NCSC cyber defence scheme blocked thousands of scams in 2019
The UK’s National Cyber Security Centre (NCSC) has reported more success in protecting UK citizens and organisations from online harms via its flagship Active Cyber Defence (ACD) programme as the initiative enters its fourth year.
The ACD programme is designed to protect UK internet users from “the majority of harm caused by the majority of cyber attacks the majority of the time”. The third annual ACD report covers the calendar year 2019, so does not yet reckon with the impact of the Covid-19 pandemic on the UK’s cyber security posture.
It covers a number of core services including protective domain name services (PDNS), web and mail checks, host-based capability (HBC), logging made easy (LME) vulnerability disclosures, Exercise-in-a-Box, and the NCSC Takedown Service. It also oversees the wildly popular suspicious email reporting service (Sers), although as this was only launched in 2020, it is outside the scope of the most recent report.
Among some of the highlights drawn from 2019, the NCSC said its takedown activities resulted in a “significant reduction in ‘badness’ on the internet” even as malicious actors continued to adapt their attacks, while other parts of the scheme continued to gather valuable data on email security, and how to coach organisations through Dmarc implementation.
During the course of 2019, its Takedown Service, which is run by Netcraft, removed 217,172 malicious URLs, up approximately 25,000 on 2018. This was distributed across 21,111 IP addresses in 2019, down slightly from 24,320 in 2018 – possibly the result of infrastructure used to conduct attacks being harder to acquire, although this remains an unproven hypothesis.
A total of 17,399 of the campaigns busted in 2019 used UK government branding in some way, mostly phishing URLs, but also phishing URL mail servers, malware attachment mail servers, and advance-fee fraud – aka 419 – scams, many of which related to fake Brexit investment opportunities.
Note that the NCSC takes a wide view of government branding, so the data include brands that may not necessarily identify themselves as government linked, such as TV Licensing, which was the most imitated brand in the statistics, the BBC, and even the National Lottery, which is spoofed extensively by advance-fee fraud scammers.
Interestingly, attacks spoofing HMRC – usually the government domain abused the most by cyber criminals and fraudsters – dropped way down in 2019, which is largely due to the department’s implementation of anti-spoofing controls, Dmarc protection, and a laser focus on protecting itself.
Other notable takedowns included almost 1,400 credit card skimmers, 861 hosted in the UK, and many of them related to unpatched versions of the Magento ecommerce platform; and attacks on an online business that provides personalised English and Scottish Premiership football shirts. Takedowns of cryptominers bottomed out in 2019, probably thanks to the disruption of the Coinhive service in March of that year.
Elsewhere, ACD’s protective domain name system (PDNS) programme, which fights malicious activity targeting the public sector with the support of Nominet, increased the number of protected public sector employees from 1.4 million to 2.2 million in 2019, handling 142 billion queries, more than double the number in 2018, as many as 43,726 per second at peak times.
It blocked 80 million queries to 175,000 unique domains, 25 million of them related to algorithmically generated domains or AGDs, 16 million to botnet command and control (C2) infrastructure, 14,000 for indicators related to exploit kits, and 3,200 for ransomware.
The most frequently seen malwares in its rogues gallery in 2019 included Emotet, Necurs, Kraken, Sphinx, Neutrino, Cerber, CryptoLocker, GandCrab, WannaCry, NotPetya, BadRabbit, Ramnit, Tiny Banker and Conficker.
As of 31 December 2019, the PDNS service was in use at 35 out of 45 central government departments, up from 24 at the end of 2018, while 102 local government bodies, as well as some shared services suppliers, signed up, meaning PDNS now covers 65% of local government organisations, up from 40% in 2018. Particularly strong engagement was seen in the devolved administrations in Northern Ireland, Scotland and Wales.
The report can be downloaded to read in full via the NCSC’s website, and the organisation is inviting further analysis and feedback from stakeholders, security experts, and the general public.