A report from the Australian Cyber Security Centre (ACSC) has outlined the most common cyber threats that individuals and businesses are likely to face.
The annual report, released yesterday, lists spear-phishing, ransomware and malvertising as the three most common cyber security threats to Australians.
Direct denial of service attacks and credential harvesting were identified as risks, with the ACSC also highlighting security holes in common programs like Adobe Flash Player.
SMEs should be wary of these threats, as businesses across all different sectors are commonly targeted in instances of cyber crime. Banking and financial services are a prominent target also, which can cause issues for businesses’ cash flow.
The ACSC broke down the areas of the private sector most commonly targeted by cyber attacks, finding the energy, and banking and financial services sectors were the most targeted, coming in at 18% and 17% of systems that have been compromised by attacks.
Following that, the communications and transport sectors are commonly under threat at 11.7% and 10.3%, while information technology comes in at 6%. Retailers can rest easy however; being targeted the least at 1.9%
MailGuard chief executive Craig McDonald told SmartCompany the ACSC’s report was welcomed, believing any effort to raise awareness is needed.
“The report is re-highlighting threat factors in plain language for people to understand. Any awareness from the government or organisations is welcome,” McDonald says.
McDonald believes all the methods mentioned in the report can be debilitating for businesses, claiming, “one click can undo a business”. Criminals using brands and services commonly trusted by Australians are the reason cyber attacks are so successful, McDonald believes.
“These cyber criminals are purporting to be brands that we as Australians trust, ones that are inherent in our society and upbringing,” he says.
“We also live in a busy digital society, and often we don’t have time to pause and question the legitimacy of what’s in front of us.”
McDonald believes educating staff on different forms of cyber attacks is a “key part” of reducing the impact of cyber crime, but believes workers will still “go through the motions”.
“Education can go a long way, but at the end of the day we’ve all got that curiosity about us, and so many attacks are very crafted and clever,” he says.
Despite sounding like a summertime activity to be enjoyed on holiday, spear-phishing is a targeted version of phishing emails, which attempt to trick users into downloading infectious software or transferring large sums of money without realising.
The users targeted are commonly higher-up industry professionals or workers in a business or organisation, and the emails are crafted to be familiar to that individual.
Phishing attempts are common and effective, with businesses potentially losing thousands of dollars at a time, or having data siphoned away for future hacking attempts. The ACSC warns these methods are becoming “more convincing and difficult to spot”.
“Adversaries are targeting industry personnel in order to gain access to corporate networks; individuals with a large amount of personal or corporate information online make it easier for adversaries to target that individual or their organisation,” the report says.
“Adversaries also make use of publicly available industry information such as annual reports, shareholder updates and media releases to craft their spear phishing emails, and use sophisticated malware to evade detection.”
Emails are the most common way for cyber criminals to complete spear-phishing attacks, with thousands of businesses coming under attack every month.
“It’s quite targeted, usually at a specific employee or division, and the attacker is looking to gain specific information for a purpose, sometimes for future attacks,” McDonald says.
“These sort of attacks are an easy payoff, attackers have many vectors of choice these days.”
Ransomware attacks are similar to phishing attacks, but typically are less targeted and can come from a malicious download or website. Ransomware acts in accordance to its name, holding data and files under ransom so users must pay to access them.
Software disguised as an invoice or other file type is sent en-masse to recipients, who are infected as soon as the file is opened. A recent scam sent to SMEs over email impersonated an Intuit QuickBooks invoice, which infected computers upon opening.
The ACSC says these attacks commonly target businesses, saying, “Individuals and businesses continue to be infected with ransomware via malicious emails and websites.”
“These campaigns are constantly evolving and highly successful,” the ACSC says.
“At a recent Regional Information Exchange hosted by CERT Australia, almost all of the attendees noted they were still being targeted and/or affected by ransomware campaigns.”
Amounts requested from hackers holding the data vary from $300 to $3000, but targeted attacks to some businesses can see ransom amounts upwards of $10,000. The ACSC states “almost all” ransomware attacks are delivered via email.
The third most common cyber threat is served to users through malicious advertising, known as “malvertising”. This advertising allows cyber criminals to target specific audiences by infecting certain advertising networks online, infecting users when they click the ad.
“Typically, either malicious code is inserted into an ad being presented to users in the course of their normal browsing or a benign ad is used to redirect the user to somewhere that will download malicious code automatically,” the ACSC says.
These ads can be hard to spot, as they are commonly scattered amongst legitimate ads served by a normal advertiser.
These attacks can target vulnerable yet essential software such as Adobe Flash Player or Java, which can aid interaction-free infection via malicious advertising.
“Cyber adversaries– predominantly cybercriminals – will continue to misuse advertising networks to exploit victims’ browsers and deliver malware,” the ACSC says.