Defending New Zealand against phishing
Declan Ingram, Deputy Director at CERT NZ
Just as fishing is a popular Kiwi pastime, so too is phishing for cyber attackers.
Of course, phishing doesn’t involve rods and tackle. Instead, cyber attackers use carefully crafted emails as hooks to reel people into sharing their personal information, particularly financial details. They do this by pretending to be a trustworthy organisation, like a bank or government agency, using similar designs, logos and language to appear legitimate.
But it doesn’t stop there. Phishing is often the first step cyber criminals take to launch other types of attacks, such as malware and ransomware.
Falling hook, line and sinker for a phishing scam can be detrimental to all those involved. People could lose money, or have their personal information stolen and used fraudulently. Organisations risk losing money and customer trust, and damaging their reputation.
Tackling the phishing problem
Phishing is one of the most common and successful cyber security attacks. In 2019, half of the incidents reported to CERT NZ involved phishing emails.
Distinguishing a phishing email from a genuine email can be tricky. It might be that there’s something “phishy” about the email address, URL or domain name. Working this out can be difficult and take a long time – even for specialists.
CERT NZ decided to tackle phishing attacks head-on by creating an alert system – called the Threat Intelligence API – to help businesses protect themselves and their customers. The system works by identifying and sharing the “bad” characteristics of each phishing email. Knowing these characteristics allows organisations to block the emails.
How does it do this? Well, we receive information about potential phishing emails either from incidents reported directly to us, or from information provided by third parties. From there, our Incident Response experts investigate whether the email is indeed phishing, or if it’s a legitimate email from the organisation it claims to be. In the latter case we don’t take any further action, so there would be no impact on the organisation’s communication campaign.
When we identify a phishing email, we share its bad aspects via our Threat Intelligence API feed to notify organisations. Organisations can then use this information to protect themselves from an attack by blocking or detecting the indicators on their web proxies, domain name servers, mail services and intrusion detection software.
Reaping the benefits
As well as giving organisations a boost to their cyber defences, the system provides an overview of the threat landscape, and gives us a greater understanding of indicators that are unique to New Zealand.
It also allows us to feed data about New Zealand-specific attacks to international feeds, thereby increasing awareness of campaigns that might be unique to New Zealand.
Some of the indicators we identify will be in New Zealand systems, but the system owners may not know that they are affected. Our Incident Response team reach out to affected organisations and help them resolve the issue.
Declan Ingram is the Deputy Director at CERT NZ, New Zealand’s Computer Emergency Response Team. The organisation supports businesses, organisations and individuals who are affected by cyber security incidents. CERT NZ provides trusted and authoritative information and advice, while also collating a profile of the threat landscape in New Zealand.