Tag: cyber-security

How to identify, avoid and recover from a phishing attack

Cyber Security

Posted on January 16, 2020

5 min read

Getting snagged by a phishing scam is never pleasant. It usually involves a cybercriminal using emails, texts, social media or phone calls to lure someone into handing over sensitive information. And as we become more and more dependent on technology and digital alerts, this scam builds up its confidence. Thankfully, there are ways to identify, avoid and recover from a phishing attack if it happens to you.

Cyber attacks in Australia are more common and pervasive than ever before. The Telstra Security Report 2019 reported that 65% of Australian businesses have been affected by some kind of cyber security breach. What’s more shocking is that close to 90% of them went undetected.

At the heart of Australia’s cyber security problem is phishing (pronounced ‘fishing’): frauds devised to steal confidential information – such as passwords, credit card details and banking details – from unsuspecting recipients. In 2018, the Australian Competition and Consumer Commission (ACCC) received over 24,000 reports of phishing. And the numbers are getting worse. In 2016, around $370,000 was lost to phishing scams in Australia, while in the first nine months of 2019, that number exceeded $1 million.

Be aware of the bait

You’re probably familiar with classic 419 ‘Nigerian Prince’ scams – emails with fanciful promises to get you rich quick if you just help transfer some money. Amazingly, this hustle is still working long after it first appeared: in Australia in 2018, close to $1.4 million was stolen through this type of scam. For the most part, though, these are fairly easy to sniff out if you know to be wary of anyone pleading for help in exchange for some kind of financial reward.

Phishing, on the other hand, is far harder to detect. According to the Australian Cyber Security Centre (ACSC), the poorly written, unofficial-looking phishing scams that first appeared in Australia in 2003 are a thing of the past. Today, these scams are far more sophisticated. They come in the form of emails, text messages and even social media direct messages that masquerade as correspondence from legitimate organisations or institutions, like banks or government departments, and request personal information or prompt you to click on a pernicious link.

Phishing scams are designed to look legitimate, and predominantly go after people via phone (in 2018, 41.2% of phishing scams were phone-based), email (29%) and SMS (24.6%).

5 common phishing scams

  • Spear phishing: individualised messages from a seemingly trustworthy sender, such as a bank or employer, and usually targeted at employees in an organisation
  • Whaling: targeted spear phishing, where a senior person in an organisation is phished by a cybercriminal masquerading as someone trusted, like a colleague
  • Pop-up phishing: deceptive pop-up ads that contain malware
  • Clone phishing: messages that closely resemble previously received legitimate ones – for instance, a phisher might send a fake promotional email from a brand to a known customer of that brand
  • Voice phishing: also known as ‘vishing’, where a phisher will attempt to solicit sensitive information over the phone

Identify, avoid and recover

Fortunately, while phishing scams can be well disguised, there are red flags you can watch out for. Grammar errors, misspelt names and incorrect facts are common giveaways. You might receive an email from ‘@combank.com’; a strange ‘competition winner’ alert SMS from JB Hi-Fi, when you haven’t entered a competition; or a cold call from a foreign or private number.
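The ‘@combank.com’ red flag above can also be checked automatically at a mail gateway or in a reporting tool. The following Python sketch is an added example, not part of the original article: it compares a sender's domain against an allow-list and flags near-misses. The allow-list entries, the short suffix list, the distance threshold and all function names are assumptions made for illustration.

```python
# Added example (not from the original article): flag sender domains that
# imitate a trusted brand without matching its real domain.

# Assumed allow-list; replace with the domains you genuinely deal with.
TRUSTED = ["commbank.com.au", "jbhifi.com.au"]
# Constructed short suffix list; real deployments should use the Public Suffix List.
SUFFIXES = (".com.au", ".net.au", ".org.au", ".com", ".net", ".org")
MAX_DISTANCE = 2  # assumed threshold: brand names this close are treated as imitations


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain):
    """Return the label left of the suffix, e.g. 'mail.commbank.com.au' -> 'commbank'."""
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            domain = domain[: -len(suffix)]
            break
    return domain.rsplit(".", 1)[-1]


def classify_sender(address):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for trusted in TRUSTED:
        # Exact match, or a genuine subdomain of a trusted domain.
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    brand = brand_label(domain)
    for trusted in TRUSTED:
        real = brand_label(trusted)
        # Brand used as a label of someone else's domain, or a near-miss spelling.
        if real in domain.split(".") or edit_distance(brand, real) <= MAX_DISTANCE:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["alerts@combank.com", "news@mail.commbank.com.au", "winner@jb-hifi.com.au"]:
        print(sender, classify_sender(sender))
```

A ‘lookalike’ result is a reason to quarantine or verify the message through another channel; an ‘unknown’ result only means the sender is not on the allow-list.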

An organisation or institution will generally never ask a customer to share sensitive information through unsolicited correspondence. So as a rule, never give out personal details unless you are 100 per cent sure you know who you’re dealing with – in other words, you called them or have verified their identity. Likewise, never click on a link or open an attachment from an unsolicited message unless you are confident it’s legitimate – for example, you know you’ve safely received correspondence from this brand or person in the past.

According to ACSC, the best way to prevent phishing scams in the workplace is to “educate employees at all levels”. This includes instructing people to not click on links or open attachments on their work phone or computer, or through their work email, that have come from unknown parties.

If you’re unclear about how legitimate an email, text or phone call is, play it safe and simply delete or ignore it. You can always offer to call the institution back – after a thorough vetting.

If you have become the victim of a phishing scam, it’s important to act quickly. Change any compromised passwords across all your accounts, contact relevant parties (like your bank), and report the incident to the ACCC or ACSC.

Businesses urged to address Citrix vulnerability immediately

Cyber Security

Posted on January 15, 2020

2 min read

Citrix is advising customers that cyber attackers are performing scans to find organisations vulnerable to a security flaw in the Citrix Application Delivery Controller (ADC) and Gateway products. It is important that customers are aware that a working exploit for this flaw has been published on the internet, and that they take immediate action.

If exploited, the vulnerability permits threat actors to conduct Remote Code Execution (RCE) attacks. This means it could give an attacker direct access to the local networks behind the gateways without the need for an account or authentication. This could result in malware or ransomware attacks or a denial of service, or facilitate the theft of information.

According to iTNews, more than 3500 Australian companies may be vulnerable and more than 80,000 companies in 158 countries could also be at risk.

Citrix has worked quickly in releasing mitigation steps and is urging administrators to immediately apply them to their configurations. A full patch is not yet available.

According to a Citrix security advisory, these products are affected:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

What should you do:

Citrix is advising customers to immediately apply the mitigation and then upgrade all their vulnerable applications to a fixed version of firmware when released towards the end of the month.

All the information you need is on the Citrix Support website so if you think you are impacted you should take action immediately.

From computer game fan to cyber security lead – meet Tara

Telstra Careers Inspiration

Posted on December 5, 2019

3 min read

Tara Dharnikota has been working in the cyber security sector – or CySec – for more than a decade.

For the last five years, she’s led Telstra’s Open Source Intelligence (OSINT) unit, a specialist team that uses digital technologies to scour openly available sources of information for intelligence that helps protect our people and assets from malicious cyber threats and helps us better understand threats to Telstra or our customers.

When many of us think of cyber security we focus on the defensive side, and how it’s about protecting us from hackers who access our online information to use against us.  

But there’s another side to hacking, and for Tara, it started with her love of the computer game Prince of Persia. 

“I wanted to somehow be able to play Prince of Persia on my old Nokia mobile by changing the internal code,” she says.

“I succeeded after a few days of persistence and persuasion.”

From there, her path was set.

“I started off my career with Network Engineering, but I noticed that my curiosity or hobby was more in how technology works and what happens if I break it,” she says. 

“My critical thinking and problem-solving skills in breaking and fixing technology led me to look into careers in CySec.”

Tara Dharnikota says her love of computer games led her to work in cyber security.

Recently, as part of Cyber Week 2019, Tara and 353 ethical hackers joined forces with the Australian Federal Police and AustCyber Canberra Innovation in a global hackathon to see if they could find 12 missing persons identified by the AFP.

Almost 4,000 qualified leads were generated and shared with AFP for further investigation – about their homes, friends, employment, family, and the last day they were seen. 

“Our OSINT team came third in Australia and first in Victoria. It was a proud moment for all of us,” Tara adds. 

She’s also competed successfully in international open source intelligence hacking competitions, coming in the top 10 per cent, and she’s been a judge in others.

But just how do you ethically hack?

“OSINT uses passive techniques to find information publicly available on surface web and Deep Dark Web (DDW) using search engines and open source tools covering places such as social media platforms, websites, forums and marketplaces, government and real estate data,” she explains.

“We then analyse that data to form intelligence.”

For Tara it’s a career full of twists and turns, daily achievements and always hope.

“Cyber Security is ever-evolving, and each day is different. It’s a bit unpredictable, although the goal is the same – to protect and defend. 

“Waking up every morning with zeal and passion to do your work can be very rewarding and satisfying knowing that you work to protect the people and the network and go home with a sense of achievement.”

Are you a cyber security whizz? Great news – we’re looking for talented people to join our team. You can search and apply for jobs here or you can sign up for our job alerts here.

STEM themes to inspire teens at this year’s Wired for Wonder

Cyber Security

Posted on November 22, 2019

3 min read

We’re helping to inspire the next generation of creators and change makers to explore new ideas and be curious about their career possibilities ahead. ‘Inspire’ was the theme of this year’s Wired for Wonder learning conference and here’s what you need to know about how we’re exploring new ideas with the next generation.

What do you get when you bring together 230 13-16 year-olds, their teachers, technology experts and thought leaders at our Customer Insight Centre in Sydney? The opportunity to engage these young minds with bold ideas, different ways of thinking and the possibilities of what STEM can offer them.

Together with our partner Commonwealth Bank, the day is part of our ongoing commitment to work with students, schools and higher education partners to inspire future generations and build their curiosity in technology.

Here’s what we learned from this year’s conference.

How to make a career in cyber security

Brendan Hopper, CommBank’s General Manager of Cyber Security & Applied Research Centre, spoke about the need for many more people to study cyber security as the use of AI, machine learning and IoT continues to rise.

Brendan shared that kids can gear themselves towards this kind of career by teaching themselves to continually learn new concepts and techniques.

While students always need to be curious about new methods during their education, they always need to remember the guidelines – never break the law or hack without permission! Instead, use good creative outlets like Bugcrowd to learn on real apps.

The world needs defenders, and Brendan is a true advocate for inspiring the next generation to take up the charge.

Discovering your purpose, unlocking your power

Our Chief Technologist for Strategic Accounts, Fawad Nazir, shared a moving and personal story from his youth: growing up in a middle-class family in Pakistan where being the only son meant that expectations on him to ‘succeed’ were high.

Under the weight of these expectations, however, Fawad found that he struggled to succeed in the way his family asked of him. At school especially he struggled, adding that he was “merely surviving”.

Fawad ultimately discovered that being comfortable with being uncomfortable can unlock real change in your approach to life. Watch his talk above to see how he combines his purpose with his belief to yield unstoppable power.

Saving our oceans, three pieces at a time

Tim Silverwood, co-founder and CEO of Take 3 for the Sea explained how his organisation has built a movement to save our oceans.

Our oceans cover 71 per cent of the Earth’s surface and contain 97 per cent of the Earth’s water. But every minute a garbage truck full of plastic ends up in the ocean – equating to 8 million tonnes of plastic each year. Yet there’s a simple way we can all contribute to help fix the problem.

Tim’s organisation, Take 3 for the Sea, inspires participation in simple actions – if each person removes three pieces of waste or plastic from every beach, park or public space they visit they’ll greatly reduce the amount of waste ending up in our oceans.

Tim demonstrated that anyone can be a change maker, even when the problem is as big as an ocean. Small impacts can make a big impact when multiplied.

To learn more about Wired for Wonder, and see videos from previous years, head to their website.

Businesses warned to defend against evolving cyber threat

Cyber Security Consumer

Posted on October 28, 2019

2 min read

The Australian government is warning businesses to harden their cyber security controls in the wake of the evolving Emotet malware.

Emotet exposes infected computers to a host of attacks including ransomware and data theft, and can spread to a victim’s friends and contacts using their email account.

The Australian Cyber Security Centre (ACSC) says it knows of dozens of victims the malware has claimed in recent weeks, including critical infrastructure providers and government agencies.

This victim count is small relative to the hundreds of victims claimed by conventional phishing cyberattacks over the same time, but could rise if Emotet’s popularity rebounds to former levels.

The malware’s most popular feature – raiding a victim’s bank accounts – meant that it was used in 75 percent of banking crime campaigns in the last year.

Emotet spreads through phishing emails. The contents of these vary, but researchers have often seen poorly written emails asking readers to open Word documents that in turn ask for the macro feature in Microsoft Office to be activated.

There is little preventing Emotet’s phishing emails, and those linked to other cyber attacks, from being convincing and fluent.

“Emotet malware is spread when unsuspecting email users click on links or open files containing malicious code,” the ACSC warned. “This campaign uses targeted and untargeted phishing emails to spread the virus.”

Recent versions of Microsoft Word warn users of the threat of activating macros. Macros, an automation feature, are a decades-old favourite for delivering malware, and continue to be so in the face of Microsoft’s much-improved technical and user defences.

Emotet, like most cyberattacks, is best fought through the rapid application of software updates (patching) and the use of current operating systems like Windows 10, which contains significant defences and in-built antivirus.

Organisations of all sizes should ensure they are creating regular backups as a priority and confirm they have business continuity plans in place, and review the Australian Signals Directorate’s Essential Eight security controls to limit the impact of cyber security incidents.