AFP’s bust of Malaysian cyber crooks points to the challenges of online security

If you live in Australia, the odds are very good that you’ve had a dodgy MyGov SMS message land on your phone recently. These things are like digital cockroaches, and while serious efforts are underway to try to minimise the impact of SMS scams on individuals and businesses, they’re still seriously plentiful.

One quick scam-spotting tip: If your MyGov message contains any kind of URL to click on, it’s 100% always and automatically a scam. Frankly, if it doesn’t sound like it was written by a bored Canberran bean counter, it’s also probably a scam, because the real ones mostly just take the form of telling you that you have a new MyGov message to read, full stop, no URL at all. The great Australian novel it is not.

Still, while the real things are dull, the fake ones are proliferating at a frightening rate.

How do I know this? Not because I’m about to whip off my false disguise, Scooby-Doo style, and reveal myself as a hidden MyGov scam mastermind, but because of the details that have emerged around the Australian Federal Police’s recent bust – in coordination with the Royal Malaysian Police and the FBI – of a scam operation that sought to hoodwink Australian MyGov users.

MyGov, if you’re reading this from outside Australia, is the Federal Government’s primary portal for providing services to Australian citizens, including the direct gateway to the Australian Taxation Office. It’s not strictly mandatory to have a MyGov account, but not having one removes a lot of your ability to use an array of government services digitally – and in this day and age who really wants to spend time in drab government offices filling out paper forms?

According to the AFP, the Malaysian group was advertising that it was selling phishing kits targeting MyGov, along with hosting space that was claimed to be “bulletproof”. In shock news coming from a group of criminals, that clearly wasn’t so, given they’ve been busted.

The bust included the seizure of four servers which allegedly contained more than 60TB of data. That’s not a small degree of criminal activity any way you count it, especially when you consider the small data size of user credentials that the group would have been seeking to acquire.

“Cybercriminals will use any tools and tricks to exploit people for their own profit – in this case, it is mimicking trusted government websites,” the AFP’s Acting Detective Superintendent Darryl Parrish said.

“The AFP is committed to working with our valued law enforcement partners to track down cybercriminals and bring them to justice, regardless of where they are in the world. This case highlights how vital it is for law enforcement agencies to share intelligence and resources globally, as crime is borderless.”

You’re not the Federal Government – so why does this matter?

There’s no question here that Australians, individually and as businesses, are better off with these kinds of scams shut down wherever they can be. While its figures are necessarily limited – because not everyone comes forward or, in some cases, even realises they’ve been scammed – ScamWatch’s statistics suggest that Australians have lost at least $429 million this calendar year to date to scams – and even the most optimistic view of under-reporting would have to tip the scales somewhere north of half a billion in reality.

Even if you’re not personally impacted by a scam per se, that’s half a billion bucks not floating around the economy that could be headed to your business. Probably not all at once, but it’s a significant quantity with considerable potential economic impact.

More widely, it points to how the online cybersecurity space is evolving. At one time, you were more likely to read headlines about criminal groups running the scams getting busted, but we’re now in a world where it’s a quite viable business simply being the middle man selling the software to enable others to run the scams. If you’re a small business and especially a sole trader, the impact of having your MyGov account compromised or cancelled due to this kind of scam-in-a-box business could be entirely devastating.

However, it does also point out one of the biggest challenges facing anyone considering the security of their businesses in the online space. If all you do is sell buggy whips to the farmer who lives down the road, then you only need to concern yourself with whether his coins are real or not.

But once you’re selling buggy whips online from London to Lahore, the game changes considerably – as do the risks and the challenges, even for the authorities who try to limit the impact of international crime syndicates like this one. While MyGov is a big, tasty target, it’s also one that can rather more easily call on the services of the AFP to investigate and shut down attacks. For smaller operations, while it’s feasible to report cyber criminal activity, your own resources are going to be significantly more constrained.

Alex Kidman

Alex Kidman is an award-winning Freelance Journalist, based in Australia. In a career spanning more than 25 years, he's been an editor at CNET, Gizmodo, Finder, PC Mag Australia and APCMag. He's the co-host of Vertical Hold: Behind The Tech News, a podcast breaking down the big tech stories of the week.
