Putting the Cybercrime law to test in 2016
On Christmas Day in 2009, a Nigerian tried to bomb a United States-bound commercial flight. The young man was badly burnt when the bomb sewn into his underwear failed to detonate. The rest is now history.
Then, suicide bombing was strange in Nigeria. Thus many Nigerians and the government of the day did not consider it a threat. Rather than look inward and establish control measures, the government slacked and the situation became worse.
Fast forward to 2015, suicide bombing is no longer news in the country. The next threat to Nigeria after terrorism is cyber attacks, despite government’s efforts to stop them. The persistent assault can be attributed to little or no awareness among organisations and government agencies of the security threats they face.
The lack of effective organisational accountability for the impacts of security breaches also contributes to the rising incidents of security failure, especially in 2015.
The possibility of procuring malware in the black market, the activities of hacktivists and the popularity of social media have contributed to the rise in cyber crime.
Looking ahead, the main challenges will be continued expansion of the attack surface, increased attacker sophistication and the shortage of skilled cyber security experts to fight back.
In order to prepare Nigerians ahead of 2016, the Cyber Security Experts Association of Nigeria (CSEAN) identified the top five cyber security threats that will confront Nigeria in the New Year. The list, according to CSEAN President, Remi Afon, includes phishing, an attack that typically involves sending a victim an email that looks to the unsuspecting recipient as if it comes from a legitimate source, for instance, a bank.
In a phishing attack, an email is sent asking the victim to verify personal information through a link to a fraudulent web page. Once that’s provided, the hacker can access the victim’s financial information.
The year 2015 recorded a high number of phishing emails from suspected cyber criminals in Nigeria, peaking when the Central Bank of Nigeria (CBN) announced a deadline for the Bank Verification Number (BVN).
Cyber criminals swamped unwary bank customers with phishing emails warning them that their accounts were about to be blocked, and then stole their credentials once they supplied their details.
The year also saw home-grown cyber criminals moving a step further by using Remote Administration Tools (RATs) and other malware tools as part of their phishing attacks. In the same year, a government agency was unknowingly serving a webmail phishing site from its own government (.gov.ng) domain.
The phishing content was based on a ready-to-go phishing kit that is distributed as a zip file. It contains easily customisable PHP scripts and images designed to trick victims into surrendering their Yahoo, Gmail, Hotmail or AOL passwords.
In 2016, phishing will continue to be the number one cyber crime in Nigeria and a big threat to individuals and organisations, considering that exploit tools are now readily available in the online black market.
Social media identity theft
This trusted-friend-based scam is becoming a common cyber crime in Nigeria and will continue to rise in 2016. It is common knowledge that between social and professional networking sites, many have posted more than enough information about their personal and work lives that enterprising identity thieves could easily compile it to create a fake profile that looks authentic to people who know them.
We have seen cyber criminals create fake customs and immigration officers’ profiles on social media, promising auction sales at ridiculous prices and requesting account details for payments, in order to scam unsuspecting social network users who believe they are dealing with legitimate officers.
People’s social media login details are being stolen on a daily basis using malware, in order to solicit financial support from the contact list of the compromised user, pretending to be them. These types of scams will continue to rise in 2016, with cyber criminals targeting individuals, creating bogus profiles and stealing people’s social media login credentials to scam unsuspecting social media friends.
Insider threat
An insider threat is most simply defined as a security threat that originates from within the organisation being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.
Insider threat is common in banks and other financial institutions in Nigeria where staff collude with cyber criminals to defraud innocent customers.
In late 2014, an IT worker in one of the leading banks located in Abuja was involved in co-ordinating a 6.28 billion naira cyber-theft where he worked. He used his privileged position to siphon money into conspirators’ accounts.
This particular case was made public because EFCC declared the suspect wanted; most cases of compromises and cyber theft in banks have remained publicly unreported in 2015 since there is no law in Nigeria mandating public disclosure of cyber attack or compromise. Insider threat has been on the rise in 2015 and will continue to be a major cyber threat in 2016 in Nigeria.
Cyber terrorism vs hacktivism
In 2015, Boko Haram declared allegiance to ISIS. Since then, its propaganda materials have become more sophisticated, suggesting coordination or even that Boko Haram outsources some of its propaganda to ISIS, according to a special report in April 2015 by BATBLUE, an American-based cloud security company.
The report claimed Boko Haram now uses email scams to raise a small amount of funds, and seems to have outsourced some of its Photoshop and video development to ISIS to further its online propaganda strategy. This pattern is expected to continue in 2016, as we have seen ISIS speaking for and on behalf of Boko Haram.
The year 2016 will also see a rise in hacktivism in Nigeria. Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. The individual who performs an act of hacktivism is said to be a hacktivist.
A taste of what to expect in 2016 was served by some unknown hacktivists just a few days before Christmas: the official websites of the Lagos State Government and the Court of Appeal were hacked by an unknown group sympathetic to the Shiite Muslim sect. The hackers, in a message posted on the two websites after the attack, described the Nigerian government as terrorists.
Lack of Cyber Security Awareness
Throughout 2015, Nigeria remained woefully unaware of the risks that cyber attacks pose to its economy, national security, and privacy. This problem is caused in large part by the fact that information about cyber attacks is ordinarily kept secret to avoid backlash.
As a result, Nigerians do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on their businesses and the scale of the attacks undertaken by cyber criminals against Nigerian interests. This is a big threat as organisations and government sleepwalk into cyber attacks.
Effective cyber security starts with awareness at management level – the recognition that at some point your organization will be attacked. Organisations need to understand the biggest threats and learn how they can put the assets at the heart of their organization’s mission at risk. Lack of cyber security awareness is a threat that Nigeria will contend with in 2016.
On a positive note, the cyber crime bill was passed into law by the previous administration in 2015. The next 12 months will see more tangible changes as a result of efforts to fight cybercrime by law enforcement agencies, with more cybercriminal arrests and convictions.