Search Results

Share Article:

Facebook Twitter Linkedin Mail

Tag: cyber-safety

For kids, spotting scams in Fortnite is child’s play


Posted on October 18, 2018

4 min read

Staying safe online is hard. The average person has little understanding of the many ways they can be targeted, or of the controls they can use to make themselves harder to hack.

But I was pleasantly surprised last month to find the younger generations a little savvier. Dozens of year five and six kids threw up their hands to recount stories of how scammers had tried to con them during a presentation I gave to a primary school in Melbourne’s south.

Most of those stories are related to Fortnite – a video game that seemingly counts every other kid in Australia among its 125 million players – and that was the context in which I spoke of cyber security. These digital natives are growing up in a world where amorphous digital thieves plying for their personal information and passwords is normal.

Click to download our kid-friendly Fortnite security tip sheet

Flashing banner ads, pop-ups, and scammy direct messages and posts that confound some of us seem boring and obvious to them.

Take Dylan – this switched on fifth-grader was targeted by scammers while playing Fortnite.

The bad guys spoke to him over in-game voice chat in a bid to convince him to disclose his game account details, promising to deposit a free stash of the in-game Fortnite currency known as V-Bucks.

I asked him what he did next. “I ignored them, played a few rounds, beat them, then left.”

Dylan was just one of the many kids who appeared cool and unflustered in the presence of such attacks.

Children are by no means immune to compromise; I’ll bet my last dollar that a targeted attack would net all of them (except perhaps for remarkable six-grader Annabelle, who spotted and called bluff on a tailored social engineering effort).

This means they, like us, must take the time to learn how to use the cyber security defences at their disposal to help protect themselves.

These defences can make the user experience a little more clunky, but they are immensely powerful and will send all but the most dedicated hackers looking elsewhere for victims.

A great defence to start with is switching on two-factor authentication for any of your accounts that offer it. I also recommend using a reputable password manager such as LastPass or 1Password.

The best defence is inside your head

Online defences are easier to use than ever thanks to concerted efforts by the cyber security industry over the last decade. But they are still more stick-and-clutch than driverless car.

Ultimately, you are your best defence.

As the driver, you need to look out for threats on the road. This requires a mindset that is likely much more skeptical than what you employ in the physical world.

This mindset requires distrusting the unexpected, regardless of its source. Consider phishing messages – these can bear few hallmarks of a scam, and almost perfectly replicate trusted brands and organisations.

They can be fluent and free of typos and appear to come from organisations you know, use, and trust. They may even start as a benign conversation (such as romance scams) in a bid to build rapport with victims.

Your best defence here is to adopt the skeptical mindset and worry less about the classic hallmarks of a scam.

This means ensuring messages with links, attachments, bank accounts, and phone numbers are expected before using them, and verifying those that are not using official websites or trusted search engines such a Google or Bing.

This advice seems unwieldy because it is. There is no glossing over this fact. But it is the best way to defend yourself against continually evolving online threats.

And with it you will build experience and cyber security savvy – something our kids seem to already have in spades.

Tags: cyber safety,

‘You got me’: Woman busts romance scammer after six month stint

Cyber Security Consumer advice

Posted on May 25, 2018

6 min read

It took six months for Kathryn to fall in love with Michael, but only minutes to reveal him as a romance scammer.

Accusing Michael of being a scammer was an unusual act of assertiveness for the reserved 55-year-old healthcare worker from the NSW Central Coast.

It was an unlikely act too; Kathryn (not her real name) had every reason to believe Michael was the caring, genteel man he presented as. They spoke regularly over the phone and, from his would-be London apartment, Michael arranged gifts of flowers, chocolates, and movie tickets.

Kathryn, divorced from a decades-long marriage and facing an intimidating and foreign dating scene, thought she had found in him a diamond in the rough. He was worth the long-distance relationship.

Through friends, she tells us how her relationship with Michael, which began on a dating site in late 2016, before quickly switching to email and social media, became possessive in its latter weeks. Facebook messages appeared more regularly in a tone that, with the benefit of hindsight, seemed more demanding: “what are you doing online”, “who have you been speaking to” they asked.

Michael was set to travel to Australia mid last year. They were both excited. Days before he was set to fly, he sent an exasperated message claiming he bought the wrong non-refundable plane ticket and that his passport was cancelled for elaborate reasons. He needed $7,450 to cover fares and fines.

Kathryn’s online sleuthing about his predicament gave her pause to reflect on his frantic request for money, and his escalated messages.

He called again, and she answered. “I think you’re a scammer,” she told him. A beat, then, a laugh. “Yeah, you got me,” he said. “But you know what? I’ve got 12 of you on the go.”

High-pressure sales

It’s impossible to know how Michael operated. He may have been a lone wolf. Or he may have worked in a call centre alongside other scammers.

“I’m convinced [romance scamming] is their day job,” says Sean Lyons, director of technology and partnerships at Netsafe, an online safety non-profit based in Auckland, New Zealand.

Lyons has not seen evidence of romance scammers operating in coordinated international networks, but says he sees indications – business hour operations and consistent messaging structures for example – that some scammers work in call-centre style environments.

“There may be much larger operations where you have [scammers] working in shifts and handing off to each other,” he says. “They may have CRM (customer relationship management) systems and work an account (a victim) in the same way that staff in high-pressure sales do.”

In such an environment, text messages to victims could be written by any scammer while voice calls would be made by a consistent perpetrator.

There is further evidence of romance scammers coordinating their operations. FBI Special Agent, Christine Beining, said in February last year that romance scammers typically work together sharing intelligence on vulnerable victims.

“From what we can tell, these are usually criminal organisations that work together,” Beining says.

“And once a victim becomes a victim, in that they send money, they will oftentimes be placed on what’s called a ‘sucker list’ [where] their names and identities are shared with other criminals [for] future recruitment.”

Lyons agrees that romance scammers are likely to organise. At present, evidence from Netsafe’s now shelved Re:scam artificial intelligence-like chat bot – which sent more than a million email replies to scammers in a bid to waste their time and energy – indicates a scattergun mass-email approach to targeting victims.

Reach out

Victims of romance scams are not stupid or gullible. They can be anyone.

Romance scams are deliberately ‘hyper-personal’, meaning they are of an overly intense nature that is designed to capture and isolate victims.

University of Warwick professor, Monica Whitty, in a paper published in February this year revealed victims are typically “middle-aged, well-educated women” who “tend to be more impulsive, less kind, more trustworthy, and have an addictive disposition”. Whitty’s work is designed to assist in the development of scam preventive and awareness programs.

Defence against romance scammers is tough for those involved in online dating. The Federal Government’s Scamwatch site has good advice which centres on not sending money to partners and provides clues to help spot fake social media profiles.

More broadly, experts agree that those in online relationships should keep trusted friends abreast of significant events including any plans to travel or requests for monetary loans.

“Talk to someone not connected to the romance before a major event,” Lyons says.

“A dog dying in surgery, a passport not coming through, or bribes to corrupt regimes; talk to someone who isn’t in love with the person before you put pen to paper on that Western Union slip.”

As a last resort, Lyons says, those intent on wiring money to their love interest should stick to official and local credit card networks which can offer traceability that Western Union and other non-conventional payment providers cannot.

Academics have examined other hallmarks of romance scammers. They reveal psychological manipulation as a universal tool in romance scams which includes techniques akin to domestic violence.

Queensland University of Technology academics, Cassandra Cross, Molly Dragiewicz, and Kelly Richards, describe the four signs of this manipulation including isolation, monopolisation, degradation, and withdrawal.

If this story has raised any issues for you and you’d like to speak to someone, call Lifeline on 13 11 14 or Beyond Blue on 1300 224 636.

Businesses held to online ransom

Cyber Security Business tips

Posted on May 24, 2018

5 min read

Ransomware last year brought to a halt a chocolate factory, a metropolitan council, and an accountancy firm among scores of other Australian organisations by turning mission-critical data into an unreadable mess. But much of the impact from the events could have been reduced with a well-oiled business continuity plan.

Ransomware is a class of malicious software that encrypts data so it cannot be read or used by applications. Its perpetrators often promise to supply a decryption key to return the data to a normal state only after a ransom is paid.

The number of organisations impacted by ransomware is unknown since victims are often unwilling to report incidents to authorities, however, security companies claim in surveys that almost half of Australian businesses have been impacted by ransomware.

Some businesses are hit multiple times; Exchange knows of one accountancy firm that was hit three times by ransomware losing data each time, despite having attempted to recover and mitigate after each attack.

The financial impact to businesses can run into millions of dollars per incident with much cost ascribed to downtime and recovery efforts. Ransom demands by those behind the most effective ransomware forms is regularly tens of thousands of dollars.

Risky click and a mean trick

Ransomware is delivered through a wide variety of mechanisms. The most common forms of ransomware such as Cryptolocker may be sent by criminals in phishing emails, or woven into booby-trapped downloads or websites which then infect the computers they are exposed to.

Other ransomware forms such as the global cyber attacks known as Wannacry and NotPetya spread without the need for people to open email attachments or dodgy downloads. They did this by targeting vulnerable functions of computers and networks that were left turned on, loosely akin to thieves slipping through open doors.

Much of the defence against ransomware comes down to good security practice. This includes not running software from untrusted sources like unofficial websites and unknown email or chat conversations, and in ensuring systems are set to automatically apply updates (patches) when they are available.

Security vendors including ESET have created jargon-free guides for technical defences against ransomware which recommend patching, disabling a function called RDP, and filtering executables in emails.

However, business continuity plans are some of the more overlooked yet simplest controls that can help mitigate the large cost of business downtime from ransomware infections.

Lights on

Ransomware can and has stopped global shipping supplies. It has thrown hospital emergency rooms into chaos, brought down the biggest Hollywood movie studios, and forced countless businesses back to pen and paper.

“Business continuity planning might not save you from ransomware but it may save your reputation or your share price,” says Mark Cohen, a Melbourne-based business continuity manager at Telstra. “It will show you can operate in a crisis.”

Cohen says business continuity planning applies to all organisations, from the “fish and chips shop to a doctor’s surgery to enterprises” and helps in a large number of disasters, beyond ransomware.

To avoid disaster in ransomware incidents, all businesses must back up their critical data on a regular basis on different mediums following the 3-2-1 rule. This means the original copy should be backed up on two different mediums, say a cloud service and a disk drive, with the disk drive stored in a physically separated location. Cloud services and any drive connected to business computers via cables or WiFi can be affected in ransomware attacks.

“With back-ups in place, the mindset of how to operate when tech systems go dark and data is inaccessible is key”, Cohen says. Business owners and staff should think about where their critical data is, and whether it is readily and immediately available offline in the form of offline and isolated storage like USB sticks and external disk drives, or on paper documents.

“Ask yourself what are you going to do in a disaster to continue to provide service to your customers?” Cohen says.

Restoring from back-ups can take a long time. And, while some major ransomware forms are as-yet impossible to unravel and are sent by attackers who honour ransoms with decryption keys, other forms are poorly-built and can never be decrypted.

It is the expensive downtime between the restoration of back-ups or the wait for decryption keys that Cohen’s planning hopes to reduce.

“[Recovering from] ransomware is more than just file retrieval – it’s about what you are doing when that is happening and how you are addressing your customers,” Cohen says.

“Plans must be tested too. The first test run is the most arduous with each iteration becoming easier with small tweaks added to the central plans,” Cohen says. “It is there that you discover your recovery time capability (RTC).

“Business continuity planning clauses are written into major contracts so having one, practicing it, and demonstrating its effectiveness will help you win and retain business – along with helping you, your manager, and your shareholders sleep well at night.”

The marathon scam phone call

Consumer advice

Posted on May 23, 2018

4 min read

When the phone rang on the morning of April 11, Neil and Beryl Kennedy had no idea that their day’s plans would be waylaid by a marathon five-and-a-half hour scam phone call.

By the end of it the pair had only narrowly avoided losing $4400 of their life savings.

The retired married couple from Eaglemount Heights were surprised when an unexpected caller – who told them he was from Telstra – said the company owed them $440, and offered to repay it. He gave them instructions on how to download a program called Team Viewer that would provide him remote access into their computer so he could transfer the money.

The couple wasn’t suspicious at this point because as far as they knew, scammers call to tell you that you owe them money, not the other way around. They’d also had a legitimate bill query with Telstra a few months ago for a similar amount, which the scammer seemed to be aware of.

Once the Team Viewer program was installed, the caller got the Kennedys to access their online banking, where he “accidentally” deposited $4400. He told them they had to hand back the overpayment immediately or they would face investigation by the Australian Federal Police.

But a simple bank transfer would not suffice – the Kennedys were told to go to a nearby shopping centre to buy iTunes cards to the value of $4400, and then relay the codes to the caller. The couple was also told to stay on the phone while they made their way to the shopping centre.

The first two stores the caller directed them to proved unfruitful: one was permanently closed, and the other didn’t have enough iTunes cards in stock to reach $4400. Staff at the second store raised suspicions that the phone call was a scam, but fear of prosecution by the AFP had taken over the couple and they were convinced they needed to repay the money.

Before trying a third store, the Kennedys made a detour to a nearby branch of their bank. They thought that if they could just transfer the $4400 it would save all the running around.

But bank staff were immediately suspicious and checked the couple’s accounts. After spotting unauthorised activity, the bank shut the Kennedys’ accounts and informed them it was a scam. The couple then hung up – five-and-a-half hours after the phone had first rung.

“We’re very lucky we didn’t lose anything, apart from the cost for the laptop to get fixed and a lot of heartache,” Neil said. “We’ve learnt our lesson. We’re not giving anyone access to our computer or personal information again.”

The Kennedys are still receiving calls from scammers, but now, they hang up immediately.

If you have fallen victim to a scam call, report the matter through the Australian Cybercrime Online Reporting Network (ACORN) and your local police. If you are a Telstra customer, you can reach out to us through our security reporting service.

A silent cyber crime blitzkrieg as Aussie businesses robbed of millions

Cyber Security Business tips

Posted on May 22, 2018

5 min read

Business email compromise devastates Australia, but a few simple steps can foil attacks.

It was a mundane email sent to a delinquent client: “Payment of your invoice is overdue”. Nothing about it alluded to the deep financial and personal pain the owners of the small Melbourne construction business were set to endure at the hands of online criminals who had just fleeced them of more than $100,000.

But perpetrators of business email compromise (BEC), a form of cyber-crime described by seasoned security experts as “out of control” and operating on a “phenomenal” scale costing businesses billions of dollars a year, rarely offer victims clues of their crimes until it is too late.

The scams, experts agree, are on an epidemic scale with businesses in each Australian state and territory losing thousands of dollars every day. Criminal investigators say Australian businesses regularly lose “often more than $100,000 per incident”.

Yet public reports of these attacks have been minimal.

These attacks are a world apart in their technical complexity from the type of advanced state-sponsored hacking that captures headlines; BEC is mostly textbook swindling with an occasional click of automated hacking platforms.

It take different forms, all of which criminals deploy to devastating effect. Criminals, in an example known as whaling, will impersonate a company director in an email to a subordinate financial controller ordering them to pay money to their bank account.

In another, known as doctored invoicing, scammers will use automated tools to break into a business’ email inbox and alter the payable bank accounts on client invoices.

A brazen online criminal apparatus means criminals need not even hack email accounts and can simply buy that access from other criminals.

Chain of events

This is what happened to the Melbourne-based Buildr (we are concealing the victim’s true identity).

Buildr staff discovered they had been robbed only after their client informed them the invoice was paid two months earlier.

This chain of events made little sense to Buildr. Emails showed their project manager had sent the invoice to the client, along with a thank you note and glib wishes for the weekend.

There was no reply and the exchange fell silent for the next three months.

Follow up phone calls revealed the invoice the client received contained a bank account number that did not match that sent by Buildr.

A Buildr IT technician suspected foul play and appealed to trusted information security contacts, finding Kayne Naughton – a Melbourne-based threat intelligence expert at Cosive, with a much-exercised history in computer forensics and combatting financially-driven cyber-crime.

“This isn’t even my day job, it’s barely my side job, and I’ve handled about $2 million in losses across Australian businesses in the last few years,” Naughton says.

“It’s out of control”.

The same attacker who targeted Buildr is thought to have stolen hundreds of thousands of dollars from more than a dozen Australian businesses using the same BEC techniques.

Rising tides

Business email compromise is exploding in growth and financial impact across the world. The FBI in October last year estimated BEC had cost businesses in all countries some US$5.3 billion.

The Australian Federal Government says businesses here have lost more than $20 million to BEC between 2016 and 2017, up from $8.6 million the previous year. It had in the three years to December received more than 2000 reports of BEC.

Government numbers on BEC attacks have steadily increased but remain it says “only a small percentage of total activity” thanks to “misreporting and underreporting”.

Source: Telstra’s Security Report 2018.

Losses from BEC are high. Multiple Australian organisations in the last three years have each lost millions of dollars in single unreported BEC attacks, security responders with first-hand knowledge of the incidents tell us.

Typical losses incurred by businesses vary between experts. Some find BEC victims lose about $10,000 an incident, while others handle cases between $25,000 and $50,000 each. Well-placed crime investigators say losses of $100,000 per incident in Australia are common.

Many of these losses are likely absent from government registers. Security experts working in private and public sectors agree that total of all cyber-crime losses reported to government is significantly less than the true costs because many victims, especially businesses, are reluctant to report incidents for fear of public exposure.

Security incident responders contracted to assist hacking and BEC victims are often made to sign non-disclosure agreements that can prevent them from supplying even anonymised crime data to the Federal Government. Many well-intentioned contractors try and fail to convince their clients to lift the reporting ban.