Phishing a key threat for S'pore, warns cyber security company in report

SINGAPORE — In tandem with the benefits of technological advances, cyber criminals are adapting and coming up with more effective methods to exploit vulnerabilities.

Singapore ranked 10th in the Asia-Pacific region for global detection of cyber security threats last year, moving up by a place from 2017, said cyber security company Symantec in its Internet Security Threat Report released on Wednesday (Feb 20).

The report stated that phishing is a key threat here, making up 2 per cent of phishing cases globally.

“Singapore is an increasingly targeted country, given its mature economy (and) technology-savvy people who own an array of devices,” said Symantec Asia Pacific’s chief technology officer Nick Savvides.

“A lot of Singaporeans own (credit) cards and opt for online transactions. Criminals go to where the money is.”

RELATED STORIES

• The Big Read: As more cyber attacks loom, Singapore has a weak ‘first line of defence’
• The Big Read in Short: Singapore’s weakest link in cyber security

COMMON CYBER SECURITY THREATS

• Phishing

Phishing attacks mainly use fraudulent methods, such as the spoofing of Internet addresses and emails, to obtain sensitive information.

Unsuspecting victims may be led to a bogus identical website where information can be stolen.

According to PayPal’s head of Information Security, Asia Pacific, Mr Phoram Mehta, over 95 per cent of all successful attacks have their roots in phishing because it is “easy, both from an execution mode, but more importantly, from the cost (side)”.

• Hacking

Hacking is an intentional attack by someone with unauthorised access to a protected system. Hacking may deface a website or steal data, which may then be sold.

Notable cases in Singapore include the defacement of websites belonging to the Prime Minister's Office and the Istana in 2013.

However, not all hacking activities are malicious, as there are “white-hat” hackers — ethical hackers who conduct penetration testing for organisations, with their permission.

A grey zone exists, lawyer Bryan Tan from Pinsent Masons explained. “These (grey-hat) hackers may do penetration testing on companies without being asked to do so, and then demand payment for discovering any flaws. And these hackers can claim that they are doing it for ethical reasons,” he said.

• Cybercrime-as-a-Service

Hiring cyber attackers used to be an activity confined to the “dark web”, or a collection of websites that could only be accessed through encryption and beyond the reach of traditional search engines.

In recent years, Cybercrime-as-a-Service has emerged on the surface web, accessible to anyone with a working email.

Mr Righard Zwienenberg, senior researcher at IT security company ESET, said that for US$500 or less — usually paid in bitcoins — cyber criminals can be hired.

• Cryptojacking

Mining is akin to "minting" cryptocurrencies, yet a great amount of computing power is required. Hackers may tap into victims’ central processing unit (CPU) power, without their knowledge, to mine cryptocurrencies. Despite falling cryptocurrency prices, cryptojacking incidents are still significant globally, said Symantec.

• Malware

Malicious software infects computers, which can then be manipulated for information (spyware), Denial of Service attacks, or “locked” for ransom (ransomware).

• Denial of Service attacks

A Denial-of-Service attack, commonly known as DoS attack, typically uses computers infected with malware to flood its target with superfluous requests, temporarily or indefinitely overwhelming the system and preventing its services from being delivered.

• Data breach

Data breaches occur when an unintended recipient gains access to data intentionally, or through negligence.

The biggest data breach to date happened in 2013 when 3 billion Yahoo accounts were hacked, while 500 million accounts belonging to hospitality company Marriott were compromised between 2014 and 2018.

• Catfishing

Catfishing scams involve manipulation, usually through fake social media accounts, to fish out information or monetary benefits from unsuspecting users.

A report published last month by the North Atlantic Treaty Organisation’s Strategic Communications Centre of Excellence revealed how a group of researchers, with the military’s blessing, were able to use fake social media accounts and groups to identify 150 soldiers, influence their behaviour, and track confidential military information.

• Formjacking

Using a form of JavaScript code embedded in the checkout web pages of e-commerce sites, victims’ credit card details as well as other information on the payment forms can be stolen and misused, much like the digital version of an ATM skimmer. This threat became increasingly popular from last year, said Symantec.

• Internet of Things (IoT) attack

Targeted attack groups are now focusing on IoT products as vulnerable entry points, said Symantec. IoT products such as smart light bulbs and voice assistants make good targets due to their accessibility to the internet, as well as its interconnectivity with other devices.

Sign up for TODAY’s newsletter service on any of these platforms. Tap here:

WhatsApp  Telegram Email

WHY DOES THIS MATTER?

Last year, sophisticated cyber attackers breached the IT systems of public healthcare cluster SingHealth and stole the personal data of 1.5 million patients. About 160,000 of these patients, including Prime Minister Lee Hsien Loong, also had their outpatient medication information stolen.

The incident happened after a SingHealth front-end workstation was infected with malware, creating a vulnerability for hackers to gain access.

Given the adaptability and speed of cyber criminals today, every individual should take personal responsibility in ensuring that he is adequately protected from cyber threats, said Mr Savvides.

STAY SAFE IN THE CYBER WORLD

• For businesses:

In Singapore, cyber attacks were more often aimed at businesses last year, with an increase of 180 per cent in malware detections among businesses, said Mr Akshay Bhargava, senior vice-president for products at Malwarebytes.

With the increasing integration of IoT in businesses, artificial intelligence technologies can also be used to manage security protection more efficiently.

• For individuals:

Always keep your software up-to-date to prevent your devices from being compromised

As much as possible, enable two-factor authentication for security

Do not use the same password across different accounts

Own an effective security product

Be aware of relevant cyber threats and stay updated on preventive measures