Cert NZ finds NFT threat, Budget 2022 details remain elusive

A lurking threat? Photo / Getty Images

If that deal involving a jpg of a bored ape looks too good to be true, that's because it probably is, a cyber watchdog says.

The Government's Computer Emergency Response Team (Cert NZ) is warning about a rise in scams involving NFTs or non-fungible tokens, which have sold for stratospheric sums over recent months (although some buyers are now finding them hard to on-sell after the crypto crash).

"The sudden rise in popularity of NFTs [non-fungible tokens] has seen a rise in scams relating to them. Cryptocurrency scams are increasing in general, but we are now seeing campaigns specifically targeting those looking to buy or sell NFTs," Cert NZ director Rob Pope says.

"This new form of investment has created a rich avenue of opportunity for scammers, who are always looking for an edge."

NFTs appeal to attackers as they are still mostly unregulated, and payments are difficult to reverse or retrieve, Pope says.

The NFT market can be heavily hyped with high-profile projects and the estimated resale values can create a fear of missing out.

Scammers try to exploit this "fomo" with messages that emphasise urgency, Pope says.

Earlier this week, police said they were investigating Quwiex, a company operating with "falsified" New Zealand registration details, following multiple reports of people falling victim to a cryptocurrency investment scam.

Flubot persists

The Cert NZ director also warns that "Flubot" text scams persist, despite efforts by telcos and various agencies to stamp them out.

The scam sees a bogus text message purporting to be from a courier company (or another business) and asks you to click a link to download a form - which is actually the Flubot virus, which can steal details like your banking login, then spread itself to everyone in your address book (which is why the dodgy text messages come from regular cellphone numbers. Most organisations that send text messages en masse do so from services that use a four-digit code - which you'll see as the sender number. Most never include a web link or ask for personal details via text).

Cyber incidents, losses on the rise

Overall, reported cyber security incidents and financial losses from cyber-crime both appeared to increase in the first quarter - at least against the year-ago quarter, according to Cert's latest report.

Numbers seemed to drop from the fourth quarter of 2021, however. (see charts below)

"Seemed" is the operative word.

Pope has acknowledged a number of times that the stats reported by his agency are likely the tip of the iceberg.

There are two issues.

One is that many are still unaware that Cert NZ was founded in 2017 as a first port-of-call for individuals and small businesses hit by cybercrime. It can offer advice, and steer you to the right arm of law enforcement.

The other is that many hit by cybercrime or scams are too sheepish to come forward, even though Pope emphasises that the process is confidential.

Here comes the cavalry. Soon. Probably.

Budget 2022 seemed to go some way to addressing these problems.

It promised Cert NZ would get funds to support "a pilot victim remediation service, and fund the development of a technology solution to make it easier for individuals and organisations to report and respond to cyber incidents" and upgrades to other programmes.

The $550,000 allocated for these initiatives in the financial year just closed would be boosted to $7.3m for FY2023, with $6.4m, $5.6m and $5.5m allocations over the next three years.

As of today, however, there's no detail on when the new services will launch, or how they'll work. Communications and Digital Economy Minister David Clark is expected to offer a briefing in the coming weeks.

(We're also still waiting for more detail - or in fact any detail, including financial - on what Defence Minister Peeni Henare described in Budget 2022 documents as "an enhanced Defensive Cyberspace Operations (DCO) capability". Budget documents said a business case would be put to Cabinet in June. The project is still in a "definition stage". Our Budget 2022 also gave the GCSB an additional $14.3m, over four years, to boost its efforts to protect key government agencies and exporters from cyber attacks).

Don Christie, a director of local IT industry lobby group NZRise, told the Herald our cyber security spending was falling short. While there were incremental increases in spending, there was nothing like the A$1.2 billion boost to cyber defences delivered by Australia's 2020 Budget.

While the Ministry of Defence had scoped out a new ship costing up to $600m to patrol our ocean borders, "There's no equivalent of a patrol vessel being built for cybersecurity, which has far more far-reaching economic implications," Christie told the Herald.