• On red alert

    Cybercriminals are increasingly targeting smartphones. How serious is the threat to the average African user? And what can businesses and governments do to stop it?

    On red alert

    More than 33% of Africans check their mobile phone every five minutes. We’re a distracted continent – and we love our phones. According to Deloitte’s Game of Phones mobile consumer survey, in excess of half of African smartphone holders regularly use their devices on public transport, at work and while shopping.

    ‘This must mean something for businesses as it is clear smartphones are becoming ever more embedded in our lives,’ says Mark Casey, Deloitte Global media and entertainment leader. ‘Usage indicates a serious shift away from just information and communication to virtually everything – from how we consume media, to banking, purchasing and gaming, for example.’

    That’s great news for business, but it’s even better news for cybercriminals. As cybersecurity giant Symantec spokesperson Mario Ballano warned in a 2014 blog post, ‘developers can monetise mobile apps by displaying advertisements on them. Many advertising networks pay content providers for each view and click when they display their ads, averaging around US$1 to US$2 per 1 000 impressions. Unfortunately, cybercriminals are capitalising on this business model using malicious applications with aggressive ad libraries, called madware.

    ‘Often attackers simply repackage or clone popular, legitimate games and include a mobile advertisement library registered to themselves. Every time the application is used and ads are displayed, the attacker generates advertising revenue. While in most instances adware is just a nuisance, it can also present a security risk depending on the ad library features the developer chooses to use. This can include leaking personal data on the phone or user’s behaviour through the ad library’.

    Nokia recently released its biannual Nokia Threat Intelligence report, revealing a sharp rise in the rate of smartphone malware infections in the first half of 2016. Infections nearly doubled in that period, compared to the latter half of 2015 (up from 0.25% to 0.49%), with smartphones accounting for 78% of all mobile network infections. In April, one out of every 120 smartphones had some type of malware infection. A massive 74% of mobile malware infections were found on devices using an Android operating system.

    In a Nokia press release, Kevin McNamee, head of the Nokia Threat Intelligence Lab, says: ‘Today attackers are targeting a broader range of applications and platforms, including popular mobile games and new IoT [internet of things] devices, and developing more sophisticated and destructive forms of malware.’

    This would have come as little surprise to South Africans. In September, Android users were alerted to a malicious banking trojan – Gugi – which can bypass new Android 6 security features designed to block phishing and ransomware attacks. The malware allows cybercriminals to overlay genuine banking apps with phishing apps and seize credit card details by overlaying the Google Play Store app.

    Ironically, this came in the midst of the South African Bank Information Centre’s (Sabric) ongoing cybercrime awareness campaign. In April, Sabric CEO Kalyani Pillay warned that cybercrime was costing South Africa about ZAR1 billion a year. ‘Social engineering is manipulating people so that they can provide certain information without being aware that they are providing it to criminals,’ she said. ‘As more bank consumers migrate to online banking platforms, the risk is that smartphones and handheld devices are being compromised.

    ‘You wouldn’t leave your house open, so you should be equally protective with your electronic devices.’

    On-Red-Alert_PQ

    According to estimates, cybercrime costs the global economy about US$500 billion a year – more than South Africa’s GDP. But the truth is, even that figure is a thumb-suck – the real cost is probably much, much higher.

    Cybersecurity company Kaspersky Lab inadvertently gave us a glimpse of the real picture in June this year when it cracked the case of xDedic. The news reports sounded like something out of a Hollywood movie script… Between 2014 and the middle of 2016, deep in the back alleys of the internet, cybercriminals would meet at xDedic, a Russian-language black market for cybercriminals. Here, hacked computer servers would be bought and sold – some for as much as US$6 000, with others for as little as around US$8. In May 2016, some 70 624 compromised servers in 173 countries around the world were up for sale, along with various crimeware products to help buyers get all the data they wanted from those servers.

    xDedic quickly went offline after Kaspersky Lab revealed its existence in June 2016. Tech commentators around the world sat back in their swivel chairs – we all knew places like xDedic existed, we just had no idea how sophisticated or accessible they were.

    One week later, the story took a twist. In the comments section of Kaspersky’s blog, an anonymous user – named AngryBirds – posted a much larger list of hacked servers. It turned out that Kaspersky’s initial total of about 70 000 was a massive underestimation. According to AngryBirds’ list, between October 2014 and February 2016, more than 176 000 servers were put up for sale on xDedic. ‘Nobody can confirm the authenticity of all of the data listed therein, so it should be taken with a grain of salt,’ said Kaspersky.

    ‘However, Kaspersky Lab’s experts think that there are reasons to believe that at least some portion of it is indeed authentic. Therefore, we highly recommend you check it out, regardless of whether your servers are in the list.’

    It’s well worth doing exactly that – some 2 438 of the servers on Kaspersky’s initial list were based in South Africa (making it the ninth-most affected country).

    If those numbers seem high to you, then consider the case of Nigeria. In March, IT expert Abdul-Hakeem Ajijola told a National Information Technology Development Agency workshop in Abuja that Nigeria loses about NGN89.5 billion every year to cybercrime.

    Ajijola cited a widely published report, which found that 0.80% of Nigeria’s GDP – about the same as the entire cement sector – is being lost to cybercrime. In 2015, he added, 45.3% of Nigeria’s internet users suffered widespread cyberattacks. ‘By implication, either you or the person next to you was hacked in some way.’

    User behaviour is, of course, part of the problem. A recent Norton Cybersecurity Insights report revealed that in South Africa alone, more than 8.8 million fell victim in the past year, with 67% saying they feel it is more difficult to control their personal information as a result of smartphones and the internet.

    Yet despite all that, about 20% of South Africans do not have a password on their smartphone or desktop computer, while the same number (about one in five) use passwords that are secure.

    To make matters worse, those same internet users are putting their companies at risk by bringing their mobile devices to work and using them to access the corporate network.

    According to Kaspersky Lab, big businesses are now facing an unexpected threat to their corporate cybersafety, namely a severe shortage of qualified and talented security staff. ‘Large businesses that feel confident about their IT security team development pay anywhere from US$100 000 to US$500 000 to recover from a single breach,’ the company wrote in a recent report.

    ‘Those companies that admit a certain insecurity in attracting new talent, end up paying from US$1.2 million to US$1.47 million. However, when this loss is compared to the cost of hiring new staff, it demonstrates how much more cost effective it is to employ experts before an incident, rather than bringing them in to pick up the pieces.’

    South Africa is set to introduce the new Cybercrimes and Cybersecurity Act later this year, aimed at improving citizen’s online security. Currently still a bill, it will consolidate the country’s cybercrime laws, improving the chances of successful prosecution. It defines more than 50 new offences and imposes severe penalties – including fines of up to ZAR10 million – on conviction.

    The proposed legislation has been met with some scepticism, with advocacy groups calling its provisions ‘vague and far-reaching’. Indra de Lanerolle, visiting research associate at Wits University, warned Bloomberg BNA that until South Africa has something similar to the disclosures about US surveillance made by Edward Snowden, ‘business and others will remain relatively uninterested and uninformed.

    ‘It’s one thing to discuss powers the state has to snoop with the most limited of scrutiny. It’s another when people discover how state actors actually use those powers’.

    Tanzania had similar issues when it introduced its own Cybercrime Act in September 2015. On paper, the new law is doing its job: by January, the government was claiming that cybercrime rates had decreased by 60%. But the arrests included a handful of people who were charged with insulting President John Magufuli on social media.

    An editorial in Tanzania’s the Citizen newspaper highlighted the problem. ‘The question is not whether the law was enacted in good faith or whether it protects the rights to privacy of individuals or even whether it protects minors from pornography and other abuses of the internet,’ it wrote. ‘The issue is … why should journalists, bloggers, activists or even politicians be jailed for doing their job? There are internationally accepted best practices that deal with things like publication of false information, and those don’t include jailing citizens.’

    While companies dither on investing in talented security staff and governments struggle to implement transparent cybersecurity legislation, cybercrime levels continue to climb. Global cybercrime has now reached a point whereby banking giant Merrill Lynch is factoring it into its investment suggestions.

    In a 2015 report, Merrill Lynch claimed there are now as many as 90 million cybersecurity events per year, with close to 400 new threats every minute and up to 70% of attacks going undetected. ‘All companies are being hit,’ it stated. ‘Finance and insurance is the most targeted sector, followed by ICT, manufacturing and retail.’ Chillingly, the firm sketched out a scenario where, within a few years, cybercrime could extract up to 20% of the total value generated by the internet.

    The report warns that the rise in disruptive technologies ‘means we are facing a potential worst-case “Cybergeddon” scenario, where the “bad guy”’ has the permanent advantage’.

    Think back to xDedic… The cybercriminal black market, with its long shopping list of compromised servers, may well be the first of many you’ll hear about.

    By Mark van Dijk
    Image: Gallo/Getty Images