cl-nz logo
Story image

DDoS campaigns, BEC scams & Emotet: CERT NZ reports top security threats

25 Nov 2020

It has been yet another tumultuous quarter for New Zealanders and their wallets, with almost $6.4 million in reported financial losses due to cybersecurity incidents.

CERT NZ today released figures from its Quarterly report, which analysed incidents reported between 1 July and 30 September 2020.

CERT NZ received 2610 incident reports during the quarter, a 33% increase compared to the same quarter last year - but also a 255% increase compared to the relatively quiet Q2 2020.

Most of the incident reports were related to phishing and credential harvesting (1064 reports); malware (886 reports); scams and fraud (423 reports); and unauthorised access (112 reports).

The $6.4 million figure isn’t too surprising to CERT NZ director Rob Pope, who says that there has been a spate of distributed denial of service (DDoS) attacks, ransomware attacks, and scams over the last three months.  

One of those DDoS campaigns took down the NZX and Metservice websites, and even privacy company websites belonging to firms including Ruapehu Alpine Lifts.

Another malware nasty was the return of Emotet, which accounted for a 34% increase in the number of malware attacks compared to the previous quarter. The Emotet malware is spread via email attachments. Users who open the attachment will let the malware into their systems, which then steal data, passwords and other sensitive information.

“Email is widely used and trusted both in business and our personal lives. This, unfortunately, makes it an easy target for cyber attackers who are looking to make a quick buck,” says CERT NZ’s Director Rob Pope.

There was also a massive surge in business email compromise (BEC) scams, which rose 101% from Q2 and caused $944,000 in direct financial losses.

In one example, a New Zealand company in the wholesale trade sector fell victim to a BEC attack. The CEO’s email account, which had previously been compromised in a phishing campaign, was used to create email filters and divert invoice payments. The attacker stole $180,000 from the firm. The payment was not recovered.

The Q3 Highlights report also includes a section on changes to New Zealand’s Privacy Act, which come into effect on 1 December.

“The upcoming changes are a timely reminder to check your business or organisation’s databases and make sure you’re doing all you can to secure customer information,” the report notes.

The advice for keeping computers, networks, and devices secure remains the same: 

“Updating your operating systems and software, having long strong unique passwords, and installing antivirus software can go a long way to help keep you secure online,” says Pope.

If you or your organisation experiences a cybersecurity incident contact CERT NZ at www.cert.govt.nz, or call 0800 CERT NZ (0800 2378 69), Monday to Friday, 7am – 7pm.