On Christmas Day in 2009, a Nigerian tried to bomb a US-bound commercial flight. The young man was badly burned when the bomb sewn into his underwear failed to detonate fully; the rest is now history. At the time, suicide bombing was alien to Nigeria and Nigerians, and the majority, including the government of the day, did not consider it a threat. Rather than look inward and put control measures in place to curb the emerging threat of terrorism, we waited for the situation to worsen.
Fast forward to 2015: suicide bombing is now business as usual in Nigeria. The next threat to Nigeria after terrorism is cyber security. Whether we admit it or not, the cyber security threat landscape is evolving rapidly in Nigeria. Cyber attacks and cyber crime are on the rise, while government, law enforcement agencies and the private sector all seem powerless to stop them. The persistent attacks can be attributed to many organisations and government agencies not fully understanding or appreciating the security threats they face, and placing other priorities ahead of effective cyber security.
In 2015, Nigeria experienced an increase in the attack surface. The adoption of cyber crime as a service vis-a-vis malware procurement on the black market by cyber criminals, terrorism going cyber with tenacious hacktivism, and the popularity of social media all contributed to the rise in cyber crime. Looking ahead, the main forces will be the continuing expansion of the attack surface, increased attacker sophistication and a shortage of skilled cyber security experts to fight back.
In order to prepare Nigerians ahead of 2016, a forecast has been made of the top 5 cyber security threats that will dominate the country in the new year:
First is the phishing attack, which typically involves sending a victim an email that looks to the unsuspecting recipient as if it comes from a legitimate source, for instance a bank. The email will ask the victim to verify personal information through a link to a fraudulent web page. Once that’s provided, the criminal can access the victim’s financial information.
2015 witnessed unprecedented phishing emails from cyber criminals in Nigeria, peaking when the deadline for the Bank Verification Number (BVN) was announced by the Central Bank of Nigeria. Cyber criminals swamped unwary bank customers with phishing emails warning them that their account was about to be blocked, and then stole their credentials once they supplied their details.
The year also saw home-grown cyber criminals moving a step further by using Remote Administration Tools (RAT) and other malware tools as part of their phishing attacks. In the same year, a government agency was unknowingly serving a webmail phishing site from its own government (gov.ng) domain. The phishing content was based on a ready-to-go phishing kit that is distributed as a zip file. It contains easily customisable PHP scripts and images designed to trick victims into surrendering their Yahoo, Gmail, Hotmail or AOL passwords. In 2016, phishing will continue to be the number one cyber crime in Nigeria and a big threat to individuals and organisations, considering that exploit tools are now readily available in the online black market.
Another is social media identity theft, a trusted-friend-based scam that is becoming a very common cyber crime in Nigeria and will continue to rise in 2016. It is common knowledge that, between social and professional networking sites, many have posted more than enough information about their personal and work lives for enterprising identity thieves to compile into a fake profile that looks authentic to people who know them.
We have seen cyber criminals create fake customs and immigration officers’ profiles, promising auction sales at ridiculous prices on social media and giving out account details for payments, in order to scam unsuspecting social network users who believe they are dealing with legitimate officers.
People’s social media login details are being stolen on a daily basis using malware, in order to solicit financial support from the contact list of the compromised user while pretending to be them. These types of scams will continue to rise in 2016, with cyber criminals targeting individuals, creating bogus profiles and stealing people’s social media login credentials to scam unsuspecting social media friends.
In addition, there is the insider threat, which is defined as a security threat that originates from within the organisation being attacked or targeted, often an employee or officer of an organisation or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organisation or entity.
— Afon wrote in from Abuja