Victorian government on alert over social engineering campaign

Public servants warned after a series of calls appeared to lay the groundwork for a targeted phishing campaign

Victorian government employees have been warned about what is believed to be a phone-based social engineering campaign targeting the state’s public sector, possibly ahead of a phishing campaign designed to collect employee credentials.

A spokesperson for the Department of Premier and Cabinet confirmed to Computerworld that a warning had been issued after a “small number of staff from some government departments” late last week received calls.

“The callers asked staff to confirm their name and workplace contact details,” the spokesperson said. “Staff deemed the calls to be suspicious and did not provide any information to the callers.”

Call recipients are understood to have been told that they would receive an email.

The Herald Sun in late December revealed that an unknown third party had downloaded the work details of “tens of thousands” of state government employees. The breach involved the Victorian government directory, the paper said, and was reported to the police.

The breach was believed to have involved the compromise of an employee’s email account, the Herald Sun reported.

“There is no information to suggest a direct connection between these phone calls and the recent unauthorised access to a partial copy of the Victorian government employee directory,” the DPC spokesperson told Computerworld.

DPC said after the calls it had provided security advice to government departments and agencies and “reminded staff to remain vigilant when it comes to unsolicited communications, including phone calls and phishing emails.”

“We have also notified the Australian Cyber Security Centre,” the DPC spokesperson said.

“Scammers have long used social engineering to win trust by posing as a legitimate business or person as the technique generally has a very high success rate,” Ian Yip, chief technology officer, Asia Pacific, at security vendor McAfee told Computerworld.

“The result is that victims could accidentally infect their or their organisation’s machine, or share personal, company and financial information.”

“The financial costs of such attacks are significant,” Yip added.

“The Australian Taxation Office revealed that 25,000 reports were made in December alone and 222 taxpayers lost more than $540,000 to scammers in December, bringing the total volume of reported tax-related scam losses to $2.8 million for 2018.”

Yip said that McAfee research revealed 900,000 new phishing URLs were detected in Q3 of 2018, which the CTO said was a significant increase from Q2.

“To mitigate against these kinds of attack methods, organisations must be vigilant in educating employees on the key markers of deception and how to take steps to confirm the validity of the communication,” Yip said.

“For instance, such advice might include never responding directly to a request for sensitive or private information, even if it appears to come from a trusted source. It is usually a good idea to message, email, or call the sender directly from one’s saved contact details, or speak to them in person to confirm their request.”

Victoria in late 2017 appointed its first whole-of-government chief information security officer (CISO) as part of an effort to boost cyber security across the public sector.

John O’Driscoll, formerly senior manager, information and technology risk, at ANZ, was tapped to be the state’s first CISO, with the role sitting within DPC.

The creation of O’Driscoll’s role was part of the state’s cyber security strategy, launched in August 2017, which envisages a more coordinated cross-government approach to information security.

The strategy argued government at all levels was facing increasing security threats.

“While our approach to date has worked to some extent, Victorian Auditor-General reports and departmental in-house testing regularly uncover vulnerabilities that must be addressed,” the strategy said. “The time for an agency-by-agency (only) approach has passed. We need to address these risks strategically, and where it makes sense, holistically.”

Last year the state government pledged $17.6 million over four years to help implement the strategy.

“Funding will be provided to implement the Government’s cyber security strategy to improve detection and prevention capabilities, and responses to cyber-attacks on Victorian Government IT systems,” a budget document outlining the funding stated.

“This funding will ensure we have the strong cyber security capabilities we need to protect the delivery of public services across the whole of the government,” the document said.