By Dato’ TS Dr. Haji Amirudin Bin Abdul Wahab, Chief Executive Officer of CyberSecurity Malaysia
Today’s world is beset by new and complex cyber security threats. To aggravate the situation, cyber-attack trends are becoming increasingly difficult to predict. Cyber-attackers are now leveraging on latest technologies from Artificial Intelligence (AI) to Machine Learning to penetrate even the most fortified networks and systems.
The global Covid-19 pandemic has presented cyber criminals with yet another weak-link to exploit amidst uncertainties and vulnerable situations. Throughout the Movement Control Order (MCO) period, Malaysia Computer Emergency Response Team (MyCERT), a department within CyberSecurity Malaysia observed multiple malicious campaigns spreading malware through emails with attachments and links to phishing websites related to the COVID-19. Cyber actors preyed on public’s demand for information about the virus and possible cure. Some offered purportedly health advice from reputable organizations such as World Health Organization (WHO) in order to trick unsuspecting user to click on the malicious links.
As of September 2020, a staggering total of 8,366 incidents were reported to CyberSecurity Malaysia with fraud topping the list at 6,048 cases. Intrusion, also known as hacking was found to be the second most reported during the same period with 1,014 cases, followed by cyber harassment (449) and malicious codes (427). Incidentally, April 2020 was the worst month, coinciding with the MCO period.
These statistics are a stark reminder that despite continuous awareness and education, Malaysians are generally still complacent in matters related to cyber security. Interestingly, Malaysia is ranked as one of the most cyber-savvy nations in Asia. The Department of Statistics of Malaysia reported that household Internet penetration rose to 90.1% in 2019 as compared to 87% in 2018. The percentage of household’s access to mobile phone was 98.2% in 2019. About 97.1% of Internet users in Malaysia are also active in social networks.
Against a backdrop of high online exposure, cybercriminals are leveraging on social engineering that constantly preys on the only vulnerability that cannot be patched – humans like you and me.
Social Engineering Attacks
Social engineering is the art of manipulating people to reveal confidential information which includes passwords, bank details or giving access to restricted systems. These types of attacks take advantage of human vulnerabilities such as emotions, trust or habit to convince individuals to perform a certain action such as clicking a fraudulent link or visiting a malicious website.
Phishing is one of the most common digital attacks utilizing social engineering. It is an email-based attack that targets everyone or a specific person within an organization in order to entice individuals to click on malicious links or enter credentials or other personal information. Social Media Deception is where cyber attackers create fake profiles to befriend victims while posing as a current or former co-worker, job recruiter, or someone with a shared interest on social media. Its goal is to trick the victim into providing sensitive information or downloading malware to their device.
Other avenues for social engineering attack include pretexting where attackers focus on creating a good pretext, or a false but believable fabricated story as well as water-holing, an attack strategy where attackers gather information about a targeted group of individuals within a certain organization, industry, or region as to what legitimate websites they often visit. Attackers look for vulnerabilities in these sites in order to infect them with malware. Eventually individuals in the targeted group will visit those sites and become infected.
Apart from phishing attacks, many Malaysians are also tricked into various scams, particularly Macau scam and Love scam. Macau Scam is categorised as a telecommunication fraud whereby perpetrators from a syndicate would pose fake identities and contact victims by phone. In Malaysia, Macau scam chalked up RM94 million in losses in 2019. The scam has different modus operandi from lucky draw, fake kidnapping to spoofing. In particular, spoofing has claimed many victims in Malaysia whereby syndicate members appear as if they are calling from a local number, a trusted business, or a government agency through voice over internet protocol (VoIP). The victims would be notified that they have been accused of being involved in illegal activities such as money laundering and directed to transfer money to designated accounts to settle their problem.
Love scam is an Internet romance scam targeting mainly women. Cyber-criminals adopt a fake online identity to gain a victim’s affection and trust. The scammers use the illusion of a romantic or close relationship to manipulate and steal from the victim. Of the 1,303 love scam cases reported in Malaysia last year, 1,070 victims were female with total losses amounting to RM67.7 million.
Cyber actors also rely on mobile phone-based attacks such as text-based smishing which impersonates a legitimate source in order to lure a victim into downloading viruses and malware onto their cell phone or other mobile device. Vishing is another common technique in which adversaries call a mobile phone pretending to be from a legitimate source, such as a bank, as a means to try and convince the target into divulging sensitive information such as credit card information. Such scammers also rely on “caller ID spoofing” to generate phone calls that appear to be from a legitimate or local source.
Cyber Security is a community-wide responsibility
Everyone has a critical role to play in cyber security. Cyber security should not just be the concern of CIOs or an IT division of an organisation but rather the collective effort of the entire organisation and community. An organisation may have the best cyber security defence, but a mere click of a button by an unsuspecting employee could lead to dire consequences.
In order to build a culture of positive Internet use, CyberSecurity Malaysia continues to inculcate cyber safety and security awareness among Malaysians. For example, Cyber Security Awareness for Everyone (CyberSAFE) program is aimed at increasing awareness and nurturing best practices on safe and positive ICT usage amongst Internet users. CyberSecurity Malaysia has also been actively posting cyber safety awareness messages on our social media platforms such as Facebook, Instagram, Twitter, LinkedIn and Youtube.
Cyber-Distancing as a Preventive Measure
All of us have been practicing physical distancing for the past few weeks to protect against viruses. Likewise, we must cyber distance ourselves from our attackers. Keep a safe cyber distance by staying wary of suspicious e-mail requests, unknown contacts, and unsolicited information. This pandemic serves as a timely wake-up call for all Malaysians to remain vigilant against cyber-attacks.