Quarter Three Report 2018

This quarter, CERT NZ received 870 incident reports. This is the highest number of reports to date. The reports show that a broad cross section of New Zealanders and organisations are impacted by cyber security issues. They also show a significant increase in both incident type and financial impact compared to Q2.

Some examples include:

financial losses increased by 35% to $2.9 million
reports related to scam and fraud were almost double what we saw in Q2. This was due to a large number of webcam scam reports
reports of unauthorised access increased by 28%
although we received reports across all age groups, the 65+ age group experienced the highest value of direct financial loss. The total loss for this age group was $930,000 this quarter, compared to $123,000 in Q2.

Quarterly Report: Highlights [PDF, 721 KB]

Quarterly Report: Data Landscape [PDF, 2.6 MB]

Results in numbers

Number of incidents reported by quarter

We received 870 reports in the third quarter of 2018.

This is the highest number of incidents reported to CERT NZ since its establishment.

870 incidents

We received 870 incident reports this quarter. This is up 18% from the previous quarter.

Direct financial losses

Direct financial losses increased by 35% this quarter, to $2,993,518.

Results by type

Scam and fraud had the highest increase in number of incidents reported this quarter. This jump was led by a large number of webcam scam reports.

198 scam and fraud reports

There were 198 scam and fraud reports in quarter three, a 90% increase from quarter two.

Phishing

Phishing remains the largest category of incidents reported. Reports of these have remained steady compared to last quarter.

Breakdown by incident category

Bar graph showing number of different incident types

Unauthorised access reports

Bar graph showing number of unauthorised reports this year

Reports of unauthorised access continue to increase. We received 91 reports this quarter, a 28% increase on quarter two.

More than a third of these reports related to attackers being able to access business and personal email accounts through weak account passwords.

Case study: Business compromise leads to advisory

An IT provider noticed that one of its clients was receiving emails pretending to be a recognised supplier.

The emails contained fake invoices and were attempting to trick the client into paying the invoiced amount into the attacker’s account.

The affected business investigated and discovered that the emails and fake invoices had been sent to people within the business and to some of its external customers.

The emails seemed legitimate. For example, they included knowledge of recent goods requests and costs. However, there were small differences in the email addresses which staff picked up on before any payments were made.

The business discovered that an employee’s email account had a simple password, making it easy for the attackers to gain access and forward emails containing words like 'account', 'invoice' and 'pay' to an external address belonging to the attacker. These emails allowed the attackers to gather information about the business’s billing cycles and behaviours, helping the attackers to create invoices that looked legitimate.

The compromise went unnoticed for at least six months as the attacker was deleting the forwarded emails from the employee’s account.

CERT NZ analysed the detail from this report and others, and published an advisory about:

the extent and nature of invoice scams
how to protect against them, and
what to do if you’ve received a fake invoices.

Advisory: Invoice scams affecting New Zealand businesses

CERT NZ recommends these simple steps to protect your business:

Strengthen your email account security – by keeping your software and systems up-to-date and using strong, unique passwords for each account.
Secure your network – especially when using systems that can be accessed remotely (including remote desktop protocol (RDP). Use strong, unique passwords and enable two-factor authentication (2FA) where you can.
Review your business processes – ensure that your processes don’t rely solely on email. Verify payments to new or different accounts by phone before making the transaction. This can help prevent losses.
Protect against email spoofing – this is when attackers send you emails pretending to be from legitimate businesses. Protect against this with solutions such as DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

CERT NZ’s top 11 cyber security tips for business