/ 2 April 2020

Beware, the cybervirus criminals want you

Graphic Biz Cyber2 Twitter
(John McCann/M&G)

This week the owners of the popular video chat app, Houseparty, offered $1-million to anyone who has evidence that downloading the app has led to other services being hacked.

The United States-based firm, Epic Games, said “hacking rumours were spread by a paid commercial smear campaign to harm Houseparty” and assured its users that none of its data had been breached.

During a time when most governments around the world, including South Africa, have implemented partial or full lockdowns in a bid to curb the spread of Covid-19, Houseparty has been a useful app for those who want to connect with their families and friends. The BBC reported that “downloads of the app rose from an average of 130 000 a week mid-February to two million a week in the middle of March”, according to Apptopia.

Although Epic Games has denied that its app is behind the hacking of  many social media users accounts on other platforms such as Netflix and Spotify, the data breach scare is an illustration of many people’s heightened awareness of the possible unauthorised access and use of their information.

The clampdown on social and work life has seen people increasingly working from home. This, coupled with children being at home and requiring home-streaming videos and other digital entertainment has made securing data even more critical. Companies, households and individuals are all at increased risk of cyberattacks as the move to digital and voice communication increases.

During times of crisis, people turn to trusted sources for accurate information. This leaves them vulnerable to cybercriminals who “exploit human weakness to penetrate systemic defences”, the World Health Organisation (WHO) has warned.

With an increased reliance on technology during lockdowns, there is a greater risk of a company’s network being accessed from any location. Employees are also vulnerable while they work away from the office.

Aside from complying with the law, securing data is critical given the financial implications that a breach may have.

According to the latest annual Cost of a Data Breach Report, by the US-based Ponemon Institute, the average cost of a data breach for South African companies is about R43,3-million. This is almost twice the international benchmark, which is about R22-million.

Methods used by cybercriminals include impersonating official websites such as the WHO and South Africa’s National Institute for Communicable Diseases to steal email credentials and even request Bitcoin donations claiming they will be used to fund research for a Covid-19 vaccine, says Eric McGee of Deloitte Risk Advisory Services.

[td_block_text_with_title tdc_css=”eyJhbGwiOnsibWFyZ2luLWJvdHRvbSI6IjEwcHgiLCJzaGFkb3ctc2l6ZSI6IjIiLCJzaGFkb3ctY29sb3IiOiIjZDhkOGQ4Iiwic2hhZG93LW9mZnNldC1oIjoiMSIsImJhY2tncm91bmQtY29sb3IiOiIjZmZmZmZmIiwiZGlzcGxheSI6IiJ9fQ==” f_post_font_size=”16″ f_post_font_family=”fs_7″ f_post_font_spacing=”0.9″ f_post_font_weight=”400″ block_template_id=”td_block_template_8″ border_color=”#e60000″ f_h4_font_transform=”uppercase” f_h4_font_size=”18″ f_h4_font_weight=”400″ f_h4_font_spacing=”0.8″ f_h4_font_family=”420″ custom_title=”covid-19 in sa”]

[/td_block_text_with_title]

McGee says cybercriminals may also use phishing schemes to trick their victim into acting on their request. This comes in the form of messages about loved ones and often requires the victim to act with a sense of urgency.

On Monday, the security awareness company KnowBe4 said it had discovered a new phishing scheme in which people are told that they’ve been in contact with a  loved one who has contracted Covid-19. The email instructs them to download an attachment and proceed immediately to the hospital.

“The victim is instructed to fill out a pre-filled Excel form, which is actually a macro-laden Office document that serves as a trojan downloader and is currently only detected by a handful of anti-virus applications,” KnowBe4 said.

Lize Barclay, a lecturer in futures studies and systems thinking at the University of Stellenbosch Business School, says fraud reports related to Covid-19 may have increased by as much as 400% in March alone

To protect employees from possible cybercrimes, Barclay says businesses should reinforce cybercrime awareness among their employees. Setting up a VPN (virtual private network) would add an additional layer of security.

“With people working from home, the border between company property and personal property has been blurred, from the perspective of the employee, and it is that blurring of the lines that are being exploited,” she says.

Although South African law does not specifically impose a duty to implement cybersecurity measures in an organisation, Barclay says the Protection of Personal Information Act might provide guidance  to deal with specific data breaches.

“The Cybercrimes Bill of South Africa might provide additional recourse as well. However, with all viruses, be that COVID-19 or cyberviruses, prevention is much more prudent than trying to find a cure.”

Thando Maeko is an Adamela Trust business reporter at the Mail & Guardian