Despite its small size, Hong Kong ranks third in the world and first in Asia as a target for cybercrime. Honey Tsang reports.

The grim picture came clear in the conference room at the Hong Kong Computer Emergency Response Team Coordination Center (HKCERT). Since last year, cases of extortion, using sophisticated "ransomware", to hijack corporate computer data jumped more than a thousand percent. Throughout 2015, the center recorded a scant 18 cases. In the first seven months of this year, 211 reported ransomware cases were investigated, an increase of roughly 1,072 percent year on year.

The causes for unease grew when the next graphic appeared, revealing a pattern of consistent surges in the valuation of bitcoin - the barely traceable digital currency which often figures in the ransom demands of cyber criminals.

Leung Siu-cheong, senior consultant to HKCERT, noted the correlation between jumps in bitcoin valuation and a spate of attacks involving Locky, a strain of ransomware that renames files then scrambles computer data. Victims are forced to pay a price for a key to decrypt and restore their data. Leung's role is to observe the cyber attack terrain in Hong Kong in search of solutions.

"The cases reported to us represent a small part of the cyber threat. There're substantial unreported cases in town, still hanging," Leung told China Daily.

"We have reliable sources in local schools, telling us that many academies have fallen prey to ransomware, without ever reporting breaches to us," Leung said.

His colleague Wally Wong, security analyst of HKCERT, once said in a seminar themed "Web Security Starts from Health Check" earlier in August, that many computer systems in schools were infected by someone's clicking a malicious URL (web address), often embedded in ROM discs used as teaching resources.

When valuable files are locked with indestructible encryption, Leung said, most victims have no option but to pay a ransom in bitcoin, so they can be directed to the decryption key that will restore their data.

This year, things are getting more complicated. Along with ransomware attacks, Hong Kong is on the frontlines of another form of cyber-attack, known as the Business Email Compromise scheme, also known to city police as the CEO email scam. BEC scams spread like most others by using an internet ruse to heist a tidy sum and ultimately to cripple a large organization.

At the end of August, data security experts from around the world converged at CLOUDSEC, the annual internet security conference held in Hong Kong. The expert consensus was that ransomware and BEC proved the two most menacing cyber threats during the first half of 2016.

"It seems that in Hong Kong, despite its size, they (ransomware and BEC) are emerging as major concerns right now," Myla Pilao, marketing director of TrendLabs at Trend Micro, a global internet content security provider, told China Daily.

True enough, Hong Kong has been the third most affected region hit by email scams attacks, with 226 email scam cases recorded during the first six months of 2016, Trend Micro's findings showed. The United Kingdom placed second with 595 recorded incidents and 2,496 cases in the United States.

Business email scams are a highly sophisticated stratagem for targeting large enterprises. Perpetrators send phishing emails, appearing to be from company executives. Recipients are directed to execute wire transfers to "alternate" accounts. From January 2015 to June 2016, email scammers poached more than $3 billion, affecting 22,000 firms around the world, according to estimates of law enforcement agencies.

Asked why Hong Kong has risen to third place among countries and regions targeted by cyber criminals, Pilao answered: "The email scam targets routine transactions involving trade, commerce and transfer of funds. In Hong Kong, there's plenty of that."

Detective inspector Dicky Wong is in charge of the collaboration team of the Cyber Security and Technology Crime Bureau (CSTCB). The CSTCB is an official watchdog in the fight against cybercrime. Wong suspects that criminals identify email addresses of business executives on social media accounts, like Facebook, Twitter or LinkedIn.

"You put your email on it. Criminals find it. That's how it works," Wong told the guests at CLOUDSEC conference.

The two malign cyber threats mean double trouble for Hong Kong. Police statistics bear that out. The tally of financial losses due to computer crime in the city amounted to about HK$1.83 billion in 2015. That represented a 52 percent increase from the HK$1.2 billion reported in 2014.

"The losses (caused by cybercrime) outweigh any other single crime category in Hong Kong," confirmed Wong. "The figure for 2016 isn't out yet, but I can tell you that the figure is not getting lower."

Ill-prepared local businesses

Over the past two years, HKCERT has attempted to alert the community to the dangers of ransomware. It has held press conferences and mounted public seminars. Despite that, the number of incidents has been growing, reaching two peaks in March and in May, when the city was beset by attacks from the ransomware viruses, Locky in March and CryptXXX in May.

Michael Lai, senior security sales engineer of Rapid7, a global data security company based in Boston, said in a phone interview to China Daily that public awareness of cyber risks in Hong Kong is relatively underdeveloped when compared to other modern metropolises.

Local large enterprises conduct vulnerability scans largely on a sporadic basis - to identify weak points in their systems capable of being exploited by cyber criminals. They seldom adopt these scans into regular, better-guarded infrastructural practice, Lai added. "Many local companies aren't squaring up to cyber threats. When there's damning evidence that cyber hazards have been pervasive, most still turn their backs on it."

In the past six months, small and medium-sized enterprises (SMEs), with limited resources and manpower, have proven most vulnerable. HKCERT's records showed SMEs were the most frequent victims paying ransom to recover data from cyber attacks, Leung confirmed.

Among them, ransomware had taken a heavy toll on the retail and trading sectors. It's natural for users from these sectors, who handle invoices daily, to be less suspicious of attachments in anonymous emails that may contain malicious code, Leung explained.

Knowing isn't enough

The existence of computer threats has become common knowledge. That does not mean, however, that people are taking the steps necessary to protect their businesses from cyber attacks.

A recent cyber security survey released by Trend Micro found that fewer than one in 10 companies in the Asia Pacific region thoroughly grasps how cyber attacks are carried out. Around 50 percent of surveyed companies had failed to install any security awareness programs. In conclusion, the company declared that data security awareness among Asian enterprises was still dangerously undeveloped.

Technical security tools are able to circumvent some threats lurking online but not all of them, said Patrick Ho, principal consultant of Maximus, a corporate-wide information security management firm. "After all, the real crux lies on the alertness of staff."

The way business email scams have played out echoes Ho's remarks.

Among email schemes reported to the police, inspector Dicky Wong said, attackers could cash in on the failure of employees to read fabricated email addresses correctly. Frequently the address would have a single character added or deleted.

Worthwhile investment

Having seen that local SMEs have no surplus capital to invest in web security, HKCERT launched the SME Free Web Security Health Check Pilot Scheme last March. The program offers free vulnerability scanning of websites, as well as remediation advice for 35 participating companies. The first round of scanning revealed that 76 percent of website vulnerabilities identified were classified as "severe".

Leung said most participants have found the scheme useful. Employees, however, are still stuck in the mire of not knowing what to do when a crisis occurs. "Even after the vulnerabilities are identified, some participants confess they have insufficient resources to rectify problems."

On average, the elemental data security measures, including installing anti-spam email filtering software and web proxy to block access to malicious websites, might cost a small company around HK$100,000 a year. This, Leung said, could consume a "significant" portion of an SME's annual revenue.

Data security measure shouldn't be viewed as trivial, however. The cost might be significant but it's not a waste, said Michael Lai. He recommends enterprises set employees' awareness training high on their business agenda. Undercover security drills should be carried out two or three times a year. These entail efforts by ethical hackers sending out fictitious ransomware or phishing emails that test employees' alertness. Lai argued it's a better solution for employers than learning "the hard way".

As e-commerce evolves and expands, traders and their customers will be exposed to a wider range of cyber risks. The information technology research company Gartner predicted that by 2020, 60 percent of digital businesses will experience major service breakdowns as a result of poor management of cyber risks.

"Cyber threats work like an epidemic. When one wave fades, a new wave will surface," Leung called on the public always to be wary of rambunctious cyber perils. "The success of cyber attacks isn't a fluke. The attackers are computer whizzes, prying into people's lives and implementing well-researched shakedowns."

To develop a good practice, Leung suggested an enterprise should make offline backup of computer files and update system software to sew patches into known flaws and to block employees from opening malicious webpages regularly.

It has always been an aphorism across the cyber security industry, which is what inspector Wong described as worth spreading: "Always assume you've been hacked, unless you can prove you haven't."

Contact the writer at

honeytsang@chinadailyhk.com

(HK Edition 09/27/2016 page8)