforms, and 25 US cents for information from Netflix accounts.