On Christmas Day in 2009, a Nigerian tried to bomb a US-bound commercial flight. The young man was badly burned when the bomb sewn into his underwear failed to detonate fully; the rest is now history. At the time, suicide bombing was alien to Nigeria and Nigerians, and the majority, including the government of the day, did not consider it a threat. Rather than look inward and put control measures in place to curb the emerging threat of terrorism, we waited for the situation to get worse. Fast forward to 2015, and suicide bombing is now business as usual in Nigeria.
The next threat to Nigeria after terrorism is cyber security. Whether we admit it or not, the cyber security threat landscape is evolving rapidly in Nigeria. Cyber attacks and cyber crime are on the rise while government, law enforcement agencies and the private sector all seem powerless to stop them. The persistent attacks can be attributed to many organizations and government agencies not fully understanding or appreciating the security threats they face and placing other priorities ahead of effective cyber security, in the absence of any penalties or incentives to behave otherwise. The lack of effective organisational accountability for the impacts of security breaches also contributes to the mounting number of security breaches and failures.
In 2015, Nigeria experienced an increase in the attack surface; the adoption of cyber crime as a service vis-a-vis malware procurement on the black market by cyber criminals, terrorism going cyber with tenacious hacktivism, and the popularity of social media all contributed to the rise in cyber crime. Looking ahead, the main forces will be the continuing expansion of the attack surface, increased attacker sophistication and a shortage of skilled cyber security experts to fight back.
In order to prepare Nigerians ahead of 2016, a forecast of the top 5 cyber security threats that will dominate Nigeria in the New Year has been made.
- Phishing
A phishing attack typically involves sending a victim an email that looks to the unsuspecting recipient as if it comes from a legitimate source, for instance a bank. The email will ask the victim to verify personal information through a link to a fraudulent Web page. Once that’s provided, the criminal can access the victim’s financial information.
2015 witnessed unprecedented volumes of phishing emails from cyber criminals in Nigeria, peaking when the deadline for the Bank Verification Number (BVN) was announced by the Central Bank of Nigeria; cyber criminals swamped unwary bank customers with phishing emails warning them that their accounts were about to be blocked, and then stole their credentials once they supplied their details. The year also saw home-grown cyber criminals moving a step further by using Remote Administration Tools (RAT) and other malware tools as part of their phishing attacks. In the same year, a government agency was unknowingly serving a webmail phishing site from its own government (.gov.ng) domain. The phishing content was based on a ready-to-go phishing kit that is distributed as a zip file. It contains easily customisable PHP scripts and images designed to trick victims into surrendering their Yahoo, Gmail, Hotmail or AOL passwords. In 2016, phishing will continue to be the number one cyber crime in Nigeria and a big threat to individuals and organisations, considering that exploit tools are now readily available in the online black market.
- Social Media Identity Theft
This trusted-friend-based scam is becoming a very common cyber crime in Nigeria and will continue to rise in 2016. It is common knowledge that, between social and professional networking sites, many people have posted more than enough information about their personal and work lives for enterprising identity thieves to compile it into a fake profile that looks authentic to people who know them. We have seen cyber criminals create fake customs and immigration officers’ profiles on social media, promising auction sales at ridiculous prices and giving out account details for payments in order to scam unsuspecting social network users who believe they are dealing with legitimate officers. People’s social media login details are being stolen on a daily basis using malware, in order to solicit financial support from the contact list of the compromised user while pretending to be them. These types of scams will continue to rise in 2016, with cyber criminals targeting individuals, creating bogus profiles and stealing people’s social media login credentials to scam unsuspecting social media friends.
- Insider Threat
An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.
Insider threat is common in banks and other financial institutions in Nigeria, where staff collude with cyber criminals to defraud innocent customers. In late 2014, an IT worker in one of the leading banks located in Abuja was involved in co-ordinating a 6.28 billion naira cyber-theft at the bank where he worked. He used his privileged position to siphon money into conspirators’ accounts. This particular case was made public because the EFCC declared the suspect wanted; most cases of compromise and cyber theft in banks remained publicly unreported in 2015, since there is no law in Nigeria mandating public disclosure of cyber attacks or compromises. Insider threat has been on the rise in 2015 and will continue to be a major cyber threat in 2016 in Nigeria.
- Cyber Terrorism vs Hacktivism
In 2015, Boko Haram declared allegiance to ISIS. Since then their propaganda materials have become more sophisticated, suggesting coordination or even that Boko Haram outsources some of its propaganda to ISIS, according to a special report in April 2015 by BATBLUE, an American-based cloud security company. They claimed Boko Haram now uses email scams to raise a small amount of funds, and seems to have outsourced some of its photoshop and video development to ISIS to further its online propaganda strategy. This pattern is expected to continue in 2016, as we have seen ISIS speaking for and on behalf of Boko Haram.
2016 will also see a rise in hacktivism in Nigeria. Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. The individual who performs an act of hacktivism is said to be a hacktivist. A taste of what to expect in 2016 was served by some unknown hacktivists just a few days to Christmas 2015; the official websites of the Lagos State Government and the Court of Appeal were hacked by an unknown group sympathetic to the Shiite Muslim sect. The hackers, in a message posted on the two websites after the attack, described the Nigerian government as a terrorist.
- Lack of Cyber Security Awareness
Throughout 2015, we as a nation remained woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy. This problem is caused in large part by the fact that information about cyber attacks is ordinarily kept secret to avoid backlash. As a result, Nigerians do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on their businesses and the scale of the attacks undertaken by cyber criminals against Nigerian interests. This is a big threat, as organisations and government sleepwalk into cyber attacks.
Effective cyber security starts with awareness at management level – the recognition that at some point your organization will be attacked. Organisations need to understand the biggest threats and learn how they can put the assets at the heart of their organization’s mission at risk. Lack of cyber security awareness is a threat that Nigeria will contend with in 2016.
Finally, on a positive note, the cyber crime bill was passed into law by the previous administration in 2015. The next 12 months will see more tangible changes as a result of efforts by law enforcement agencies to fight cybercrime, with more cybercriminal arrests and convictions.