Cybercriminals are using fake QR codes or sophisticated artificial intelligence scams to trick Australians into giving up their private details or downloading dangerous files, the nation’s signals intelligence agency has warned, as fraudsters take advantage of the technology’s popularity.
The Australian Signals Directorate also sounded the alarm on the “shifting tactics” of state-sponsored hackers and cybercriminals, who they said are burrowing into computer systems of businesses and other organisations and then sitting quietly to avoid detection until they choose to strike.
“State-sponsored cyber operations increase as geostrategic tensions change, while cybercriminals and hacktivists also … remain an ongoing and persistent threat,” the ASD director general, Abigail Bradshaw, said.
ASD released its annual cyber threat report on Tuesday, drawing attention to trends in hacking, cybercrime and security issues. The agency received 87,000 reports of cybercrime over the 2023-24 financial year, responding to 1,100 incidents. The defence minister, Richard Marles, whose portfolio has responsibility over ASD, said the number of reports was similar to the previous year, but that the impact and costs of cybercrime were increasing, with the average cost of cybercrime for small businesses rising to nearly $50,000 for each report, and to $30,700 for individual reports.
“This is our fastest-growing threat and we need to use all the tools available to government and business to confront it,” said the cybersecurity minister, Tony Burke.
The ASD report said critical infrastructure such as electricity, gas, water and transport was targeted in 11% of cybersecurity incidents, including systems being compromised by intruders, malware infections, and denial of service attacks.
The report called Australian critical infrastructure an “attractive target”, giving anonymised examples of hospital and water infrastructure targeted by criminals including through ransomware for extortion, manipulation of water systems and data theft.
Bradshaw warned of a trend in “living off the land” strategies, where criminals enter a private system, blend in with its normal activities, and use its own administration tools to achieve their goals, rather than using “traditional” disruptions. In February, ASD joined partners in the United States and around the world in criticising China-sponsored criminals who had gained and maintained access to American critical infrastructure, amid claims some hacker groups were “pre-positioning” for potential future attacks.
“The 2023-24 report highlights an evolution in cyber threats aimed at Australia’s most critical networks and the shifting tactics of both state-sponsored cyber actors and cybercriminals to target these networks,” Bradshaw said.
The report also highlighted criminals employing widely used technology like AI and QR codes to scam victims. ASD warned criminals could use AI to quickly create content for phishing or scam emails, or for more sophisticated operations like deepfake videos or audio clips.
ASD pointed to one example of a “vishing” – video phishing – scam where a company employee was invited to a video conference call where all other participants in the call were AI-generated deepfakes. The employee, after recognising colleagues’ faces on the call, was convinced to transfer millions of dollars from the company accounts.
“All attendees at the conference call, except the employee, were deepfake recreations,” ASD said.
Another form of scam, “quishing” – or QR code phishing – operates in a similar way to well-known email scams with malicious links, instead convincing users to scan a QR code. The technology, widely used for restaurant menus or quickly accessing information in the public domain, is being exploited by criminals to trick users into giving away their personal information or downloading malicious files. ASD called it “the unseen threat” for QR code technology.
The agency’s example was of a faked email from the Australian Tax Office, purporting to be a legitimate security alert and recommending the recipient use the QR code in the email to update their details. The code led to a fake login page for the MyGov government services website.
Bradshaw said in the current “cyber threat environment”, all technology users needed to stay aware of emerging risks: “cybersecurity is everyone’s responsibility”.