SIMON BROWN: I’m chatting with David Emm, principal security researcher at Kaspersky. David, I appreciate the time. We’re seeing a rise in cyber threats. You’ve got a report out for Q2, and in Africa – South Africa, Kenya, Nigeria – we are seeing that rise. Phishing attacks, mostly. This is not like the old days in the movies where it was a kid in front of a computer screen trying to hack the password. This is social engineering and getting us to be the weak link.
DAVID EMM: Yes, absolutely. This is pretty organised stuff. And actually we’ve seen in general the world over a rise in financial phishing. It sort of goes up and down, [having] fluctuated over the last sort of six, seven years. But we’ve seen an increase, really, over 2021 and 2022 generally.
But you’re right, it’s not some opportunistic thing. This is becoming increasingly targeted. Therefore people are organising this, and they’re trying to push the buttons that they know people are likely to respond to in terms of the topics they choose and so on.
SIMON BROWN: For me, I get them. There are two I get a lot of. One is allegedly from my crypto exchange, the other is that there’s a parcel stuck in customs, and I must pay a small amount. They come at me via SMS. I’ve [a friend] who fell for the parcel one. She wasn’t expecting a parcel, but it was the excitement. They pull at those emotions. The crypto one says you’re going to lose your Bitcoin.
DAVID EMM: Exactly. Let’s face it, in the cold light of day few of us would actually respond to these phishing emails or phishing text messages or social media messages – but it’s never in the cold light of day. They’re always trying to get us to respond emotionally rather than rationally.
One thing that’s certainly happened – you mentioned about the delivery stuff – [is that] with the pandemic, of course, so many of us working from home were reliant on those deliveries, and therefore were expecting to get messages about these deliveries, and it’s not actually that ‘out of the blue’ as such. They’ve capitalised on that, with really every kind of aspect of that pandemic that they tried to hook on to in some way.
SIMON BROWN: Are we seeing a rise in using this personal phishing, this social engineering, to get into institutions? Of course you can attack me and you get my Bitcoin, you can get my credit card. It’s nice, but if you can get into an online retailer, a financial institution, there’s a much bigger trove.
DAVID EMM: Yes, that’s absolutely right. We have seen that sort of shift to focusing more on corporates than on individuals. That said, we’re still talking about a 60:40 split – so 60% of it targeting consumers, close to 40% targeting corporate. But it’s clear from an attacker’s point of view that there are, as you’ve said, richer pickings if you go after an organisation, and actually we are seeing the same sort of trajectory with ransomware.
A few years ago this would’ve been distributed indiscriminately at anybody. Of course it’s nice if you can get $300 from lots of different individuals, but if you can score a million or you can score tens or hundreds of thousands from going after an institution, then it’s much more lucrative.
The same is true with the phishing stuff. If you can in some way gain access to an organisation, gain access to credentials that will let you get into that organisation and ideally access its money, then that’s going to be much more lucrative than just going after you or me.
SIMON BROWN: You mentioned ransomware. It has faded. I remember one of them, and I forget their name but they had a website, they had a support centre to help you un-encrypt your hard drive to get the Bitcoin. This is not, again, some script kiddies sitting in their mother’s basement. These are semi-organisations in some cases.
DAVID EMM: Oh yes, absolutely. And in terms of the ransomware guys, some of them are making millions. So no, absolutely. This is serious stuff, hence the kind of move towards targeting organisations; it’s a sort of an inverse scale because while on the one hand there are richer pickings, on the other you need to be more organised. It’s not as easy to do.
But nevertheless, whether it’s going after you or me or going after the organisation we work for, in any case the human is typically the first port of call and tricking you or me into doing something gives them that initial foothold. So the human aspect of security is still a key element to this.
SIMON BROWN: Again, because it’s that human element, back in the day – I’m thinking the nineties, the early two thousands – it was the Love Letter virus and stuff. My software on my computer, my antivirus software, would pick it up and flash a great big ALERT! at me. The antivirus software is not necessarily going to help. This is around – particularly for organisations, but also individuals – education, awareness, just being technologically smart.
DAVID EMM: Absolutely. Our antivirus programs are great and increasingly they will be picking up sort of known phishing URLs and stuff like this. Nevertheless there is always the possibility of getting in via the human.
It has to be said that not everything is going to be related necessarily to malware, to malicious software. You could be looking at just text; there’s always the possibility that something can slip through the filters, and therefore our response to something like that is to a degree potentially flying under the radar. So that really is critical, whether it’s the more opportunist crime right through to the highly sophisticated, targeted, advanced persistent threats that we see.
Nevertheless, the starting point for many of those threats, one thing they have in common, is that they will pursue this kind of human aspect and try and trick us into doing something that jeopardises security.
SIMON BROWN: And it’s constantly changing. I mentioned the SMSes I’m getting; it was ransomware at a stage. I remember a few years ago it would be a telephone call from a call centre, telling me I had a Windows virus. I’m on a Mac. It was always a scam for me, but it is that evolution to it.
DAVID EMM: Definitely it is. One of the great things from the criminals’ point of view during the pandemic was that it was kind of the ‘gift that [keeps] on giving’. Normally with the topics that they rely on, they’re sort of here today, gone tomorrow. It could be the World Cup, it could be a natural disaster, it could be geopolitical worries, it could be Valentine’s Day, it could be Black Friday – but they’re here today and gone tomorrow.
[But] with the pandemic we had so many different aspects to that. You know, we had the issue of government schemes to help people out. We had the tax aspect of it, the health aspect of it, and delivery companies. Around every corner there was a new aspect that they could hook onto. And of course, as we all started to work from home, that too fed into their sights because here was another aspect – that we weren’t necessarily as protected as we would’ve been inside the corporate perimeter.
SIMON BROWN: A quick last question. We are making it sound like a horror show out there – and in some ways it is, in some ways it isn’t. Is there much success from the authorities in catching the people, in tracking them down? Of the ransomware folks, if I recall correctly, some were sitting in Russia. You might know who they were, but how did you get to them?
DAVID EMM: That does definitely make it tricky. That world is a joined-up place for the criminals. It’s a single entity. Obviously at a human level we’ve got geopolitics and cultural and other types of differences to contend with. They do have some successes, there’s no question about that.
But rather than look at it as a horror show, I think people need to think of it in terms of getting the inside track on how these guys operate so that we can actually take steps to deal with it. We’ve touched a couple of times on [this being] about education. Actually raising our level of awareness about the approaches that they take is really, really important. Obviously companies are going to look at putting protections in place, relying on threat intelligence from companies like Kaspersky or what have you, and doing the updates in a timely fashion, but actually raising people’s awareness so that they become less susceptible to these approaches is really vital.
SIMON BROWN: Yes, it is vital. I take your point. It sounds terrifying, but I think many people are smart. And I think we get smarter every time we get that SMS or that email – and we think nope, I’ve seen that before.
We’ll leave it there. David Emm, principal security researcher at Kaspersky, I really appreciate the time today.