Email at your own risk: Major Australian brands and institutions vulnerable to hacks
The Australian Signals Directorate is working with the Department of Parliamentary Services to investigate the issue. Photo: TND/Getty
From a Chinese state-sponsored cyber attack on Australia’s Parliament and the three biggest political parties to a ransomware attack that caused chaos at Victorian hospitals, cyber crime has proved to be a major – and often underestimated – threat.
Last week, the nation was shocked by news the Australian National University (ANU) had been compromised by a brazen email hack.
ANU vice-chancellor Brian Schmidt said the hack was not “a smash and grab” but “a diamond heist”, describing it as “shocking in its sophistication”.
Now experts have revealed that 86 of Australia’s 100 biggest companies, and all but one of the nation’s top 10 universities, are not even using one of the most basic forms of email protection.
With the number of attacks rising – a cyber crime is reported every 10 minutes across the nation, the Australian Cyber Security Centre announced on Monday – Australians are being warned to be cautious about how they use email.
Why email can’t be trusted
Email has enjoyed extraordinary longevity as a tool for digital communication, despite many attempts to replace it.
It can be exploited by even the most novice cybercriminals, said Ryan Kalember, an executive vice president at global cybersecurity firm Proofpoint.
“You can’t necessarily trust email as a communication mechanism,” he said.
“The fraudsters have capitalised on that.”
However, major organisations – from ASX100 companies to educational institutions, well-known consumer brands and even government – have failed to heed the warnings, Mr Kalember said.
Proofpoint researchers found that only a handful of Australia’s major firms and universities were using one of the most basic email authentication tools – DMARC – to protect against “identity deception”: fraudulent emails purporting to be from a trusted source.
Cyber attacks generally use one of the following three methods:
- Phishing email: An email designed to look legitimate in order to snare the receiver in a scam, typically tricking them into providing information or into visiting a site elsewhere on the internet where their credentials will be taken
- Malware: Refers to a range of viruses and custom software designed to get around IT controls, and give someone access to damage a system
- Ransomware: When attackers get into a system to either make data unreadable by encrypting it, or lock it up and refuse to give it back unless a ransom is paid.
“Most people don’t realise that the email in their inbox, there’s no technical reason that they should believe that it’s from who it says it’s from,” Mr Kalember said.
“There are obviously ways to make that more apparent and provide some technical basis for trusting email, but very few Australian organisations do that.”
Proofpoint looked at the ASX100, and found that only 14 of Australia’s top 100 publicly listed companies were authenticating their email.
This included “some of the biggest retail brands out there”, Mr Kalember said.
“We’re continuing to see everything from the telcos to the retail brands abused to target ordinary Australians.”
Of Australia’s top 10 universities, only Monash University is “actually authenticating their email”, Mr Kalember said.
“The email can come from a university’s own domain and look exactly like it was sent legitimately, with whatever link the attacker wants. And it won’t be blocked. It will just get delivered,” he said.
“And that is counter to everything we’ve tried to teach people. But all the classic advice we give people is completely undermined if the email can look exactly like it’s supposed to.”
The problem is exacerbated by the fact that for many students, university is the first time they are “really having to depend on email to do anything important,” Mr Kalember said.
“That makes them perfect targets.”
The global losses reported due to “identity deception” emails continue to skyrocket, tallying more than $38 billion over the past financial year.
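As an added illustration (not from the article, Proofpoint or any named organisation), here is a simplified Python model of how a receiving mail server applies a sender domain’s published DMARC policy, showing why a spoofed From: address from a domain with no record or a p=none record is delivered while a p=reject domain has it blocked. The domain names and DNS records are constructed, and the logic follows the outline of RFC 7489 rather than a full implementation.

```python
"""Simplified DMARC disposition for a received message (constructed example).

A message passes DMARC if SPF or DKIM passes AND the domain that was
authenticated aligns with the RFC5322.From domain. Otherwise the receiver
applies whatever policy the From: domain published at _dmarc.<domain>;
no record means no instruction, so the mail is delivered as-is.
"""

# Constructed sample DNS zone (hypothetical domains): TXT records keyed by name.
SAMPLE_DNS_TXT = {
    "_dmarc.example-uni.edu.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example-uni.edu.au",
    "_dmarc.example-retail.com.au": "v=DMARC1; p=none; rua=mailto:reports@example-retail.com.au",
    # example-bank.com.au publishes no DMARC record at all.
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def lookup_policy(from_domain: str, dns=SAMPLE_DNS_TXT):
    """Effective p= policy for a From: domain, or None when no record is published."""
    tags = parse_dmarc(dns.get(f"_dmarc.{from_domain}", ""))
    return tags.get("p", "none").lower() if tags else None


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: the authenticated domain equals or is a subdomain of From:."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain,
                      dns=SAMPLE_DNS_TXT) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for the message."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain)
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC pass: sender proved control of the From: domain
    policy = lookup_policy(from_domain, dns)
    # p=none (monitoring only) and a missing record both leave the spoof deliverable.
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
```

The three spoof cases in the test mirror the article: the same forged From: header is rejected for the p=reject domain and delivered for the p=none and no-record domains.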
The ANU email hack
ANU revealed last week that a single email was responsible for the cyber hack that compromised its systems.
The attack occurred in November, and began after a staff member was sent an email infected with a virus.
The email only had to be previewed – no link was clicked and the message didn’t have to be opened – for the hackers to access ANU’s network.
While ANU is withholding technical information about the attack, Darren Hopkins, a cyber security industry veteran of two decades, said the community needed “absolute clarification” over how it happened.
“I don’t know how any of us are going to do business if we can’t open our emails,” he said.
“The way we’re being attacked now is designed to make it really difficult for us to detect it.”
On average, in cases he’s seen, hackers spend about four to six weeks undetected in a network and about $700,000 is lost; in one case, $10.8 million was swiped in a single transaction, Mr Hopkins said.
Cyber crime is estimated to cost the global economy $2 trillion, while $600 billion is spent on protection.
Mr Hopkins said people should check they’ve activated existing security settings on their computer and email.
He urged people to also think about how they deal with information, saying anything unnecessary should be deleted.
“What do we leave in our mailboxes when we probably shouldn’t?” he said.
“How do we save things when we shouldn’t even keep them?”