Cyber threats multiply as use of smart gadgets continues to grow

Technology is increasingly becoming the backbone of almost every aspect life in Kenya, ranging from the work place, the smart home, banking to everyday conversations and operations conducted over smartphones and other internet-enabled devices.

While this has made life vastly more convenient, the widespread use of these smart gadgets has spawned new forms of threats and vulnerabilities, with the latest statistics from the Communication Authority of Kenya showing that the number of cyber threats in Kenya more than doubled in the three months to December 2018.

The sector data showed that during the quarter, there was an increase in the number of cyber threats targeted at Kenya’s cyber space with over 10.2 million cyber events detected during the quarter, compared to 3.8 million in the previous quarter.

“The cyber threat events detected varied from Denial-of-Service (DOS) attacks which hampered the availability of computer services; online abuse which included online fraud, hate speech, incitement to violence and fake news; online impersonation via social media accounts and domain names; web application attacks which included website defacement and illegal access to online applications,” said the report.

This comes barely a fortnight since cyber security firm Kaspersky Lab named Kenya on its list of top 10 countries by share of users attacked by mobile malware.

Kenya saw 29.7 percent of its mobile users have their devices attacked by a range of malware including adware, Risk Tool and Trojan-Dropper, according to the Kaspersky research.

Most mobile malware is downloaded onto mobile devices from dubious applications on the App Store which are embedded with the malicious programmes. Once installed by the users, the software takes over the device.

According to experts from CheckPoint Software Technologies, the apps on the Android Playstore are the largest threats to the mobile user. This includes Fakesapp designed to look like popular messaging applications but are embedded with malware or phishing codes designed to intercept and alter messages sent through the app.

The Flashlight apps are some of the leading malicious applications in the various app stores. The fake apps will request permissions to access messaging, email, call records, photos and even memory, all of which are not needed for the running of the app.

The unnecessary permissions are the beginning of the compromised devices resulting in compromised data.

Ironically, antivirus applications are on top of the list of malicious applications — a Gartner report indicates that 70 per cent, meaning seven out of 10 apps on the playstore, are malicious.

Pay apps are susceptible to key loggers which store anything typed on the phone and they are scraped and used to divert funds or make dummy purchases remotely.

“Malware attacks mainly included phishing attacks; and attacks perpetrated through the exploitation of misconfigured systems,” said CA in its report.

The report comes less than three months after a malware dubbed Emotet hit 11 Kenyan institutions, accessing confidential information of Kenyans using online banking and payment systems.

The increase in attacks targeted at financial institutions has been worrying with data showing that they lost Sh21 billion due to attacks on cybersecurity in 2017.

Digital products

Such attacks are riding on the fact that Kenyan banks are increasingly investing in mobile and digital products as an efficient and cost-effective way of reaching customers and growing market share. This is largely buoyed by rising Internet penetration as well as growing acceptance of mobile- and app-based products, which have in turn become a target for cyber criminals.

Directorate of Criminal Investigations (DCI)’s Economic Crimes Unit on January 30 issued warrants of arrest for 130 suspects said to have engaged in banking fraud between June last year and January this year.

Central Bank of Kenya Governor, Patrick Njoroge has previously stated that cases of ICT-related frauds have been on the rise in recent years, calling on banks to tighten their systems.

In 2017 and 2016, Kenya lost an estimated Sh21 billion ($210 million) and Sh17 billion ($170 million) to cybercrime respectively, an increase from a loss of about Sh14 billion ($140 million) in 2015.

In the latest case, it is believed banks lost more than Sh7 billion.

The CA report further indicated that during the quarter, 12,197 cyber threat advisories were issued to the affected organisations, a 91 per cent increase from those sent out to affected institutions in the previous quarter.

Kaspersky Labs says in 2018 they detected 151,359 installation packages for mobile banking Trojans, which is 1.6 times more than in the previous year.

Kenya however, was not as adversely affected by this as it was by mobile malware. Phishing attacks locally were high enough to be flagged with 14.38 per cent of users attacked by phishers.

“2018 showed that cybercriminals continue to keep a close eye on global events and use them to achieve their goals. We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,” says the Spam and Phishing report in 2018 by Kaspersky.

“Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this topic.”

The report further indicates that there is also a trend toward transition to new channels of content distribution: Cybercriminals in 2018 used new methods of communication with their “audience,” including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages.

Hand in hand with this, as illustrated by the attack on universities, fraudsters are seeking not only new channels, but new targets as well.