Cyber attacks: Negligence, poor systems make South Africa cyber crime heaven

Criminals are taking advantage of the negligence and weak control systems in South African organisations to mine sensitive data in the country, where cyber attacks are on the rise.

The South African government and companies can no longer sweep cyber hacking incidents under the carpet, thanks to the Cybercrimes Act of 2020. The act forces organisations to comply and report cyber attacks, to enable authorities to investigate.

Also Read: Dis-Chem investigating after hackers access people’s personal information

Prior to signing the bill into law, there was no clear definition of what a cyber offence was.

Along with the Protection of Personal Information (POPI) Act of 2020, the cyber law is key in the fight against mobile device and internet offences.

Online safety as important as real safety

Director of the University of Johannesburg (UJ) Centre for Cyber Security, Basie von Solms says online security is becoming as important as personal security in South Africa.

He said companies are beginning to take data security seriously and in some instances, encourage end users in the company, such as an administrator, to become anti-hacking “soldiers” in and outside the work space.

“The problem we have today is that these attacks have become more sophisticated and encroaching in our daily lives.

“The criminals are getting more clever, prompting companies to get employees to be vigilant, because in most instances, organisations are attacked through hacking of just one device owned by an employer or even a supplier.”

Solm added that in the case of Dis-chem’s data breach last week, the company was attacked via a supplier, through whom criminals were able to access Dis-chem’s data.

“You will find that subcontractors, suppliers… SMME’s actually, are targeted because they have less money and no proper skills compared to big companies to implement proper data security.

“The criminals are able to easily access small businesses’ systems and take it from there to attack the richer and big companies they work with.”

‘Failure to verify’

Negligent users who mishandle company information and apply easy to guess passwords are the ones most successfully targeted online.

In some cases, employees fail to verify emails requesting them to change important information such as banking details, thus enabling criminals to cash in.

According to cyber security expert John Mc Loughlin, there has been an increase in an evolved method of payment fraud in the past month, where the trend involves an internal change of bank details, mostly for a company director or even the CEO.

Through this method, the criminal impersonates the CEO by using an external email address, claiming that it is their private email address, and requests that their banking details for payroll be updated.

The emails use similar wording and are usually sent a week before payroll closes to stress the urgency, said Mc Loughlin.

“Traditional payment fraud has been rife for some time, where the cybercriminal impersonates the CEO, or other senior member of staff, to convince the finance department to make an urgent payment to either a new supplier or update their banking details.

“The change of banking details fraud uses fake banking confirmation letters and the trust of finance people to update an existing supplier’s details. The growing number of successful attacks have proven to be very costly to businesses of all sizes,” Mc Loughlin said.

When receiving such a request, said Mc Loughlin, make sure to call and speak to the correct person on the other side of the email.

“Verify changes only from contact details that are already on the system; do not rely on something purely in the email.

For the organisation, it important to review and strengthen internal change of bank details processes. This should include secondary validation of the request in the same way external parties are treated.”

He said some of the fraud attempts were done on official company paperwork and letterheads, showing a likely insider threat from a malicious or disgruntled employees.

“To make sure that they pay their CEO, many of these changes have been successful. The finance or HR team update the details and the cybercriminal is paid, after which they rapidly get the money out before anybody notices.”

Offences under the Cybercrimes Act

Some of the offences that constitute cyber crime under the Cybercrimes Act include:

• Unlawful access to a computer system or computer data storage medium
• Unlawful interception of data and/or processing of unlawfully intercepted data
• Unlawful use or possession of a software or hardware tool
• Unlawful interference with data or computer program
• Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device
• Cyber fraud
• Cyber forgery and uttering
• Cyber extortion
• Malicious communications – data messages which incite damage to property or violence or which threaten persons with damage to property or violence, and including unlawful distribution of intimate images.

Dis-Chem just the latest in a string of corporate victims

Apart from Dis-chem, credit bureau company TransUnion SA was hit by hackers in March. The criminals accessed 54 million personal records and demanded a R224 million ransom from the company.

The hacker did this through the misuse of an authorised client’s credentials, TransUnion SA said.

Another credit bureau, Experian, was also targeted recently in a similar fashion., with consumers’ data being widely shared across criminal networks online.

Also Read: Consumer data leaked from Experian last year still being shared

Last year, work at the Office of the Master of the High Court and court proceedings countrywide grounded to a halt after a ransomware attack at the Department of Justice and Constitutional Development.

Hackers encrypted the department’s IT systems during the attack, and the system was thus unavailable to officials and the public, causing disruptions and delays throughout the department.

State-owned enterprise Transnet also beard the brunt of ransomware attack last year, resulting in a force majeure.