NetSafe warns New Zealand charity websites are being targeted by credit card fraudsters

NetSafe is warning New Zealand charities taking online donations to be on the alert after receiving two reports this week of cyber criminals launching automated attacks that attempt to validate large numbers of stolen credit cards.

In the first incident, almost 50,000 attempts were made to rapidly submit fake donations through a website form, with the aim of testing which credit cards could be used for subsequent online fraud or sold on to other internet scammers.

More than 2000 successful donations were made resulting in the charity having to enlist the help of their bank and merchant account provider to refund the fraudulent payments. They also spent time dealing with enquiries from cardholders around the world questioning the transactions.

A second incident yesterday saw another charity website hit with 11,000 payment requests resulting in more than 250 donations to their bank account.

In both cases, the automated attacks had been launched from a Brazilian IP address and NetSafe is encouraging charities and other small businesses that take payments online to take steps to secure their websites and contact their bank or payment provider about ways to prevent online fraud.

Online fraud a global problem

“Credit card fraud is an ongoing issue for any organisation that takes payments over the internet,” said NetSafe’s Digital Project Manager Chris Hails.

“The American security company PhishLabs warned that charity websites were being targeted by cyber criminals to validate stolen cards in November last year[1] and they believe that these smaller organisations have fewer internet defenses in place than larger retailers and are thus an easy target.”

“Being the target of such an attack can mean hours of staff time cleaning up afterwards and could potentially cost your organisation money or find you blocked from taking future donations online,” said Hails.

The warning comes just a week after New Zealand’s Banking Ombudsman predicted that complaints to her office about scams would increase in 2015[2]. Auckland-based NetSafe recorded more than 8000 incidents in 2014 including a wide range of cyber security issues ranging from phishing attempts to ransomware.

Protect your business online

NetSafe offers the following advice for charities and website owners:

  • Talk to your bank or merchant provider about how their payment systems can be used to protect against online fraud
    Enquire about options for monitoring payments and blocking such large scale automated attacks. If you can, consider using third party card verification services from Visa and MasterCard to add a second layer of protection.
  • Talk to your website developer, IT staff or a security specialist about ways to protect your site and any payment forms you host
    Using SSL to encrypt information submitted is essential so that forms operate at an https:// address. Discuss testing your systems for signs of common vulnerabilities and your options for fixing them.
  • Use a CAPTCHA on your web form or require an account be created
    Technical solutions like these can potentially slow down automated software ‘bots’ that are designed to validate card numbers in quick succession.
  • Limit transaction volumes or website sessions by IP address or pre-screen payments from high risk countries if you are seeing fraudulent attempts to donate
    Many New Zealand charities may only wish to accept donations from Kiwis using credit cards issued by NZ banks. Ask if you can filter payments by Bank Identification Number (BIN) to prevent overseas cards being accepted.
  • Consider monitoring traffic volumes to your website
    Talk with your website host about establishing an alert service so that you’re aware if you receive a sudden unexpected spike in visitors.
  • Investigate using a specialist online fraud management service
    Sift Science offer an online service to assess transactions before handing them on to your merchant provider and may be an additional way to reduce fake donations.
  • Weigh up the benefits of outsourcing your online donation process
    Explore options from third parties with secure systems and dedicated resources to manage fraud such as PayPal or Givealittle. allows NZ charities and schools to register for a free fundraising page.

“Monitoring any payments received is an important way to detect fraud on your website. Be on the lookout for a series of small donations for odd values or random amounts. Real people tend to donate whole dollars – $20 rather than $4.73,” said Hails.
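One way to apply the advice above on limiting volumes by IP address, filtering by BIN and watching for odd-value donations, as an added example rather than NetSafe's own code: it reviews donation attempts for per-IP velocity, many cards from one address, small non-whole-dollar amounts and a high decline rate, with a BIN allow-list as a pre-screen. The thresholds, field names, BIN prefixes and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed thresholds for illustration; tune them against your own donation traffic.
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_IP = 5        # attempts allowed from one IP inside WINDOW
MAX_CARDS_PER_IP = 3           # distinct cards allowed from one IP inside WINDOW
SMALL_AMOUNT = Decimal("10.00")
MIN_ODD_AMOUNTS = 3            # small non-whole-dollar donations before flagging
# Placeholder BIN prefixes (constructed); ask your bank for the real list.
ALLOWED_BINS = {"400000", "510000"}


def bin_allowed(card_bin):
    """Pre-screen: accept only cards whose first six digits are on the allow-list."""
    return card_bin in ALLOWED_BINS


def is_odd_amount(amount):
    """True for small, non-whole-dollar values ($4.73 rather than $20)."""
    return amount < SMALL_AMOUNT and amount != amount.to_integral_value()


def review_attempts(attempts):
    """Return {ip: sorted reasons} for IPs whose attempts look like card testing.

    Each attempt is a dict with: time, ip, bin, card_ref (a token, never the
    card number), amount (Decimal) and approved (bool).
    """
    by_ip = defaultdict(list)
    for attempt in sorted(attempts, key=lambda a: a["time"]):
        by_ip[attempt["ip"]].append(attempt)

    findings = {}
    for ip, rows in by_ip.items():
        reasons = set()
        start = 0
        for end, row in enumerate(rows):
            # Slide the window so it only covers the last WINDOW of activity.
            while row["time"] - rows[start]["time"] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            if len(window) > MAX_ATTEMPTS_PER_IP:
                reasons.add("velocity")
            if len({r["card_ref"] for r in window}) > MAX_CARDS_PER_IP:
                reasons.add("many_cards")
        if sum(is_odd_amount(r["amount"]) for r in rows) >= MIN_ODD_AMOUNTS:
            reasons.add("odd_amounts")
        declined = sum(not r["approved"] for r in rows)
        if len(rows) >= MAX_ATTEMPTS_PER_IP and declined * 2 >= len(rows):
            reasons.add("high_decline_rate")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


def sample_attempts():
    """Constructed records: one scripted source and two ordinary donors."""
    t0 = datetime(2015, 1, 20, 9, 0, 0)
    odd = ["4.73", "1.07", "2.91", "3.33", "6.12", "0.99", "7.45", "5.18"]
    rows = [
        {"time": t0 + timedelta(seconds=15 * i), "ip": "203.0.113.7",
         "bin": "499999", "card_ref": f"tok-{i}", "amount": Decimal(value),
         "approved": i % 4 == 0}
        for i, value in enumerate(odd)
    ]
    rows.append({"time": t0 + timedelta(minutes=3), "ip": "198.51.100.20",
                 "bin": "400000", "card_ref": "tok-a", "amount": Decimal("20.00"),
                 "approved": True})
    for day, value in enumerate(["50.00", "25.00"]):
        rows.append({"time": t0 + timedelta(days=day), "ip": "192.0.2.5",
                     "bin": "510000", "card_ref": "tok-b", "amount": Decimal(value),
                     "approved": True})
    return rows


if __name__ == "__main__":
    for ip, reasons in review_attempts(sample_attempts()).items():
        print(ip, ", ".join(reasons))
```

Run it over an export of recent payment attempts; flagged addresses are candidates for throttling or a CAPTCHA challenge, and the decline and velocity signals are worth raising with your bank or merchant provider.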

If your website has been targeted by credit card fraudsters speak with your bank or merchant provider. You can also contact NetSafe via their freephone telephone number 0508 NETSAFE or report an incident online at


[1] Cybercriminals abuse charities to verify stolen credit card data

[2] Scam-related bank complaints on the up: Banking Ombudsman

2014: An online year reviewed at NetSafe HQ

Christmas 2014 is rapidly approaching and that means it’s time for us to review the year almost gone and identify the (anonymous) visitor trends and traffic patterns to our three most popular websites again.

Unsurprisingly – and perhaps somewhat depressingly – many of the common concerns from 2012 and 2013 are still making the top ten charts at NetSafe this year: ransomware, phishing attacks and compromised email and social networking accounts still make it to the top of the most visited pages on, Security Central and our blog.

2014 in numbers

We’ll publish a more in-depth, full year review in early 2015 but looking at data for the year to date, more than 230,000 people have visited these three websites so far this year.

We’ve also logged almost 8000 incidents via all our communication channels and recorded close to $7.5m lost by Kiwis to a wide range of digital challenges across the realms of cyber safety, cyber security and cyber crime.

Read on for an insight into NetSafe visitor trends for 2014:

Just over 200,000 people visited the main NetSafe website during 2014 from an amazing 215 countries, states and territories. As the mobile internet revolution roars on, 1 in 3 visitors were using a mobile or tablet device to access our online content. We plan to release a new NetSafe site on Safer Internet Day 2015 (10 February) to make the mobile experience more fulfilling and hope to source funding to revisit some of our older resources next year too.

Talking of mobiles, interest in parental controls for phones being used by young people remains strong. Concerns about fake profiles on Facebook moved up 4 spots suggesting use of the social network remains strong (despite new challengers) and as a result, the bad guys continue to develop ways to exploit trusted network connections.

The most obvious new entry to the NetSafe top ten is interest in securing Mac and iOS devices – the Californian company has seen some major media stories this year around iCloud hacks and other security concerns and with the company’s products selling well this makes these operating systems a more high profile target.

NetSafe’s Top Ten Website Pages for 2014:

  1. How can I put parental controls on my child’s mobile phone?
  2. Can I download music and videos from YouTube? Am I breaking copyright law?
  3. Facebook: reporting fake and imposter profiles
  4. Cyberbullying: advice for young people, parents and teachers
  5. How can I complain about
  6. The Copyright (Infringing File Sharing) Amendment Act: What schools should know
  7. How do I protect my Apple Mac or iOS devices?
  8. How can I security check my computer?
  9. What does anti-virus and anti-spyware software do?
  10. Help! My email account has been hacked

Visitor technology explored

Our anonymous statistics service helps identify what browsers and operating systems visitors are using offering us an important insight into current tech being used by consumers.

Overall, Windows powered PCs remain the computer of choice for NetSafe visitors. But challengers including iOS, Android, Macintosh and even Linux are now making up 42% of market share.

What computer operating system do NetSafe visitors use?

  1. Windows – 55%
  2. iOS – 16%
  3. Android – 13%
  4. Macintosh – 10%
  5. Linux – 3%

It was reassuring to see that 87% of Windows users were running a supported version of Microsoft’s operating system. Encouraging the remaining one in ten to make the jump to a newer OS will be a challenge for 2015.

  1. Windows 7 – 68%
  2. Windows 8.1 – 12%
  3. Windows XP – 10%
  4. Windows 8 – 7%
  5. Windows Vista – 3%

Drilling down into the data shows some different numbers for New Zealanders when it comes to their operating system of choice.

What computer operating system do Kiwi NetSafe visitors use?

  1. Windows – 63% (55% globally)
  2. iOS – 12% (16% globally)
  3. Macintosh – 12% (10% globally)
  4. Android – 7% (13% globally)
  5. Linux – 5% (3% globally)

Interestingly, Chrome OS is the system of choice for 1% of Kiwis, perhaps reflecting the use of Chromebooks in NZ schools.

When it comes to web browser use, the duopoly days of the 90s browser wars are long gone and Google’s Chrome takes a large chunk of the pie:

  1. Chrome – 40%
  2. Safari – 20%
  3. Internet Explorer – 18%
  4. Firefox – 12%
  5. Android Browser – 6%

Internet Explorer use has declined over the years but we still counted 100+ stalwarts using the ancient IE6 browser. Support for IE8 will continue until early 2016 but we’d still encourage all web users to improve their computer security by upgrading to a modern browser in this age of drive by downloads and malicious malvertising.

Security Central Top Ten

Visits to our computer security site continued to focus on the ongoing threats around ransomware, and Adobe Flash and Reader vulnerabilities. Our cyber security advice will be migrating to the main NetSafe site in 2015.

  1. Dealing with CryptoLocker ransomware
  2. How to check and update Adobe Flash
  3. Dealing with ransomware
  4. Dealing with ransomware and remote access hacking
  5. How to check and update Adobe Reader
  6. An Introduction to Cybersecurity
  7. Phishing, social engineering and online scams
  8. NetSafe Computer Security Checklist
  9. Reporting cybercrime in New Zealand
  10. Phishing and social engineering

The NetSafe Blog Top Ten

.nz websites continue to be cloned and 2014 saw some nasty employment scams enacted against both job seekers and Kiwi businesses. And again, advice for securing Mac devices made it into the charts:

  1. Help my website has been cloned – Bad robot! Defeating website scrapers
  2. Is Jenny Wilson from Reclaim Expert calling you?
  3. How to spot a suspicious email attachment
  4. I’m the king of the castle, get down you dirty rascal – Defence in Depth explained
  5. Anti-Child Porn Ransomware hits New Zealand businesses
  6. Don’t want your iPhone or iPad ‘hacked’? Why unique passwords are so important for online security
  7. Scamwatch reports bring total losses reported to NetSafe’s Orb website to $4.4m in third year of operation
  8. Phishing, smishing and how a casual click can deliver a nasty surprise
  9. Smartphones and public wi-fi ‘Evil Twin’ attacks
  10. Going Phishing: how to spot a fake banking website

The NetSafe office and telephone helpline will be closed between 24 December and 12 January but we will continue to triage reports made to our cyber incident site over this period. Stay safe and secure in 2015 and enjoy the Christmas break.

Kiwis, what floats your digital boat?

I was lucky enough to spend some time in Sydney this week attending a Google for Non Profits training day and catching up with a range of cyber safety organisations in Australia who are looking to take advantage of a whole host of Google tools to help their organisations tackle digital challenges affecting a wide range of audiences.

In between coping with the muggy Australian weather (an impressive lightning storm shut Sydney airport briefly last night) and taking in the beautiful surroundings of Darling Harbour, I couldn’t help but be amazed by the resources the Californian company is making  available for non-profits.

NetSafe has been lucky enough to receive a Google AdWords grant that will seriously improve the way we market our educational services to New Zealanders in 2015. We already have pretty good organic search engine optimisation and some highly ranked pages on popular online issues, but a monthly grant of $10,000 to spend on Pay Per Click advertising couldn’t have come at a more exciting time as we refine our content marketing strategy for the next twelve months.

I’ve used the PPC AdWords system for several years and am qualified to boot. Revising our website and the content within to cover new and evolving cyber safety, cyber security and cyber crime topics to assist New Zealanders is going to be a priority for 2015.

NetSafe’s Communications Survey

Over the last few weeks we’ve been asking Kiwis to review how NetSafe communicates and the responses to date have been interesting. If you want to take the brief survey, it’s not too late to respond.

Although the total number of responses to date have been small when compared with the volume of people we speak with each year, the results have been positive – more than 4 out of 5 of those taking the survey have taken action to improve their online safety and security based on NetSafe email newsletters, Facebook posts and tweets.

When we asked what issues Kiwis are interested in keeping up to date with, the graph below shows the response to the limited range of choices we originally suggested. We didn’t even touch on emerging threats such as the spying dangers of wearable technology:

One survey taker said: “IT is such an integral part of our lives that it benefits all of us to stay ahead of the game.”

What were the top five topics?

  1. Computer security
  2. Online scams and fraud
  3. Online safety
  4. Microsoft Windows
  5. Malware

I’d somewhat assumed that specific topics such as BYOD and Android would rise to the top, especially when so many of us are now using mobile devices to connect online. It turns out there are still plenty of NZ PC users wanting up to date advice and guidance.

What areas are you interested in when it comes to tech challenges? Take the brief NetSafe survey and give us your feedback.

Meet the NetSafe Team: Stephen Denniston

Stephen Denniston is almost at the end of a three year degree course studying cybersecurity at Unitec in Auckland and will graduate in 2015 with a qualification that will increasingly be in demand by both New Zealand and overseas employers. As part of his course he is studying operating system vulnerabilities and malicious software designed to infiltrate networks and devices.

He joined NetSafe in October on a part time basis to work in our contact centre team. NetSafe handles an average of 700 incident reports each month submitted by home internet users and small businesses alike. The non-profit records upwards of $500,000 lost each month to online scams and fraud and cyber security threats ranging from phishing emails to ransomware.

Stephen tells us about his experience to date and offers his opinions on the digital challenges that affect so many New Zealanders:

  1. Why did you want to study cybersecurity?

It is a completely, utterly, fascinating field. In effect I get to break down computer systems, the hardware, the software and the network communications into their smallest parts. Dissect each seeing how they work and fit together in the system as a whole, look for gaps where vulnerabilities may exist and speculate on ways in which they may be used.

It’s like Lego with electrons.

But that’s only part of the equation, people are the oft forgotten computer component, not to gloss over the complexity of computers. But I challenge you to find a computer that doesn’t need a human to interact with it in some way, people are an important component in the computer systems feedback loop.

This is where social engineering comes into play, with the view to leverage people’s instincts to gain advantage counter to their beliefs or expectations. No matter how secure or how much money you spend on a system’s security, response teams, penetration testers, red-teams, if the users aren’t aware of the implications of their actions, it only takes a single USB stick, a single unfiltered link, a single attachment and it all comes crumbling down.

  2. Which areas of study are you particularly interested in?

Malware analysis for the insight it gives into the minds of the malware authors, the tactics and ideology of their pursuit. These guys are the foundation that the deep-web black-markets are built on and around.

Although malware is largely aimed and involved in financial crime, when an Advanced Persistent Threat (APT) comes along, the insights gleaned off of nation states is of the highest interest and typically yields new or unknown zero-day vulnerabilities as well as new coding and obfuscation patterns.

Although these things tend to be in an evolving pattern themselves, it piques my interest to see what or if government funding can have an impact on the nature of malware. As the turnaround from reverse engineering the APT wares to seeing them used by non-APT entities (deep-web black-market types) is shrinking at a rate something akin to Moore’s Law.

Social engineering for my interest in people and understanding what makes them tick, although we are all individuals with our own hopes and dreams. We all fall into patterns of behaviour and as with any pattern, if observed for long enough weaknesses can be exploited for malicious purposes. The taken for granted fact about all the internet enabled devices we carry with us, without thought, is the ease of which we can be observed but take minimal or non-existent measures to mitigate or prevent.

  3. Do you have a background in computing?

I’ve had a long held interest in computer security, cryptography, social engineering and malware. In one of my part time jobs I worked as a technician/diagnostician and system builder.

Having studied computers one way or another at various levels, I initially started studying with the intent of being a programmer, as I found networking too easy and less dynamic, but found my interest in operating systems a larger pull.

I ended up playing with Linux and the various distributions and flavours that it comes in. Which in turn led me into security as this is the middle ground between hardware, software and networking and human intent which allows me to push and test my knowledge. The best way of learning how something works, is to break it apart and put it back together.

  4. What previous work experience or life skills do you think add to what you study at Unitec?

I have a background in customer service from the retail sector mainly through part time jobs working while studying. I tried my hand at sales, and have limited exposure to marketing in that I ran a research project for a client into bottled water, created surveys and ran focus groups.

Which all feeds into my interest in social-engineering. But also puts me in a unique position in that I understand computers and am not afraid to communicate about them. When giving a presentation or talk with a group I’m the one who ends up doing all the talking, switching between fine technical detail and sounding like a sales pitch for the fountain of youth.

  5. Do friends and family expect you to be able to fix their printer?

I worked previously in a hardware diagnostic role so I get that lot, their Wi-Fi, the internet, the printer, you name it.

When I login to their router without looking up the password (admin:admin) to fix the Wi-Fi, instantly I’m labelled a hacker and quizzed on my hacker knowledge and if the neighbour can do the same to the house phone.

95% of the time I’m turning it off then on again. The 5% of the time that doesn’t work then I become interested. Friends and family are split into two groups, techies and non-techies. If a techie has a problem it’s either really interesting or endlessly frustrating. Else if a non-techie has a problem it’s usually down to neglect and their computer is about to die (or has already died).

  6. What kind of work would you like to do once you graduate?

Penetration tester. To me this sounds like an endlessly evolving, challenging role where you’re paid to hack, what’s not to love.

  7. What have been your first impressions of working at NetSafe?

Gob-smacked. The variety and quality of the work created by such a small team to encapsulate the breadth of the country is astounding.

But also a growing awareness of a triple disconnect:

  • a disconnect between legislation and malicious users – what can be done to punish/pursue online criminals, particularly across state lines.
  • a disconnect between the public and malicious users – a lack of awareness of how criminals operate and how to protect the legitimate users from the malicious users (hackers/scammers), and;
  • a disconnect between legislation and the public - what protections can, should and do the public expect from their protectors.

  8. After talking with people on the phone and answering a wide variety of email queries and ORB reports what would be your ‘top tips’ for Kiwis wanting to protect themselves online?

  • Keep your anti-virus updated and scheduled to run when you’re not using the computer (i.e. when you’re asleep).
  • Keep your computer updated, allow it to download and install updates automatically, it’s not worth having an unpatched system connected to the net.
  • Get street smart, keep up to date on how hackers and scammers operate.
  • Don’t run your PC in administrator mode, create a separate user in user mode and use that day to day.
  • Change any default passwords, especially ones for administrator, such as those found on routers.
  • Macs aren’t safe anymore, treat them like a PC and install an anti-virus software.
  • Don’t click on unknown links. Especially from email. Especially when you’re not expecting them.
  • Don’t open attachments you’re not expecting (or disable JavaScript in Adobe Acrobat if you’re intent on opening them)
  • Install a browser extension that disables JavaScript on all sites except the ones you choose [NetSafe suggests NoScript for Firefox users].
  • Install a browser extension that blocks advertisements as this is a popular way of distributing malware [NetSafe suggests Adblock Plus or Disconnect].

Meet the NetSafe team: Jesse Greenslade

NetSafe staff have between them more than 30 years’ experience of internet safety and security issues. Jesse Greenslade is the latest full time member of staff, joining us back in June 2014 as Office Manager.

Jesse has worked for six years in the education and health sectors and is tasked with everything from day to day admin and finance to managing NetSafe’s member relationships and investigating new funding sources.

He was recently awarded an AMP Regional Scholarship to go towards the funding of his debut children’s book titled ‘First Week Blues’ which looks at the impact of bullying on young people. Learn more about Jesse’s story and pre-order your own copy at

- – - – - – - – - – -

How has the impact of bullying affected your own life?

If we go back for a minute and look at the “social norm” society puts on young people in New Zealand and around the world it creates an image of what one must be.

When I was at school, and even more so now, society gives the impression that boys should like sports, PlayStation, Xbox. They must be tough on the inside and out. Girls should like dolls and playing netball etc. When children age and become teenagers they begin to drink and go to parties. These are all stereotypes that society puts on young people. Because I did not fit within the “social norm” I was ostracised from my peer group – I was bullied because I was different. One of the main impacts bullying had on me was my self-confidence, because people questioned my appearance and who I was.

At 25, you’re the youngest member of the NetSafe team – was cyberbullying an issue for you at school?

Cyberbullying did not have a huge impact on me at school. I didn’t have Facebook until I was seventeen and I wasn’t bullied via text messages. I think it is harder for young people now because unlike me I had an escape from bullying when I was at home. I had a break, now young people are getting bullied in the privacy and comfort of their own home. They have no escape.

What inspired you to write First Week Blues? And what has been the response to date?

The idea of writing First Week Blues came from wanting to help young children, to teach them strategies to cope to give them inspiration that they can get through it.

Everyone can relate to Blue, at some stage in our lives we have felt vulnerable or excluded in one way or another. The response has been great, the book has been reviewed by Chief Human Rights Commissioner David Rutherford which I never thought would happen. I have support from other organisations in New Zealand that deal with children who are different and who don’t fit in with the social norm.

Hairy MacLary, the Gruffalo or the Cat in the Hat. What’s your favourite storybook character?

I loved Hairy MacLary. Hairy MacLary had a group of friends who all came from a different walk of life. It goes to show that no matter how small or big you might be you can be accepted into a friendship group.

What would you say to a young person experiencing bullying today?

To all the young people out there who have been bullied or are being bullied, you are not alone.

Stand strong and fight for what you know is right. You are not alone and you will get through this, be proud of who you are.

What you are experiencing is only temporary. Talking to someone and being honest about what is going on can change the situation you are in. And to the bullies, next time you judge someone or stick a label on that person think about their situation and about what you are about to say or do. Your next action could have an impact on their life forever. Some scars do not heal.

Young people reading this who have had a hard time at school with bullying or who may be fighting with depression need to push on. Asking for help or talking about your feelings is the best thing you can do for yourself. Don’t respond to the bully; it only ignites the ammunition.

What made you want to work at NetSafe?

NetSafe is an organisation that supports people dealing with digital challenges. What drove me more to NetSafe as an organisation is its work with young people who are getting bullied online. I have a passion and desire to help young people like me who have been bullied and working for an organisation like NetSafe enables me to do that.

What have been your first impressions of the work we do?

The work NetSafe does is amazing; it offers a listening ear as well as support and guidance to help people get through what they are experiencing. NetSafe is an amazing team and I am proud of working with such an excellent organisation.

What would be your ‘top tips’ for Kiwis wanting to protect themselves online?

  • Never give out your password to anyone even if you trust them.
  • Before you post something online ask yourself would I be happy for this post or image to be shared around the world? You never know who might share it.
  • If you are adding someone on Facebook only add them if you know them.
  • Always have a strong password and ensure it is something nobody can guess.
