According to a widely accepted estimate, cybercrime costs the world economy the sum of US $ 500 billion, more than the GDP of South Africa (350.6 billion dollars) and slightly less than that of Nigeria ( 521.8 billion dollars), the continent’s largest economy.
The latter pays a heavy price to the scourge: according to estimates, cybercrime costs the Nigerian economy the sum of US $ 500 million per annum.
According to the United Nations, cybercrime covers any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them.
It goes without saying that the phenomenon goes far beyond the common scams perpetrated through emails – the famous Nigerian “419” scam.
Alongside this form of crime are a host of other illegal activities using ultra-sophisticated means.
In this article, we will endeavor to present a range of different forms of cyber crime, their characteristics and scope, as well as available related data.
According to Microsoft’s Digital Crimes Unit (DCU), “there are nearly 400 million victims of cyber crime each year. And cyber crime costs consumers 113 billion dollars a year. India, followed by Pakistan, Egypt, Brazil, Algeria, and Mexico, have the largest number of infected machines involving malware developed outside Eastern Europe”. (13)
A high cost
According to Microsoft’s estimate, in 2014 about one half of all adults connected to the Internet were victims of cybercrime. This costs the world economy 500 billion dollars; 20% of all small and medium-sized enterprises (SMEs) have been hit.
These estimations are confirmed by Merrill Lynch Global Research, who, in a 2015 report, also predict a potential “Cybergeddon” in 2020, when cybercrime could extract up to one-fifth of the value generated by the Internet.
As far as the African continent is concerned, there are fewer available data – this shows the absence of measuring tools and of control of cybercrime.
However, and to serve as an illustration: a study conducted by International Data Group Connect showed that each year, cybercrime cost the South African economy an estimated 573 million dollars. For the Nigerian economy the cost was estimated to be 500 million dollars, and for the Kenyan economy, 36 million dollars (14).
Proportionally speaking, for middle income countries this represents enormous sums.
Another study conducted by Deloitte and dating back to 2011 showed that financial institutions in Kenya, Rwanda, Uganda, Tanzania, and Zambia had sustained losses of 245 million dollars, attributable to cyberfraud. (15)
Lastly, several Zambian commercial banks were defrauded of over 4 million dollars in the first semester of 2013, as a result of a complex cybercrime scheme involving Zambians as well as foreign nationals.(16)
In francophone Africa, the phenomenon is mostly to be found in the main regional economies. For instance, in 2013 the estimated cost of cybercrime in the Ivory Coast was 26 billion CFA Francs (3.8 million euros). In Senegal the cost was estimated to be 15 billion CFA francs (22 million euros).
At an international forum on cybercrime in 2016 in Dakar, Charles Kouamé, in charge of governance in the Ivorian Authority for the regulation of telecommunications, pointed out that 1.409 complaints had been lodged and acted on by the Ivorian courts last year. According to him, the global volume of Web based fraud in the country seems to have started to decrease, falling from 5.8 billion CFA francs (8.9 million euros) in 2014 to 4 billion CFA francs (6,1 billion euros) in 2015.
These figures show the size of the problem in a part of the world which is currently experiencing exponential growth, fed by the rise in the prices of raw materials and the boom in the technological sector, to which one could add the rise in the incomes of the middle classes. Even if they can’t buy the usual computer “kit” (PCs, printers, routers etc) they can now connect to the Internet with smart phones, the prices of these devices having dropped significantly in the last ten years.
This explains why, in 2013, in Sub-Saharan Africa alone 311 million mobile phone users were counted (a penetration rate of 36 %). The figure should reach 504 million in 2020 (49% penetration rate). (17)
For its part, the International Telecommunications Union (ITU) estimates that one African out of every five now uses the Internet. (18)
The high ratio of Internet connection is unfortunately accompanied by a high rate of software piracy.
Since there are obvious links between software piracy and cybercrime, the main method used by cybercriminals is still to use infected machines, fed by the proliferation of pirated software.
In 2013 a study by the IDC (International Data Corporation), The dangerous world of counterfeit and pirated software commissioned by Microsoft estimated that 33% of all software in the world was counterfeit and estimated that on the global scale the phenomenon cost 114 billion dollars.
In Africa, the twelve countries with the most infected IT infrastructure are: Libya (98%), Zimbabwe (92%), Algeria (84%), Cameroon (83%), Nigeria (82%), Ivory Coast (81%), Kenya (78%), Senegal (78%), Tunisia (74%), Morocco (66%) and Mauritius (57%). (19)
An earlier study by BSA in 2011 estimated that the proportion of pirated software in the whole of Africa and the Middle East was of 58%.
In the Kenyan market alone, Microsoft estimates the proportion of pirated software to be 78% with a commercial value of 12 billion kenyan shillings (about 120 million dollars).
Most of this software ends up on African markets because of the high cost of buying the original versions.
In most francophone countries, “new” computers are on offer in two possible options: “free dos” (without an operating system) or, in most cases, an option with pirated operating systems.
It goes without saying that the counterfeit programmes are subject to modifications in their codes, with the introduction of lines of malicious code and Trojans that expose most machines to the activities of cybercrime networks.
The net result is that the African continent has become a nest of cybercriminals of all kinds. For instance, those who specialise in the “419” scam, named after article 419 in Nigerian criminal law that penalises fraud and specifies the fines and other penalties for this sort of crime. Other criminals operate on a larger scale, using sophisticated crime networks.
Indeed, according to a new 2015 estimate by international software security group Kaspersky, three African countries are among the world Top 20 countries with the highest ratio of computers infected by malware. They are: Somalia (6th), Algeria (14th) and Rwanda (16th). (20)
In another report, Kaspersky states that more than 49 million cyberattacks took place in the continent during the first three months of 2014, most of them in Algeria, Egypt, South Africa, and Kenya.
Another company specialising in software security, Norton, estimates that 70% of South Africans have been hit by cybercrime (compared to a world average of 50%).
McAfee is another firm in the same line of business. It calculated that cybercrime had cost South African companies more than 500 million dollars in 2014.
All these figures show how widely exposed African countries are to cybercrime, compared to other economies.
Another notable fact is that Internet connectivity and mobile telephones offer unprecedented possibilities for spreading and sharing data.
Mobile money threats
In its annual Security Bulletin 2015 giving overall statistics for that year, the Kaspersky group points at a new trend: for the first time mobile finial threats are among the 10 main malware programmes written with a view to stealing money. Two families of mobile banking Trojans – Faketoken and Marcher – were among the 10 top banking Trojans for 2015. Another notable and alarming trend for that year was the rapid spread of ransomware. In 2015 Kaspersky detected programmes of this sort in 200 countries and territories.
Africa, with the rapid growth of its mobile banking sector, is particularly vulnerable to this sort of evolution.
Revenues from mobile telephony now represent 3,7 % of GDP on the African continent – a ratio three times higher than in developed economies.
“Cybercrime accounts for losses of 1 billion Rand (about 64 billion dollars) for South Africa every year.”
In this context, cybercrime is growing.
Data on the subject are somewhat scattered, but the main target on the African continent is very probably South Africa, because of its high connectivity rate, its wealth, and its GDP per head. According to the 2014 report of the Center for Strategic and International Studies on cybercrime (NET LOSSES: ESTIMATING THE GLOBAL COST OF CYBERCRIME), South Africa loses 0,14% of its GDP because of cybercrime. (21)
According to the South African Banking Risk Information Centre (Sabric) cybercrime accounts for losses for the country of 1 billion Rand (about 64 billion dollars) every year. Almost half of these losses are due to debit card fraud.
These figures are confirmed by the Internet Crime Report 2014, published by the FBI. The classification of cybercrime cases according to the countries of origin of complainants mentions three African countries among the 50 most affected: they are South Arica in the 11th place (434 complaints), Nigeria (24th place, with 215 complaints) and Egypt (45th, 95 complaints). When the cases are classed according to the damages caused,South-African complainants are, there again, in first position with 6.5 million dollars lost; followed by Nigeria (2,9 million dollars) and Egypt (523.000 dollars). (22)
On the other hand, in the Ivory Coast (a francophone country) the Direction de l’informatique et des traces technologiques (or DITT), an agency set up to fight cybercrime, estimates that in 2014 and 2015 cybercrimes such as “romance scams” and the theft of email accounts and data were becoming less numerous. But others were gaining ground, such as money transfer scams (up by 207,7 %) and mobile phone payments fraud (un 74,4%).
The emergence of these crimes linked to transactions by phone is made easier by the widespread use of new payments by mobile (or cellular) phones. A peak can be observed in the number of cases observed during the school holidays, between the months of July and September. According to the DITT, this is due to the high number of cybercriminals who are still at school or university.
In the Ivory Coast, simbox fraud has cost almost 926 million CFA francs in 2014. This technique allows the fraudsters to bypass the normal channels for international telecommunications which are then treated as local calls. This causes enormous losses for telecom companies.
In Kenya, the three methods most frequently used by the cybercriminals in 2012 were keylogging software (spyware), password theft, and ATM piracy. But in 2015 the main methods were: ransomware (malware that blocks access to personal data, holding the data hostage), also the manipulation of database transactions, and social engineering (a way of acquiring information, and a form of fraud, used to obtain a product or a service under false pretences).
The profile of the virtual delinquents has also changed.
The ”Kenya cyber security report 2015″ points out that in 2012, cybercriminals were opportunists by nature, or computer enthusiasts seeking to impress, but that they’ve now become hardened professionals, whose attacks have very specific aims.
In Senegal, very little data is available, but the most significant case is the one involving Jonijoni, the money transfer site, that was hacked into for several hours last January.
The hackers, who said they were Senegalese, wanted to draw attention to the matter of security. The address led to a black page that had a text by the two perpetrators. They said, among other things, that “computer security is, alas, neglected in our beloved country. Here we are again to remind you of the importance of this security. Oh, and: his time, we’ll spare your data”.
An investigation in Kenya in 2015 showed that fewer than 5% of organisations who were asked about what measures they’d taken said they’d equipped themselves with tools to administer the security of their databases. Over 73% of the people who’d been victims of cybercrime had not lodged a complaint, and in that number 13% didn’t know to whom they should report those attacks. Still according to the ”Kenya cyber security report 2015”, the public sector faces the highest threat to cyber security, followed by the banking sector and financial services (including electronic money). This is explained by “the continued automation, centralisation of systems, limited investment in computers security”, as well as a lack of “defined processes” shared by all.
South African media in 2015 revealed that hackers, with accomplices in the civil service, had tried four times to lift 24 million dollars from the coffers of the Ugandan central bank, by targeting the accounts of the ministries with the largest shares of the national budget.
More recently, the group known as Anonymous said they’d launched a cyberattack and appropriated a terabyte of data from the Kenyan Foreign Ministry, in order to “denounce the corruption of the powerful in this country, both in the public and private sectors”.
The Kenyan authorities seek to understate or minimise the gravity of the leak, believing there are no sensitive documents among the lifted data. But the incident illustrates one more facet of the risks that cybercrime represents for Kenya and all the other African countries.
Even once a legal framework has been put in place, the fight against cybercrime comes up against other difficulties.
In the Ivory Coast, the laboratory of digital forensics, whose job is to accompany the police in their duties, finds cooperation with the telephone companies far from easy.
In 2015 those operators answered fewer than 50% of the demands made by the police for information or data about mobile phone numbers. Many of these requests are treated only partially. Or sometimes, for a single request, results are given only about certain numbers. Even in the case of requests that are answered satisfactorily, the answers are often very long in coming and only arrive at a time when they are no longer useful to investigators.
Mobile: opportunity and threats
The mobile telephone sector is expanding rapidly in Africa, a trend that can be seen by the popularity of vocal communications but also of the exchange of data on the continent.
The latest figures published by GSMA are as follows:
Unique mobile subscribers
2013 : 564 million (penetration ratio: 65%)
2020: 947 million (penetration ratio: 91 %)
2013: 564 million (penetration: 65%)
2020: 947 million (penetration: 91%)
It’s estimated that 3G connections will continue to increase, from 15% in 2013 to 52 % in 2020
(72 million smartphones in 2013, forecast : 525 million in 2020 )
Jobs directly provided by the mobile ecosystem
2013: 2,4 million
2020: 3.5 million
(3.7 million jobs, linked indirectly, created in 2013)
(Data provided by GSM Africa)
Concerning the dangers of cybercrime in that sector, homogeneous statistics for the whole continent are hard to come by. But on a world scale, Kaspersky sees an increasing threat:
– Kaspersky Lab detected 884,774 new malware programmes. This means a threefold increase on 2014 (285,539)
– The number of new banking trojans has decreased, reaching a stable level of 7.030 (16,586 in A014).
– 94,344 unique users were victims of mobile ransomware attacks. This figure is five times higher than in 2014 ( when it was 18,478). (23)
These figures show an imminent threat to the African continent, where the growth of the mobile phone sector is the highest in the world.
Cyberterrorism in Africa
African cyberterrorists don’t have the same powerful means at their disposal as their opposite numbers elsewhere in the world, but they are harmful nonetheless.
These last few years, a few terrorist groups have started to make their presence felt on a supranational level.
Anonymous is a generic denomination that covers several international groups that have no unified command structure. These groups are active on the Internet defending causes relating to (among others) justice, politics, and religion.
They are well-known because of their DDoS (Distributed Denial of Service) attacks, by which they paralyse whole websites, by flooding their servers with concerted attacks that overwhelm them.
They can sometimes be recognised in public, because they wear Guy Fawkes masks.
They made an impression with a series of large scale operations, for instance against the current system for protecting author’s rights in the online distribution of works of an artistic nature. They have also supported the WikiLeaks website, and the Occupy Wall Street movement.
Members of Anonymous, known as Anons, also became famous for launching attacks against government agencies in the United States, Israel, Senegal, Tunisia, Uganda, etc.
In Senegal, the group drew attention to itself by spectacular targeted attacks.
In 2015, for instance, Anonymous Senegal attacked the sites of the State Information Technology Agency (ADIE) and of the Ministry of Livestock and Animal Production.
These attacks were seen as a response after the banning in Senegal of an issue of the magazine Charlie Hebdo that featured cartoon images of the Prophet Muhammad.
Under the hash tag #OpChalieHebdo , the authors of the attacks gave explicit reasons for their operation:
“So, you banned Charlie Hebdo’s front page cartoon? … Bad call”.
They used a simple technique known as website defacement.
This consists of replacing the home page of a website by another page, usually with a black background, with messages in red letters describing the aims of the operation.
Technically, in PHP language, all that is needed is a simple replacement of lines of code in the index.php page, which contains the technical instructions for redirecting the user to the Home page of a website. The modification will give the impression that someone has taken control of a site or, at the very least, of its Home page. A swift technical intervention to restore the original index.php is enough to restore the site.
A loose collection of activist (or “hacktivist”) groups claims the name Anonymous. They have created multiple accounts on social networks to exchange information and expertise on hacking techniques. But to date no spectacular action can be attributed to them. (24)
The hacker Yunus Incredibl made a name for himself in 2014, by taking on six Senegalese government sites with domain names ending in the suffix .gouv.sn.
These were the sites of the Foreign ministry, the ministry of the Interior, the Journal Official (the official government publication listing new legislation etc)., the Ministry of Sports, and the Délégation générale à la protection sociale et à la solidarité nationale (DGPSSN), the agency responsible for social protection and aid.
A subsequent investigation indicated that the hacker was based in Algeria and had clearly wanted nothing more than to show his computer skills.
In a more general way, Internet groups of African militants are slowly beginning to organise to defend various causes ranging from the fight against corruption to violations of children’s rights.
In a press statement published last January, a number of these small groups had announced that they were launching an operation they called #OpAfrica, to draw the attention of the international community to failings in governance. Their aim was to do this by a series of spectacular actions.
A first list of targets had been drawn up, in the following countries:
Rwanda, Uganda, South Africa, Zimbabwe, Tanzania, Ethiopia, Sudan, and South Sudan.
It has to be noted that although their political aims may be “noble”, these groups are still, from a legal point of view, criminal organisations, insofar as they fit the description by conducting unauthorised intrusions into computer networks.
The Mauritania attacker
This is an active member of the “Anonghost” group which took part in the massive defacement of French Internet websites in 2015.
Moreover, Boko Haram used the Internet for a long time to challenge former Nigerian president Goodluck Jonathan, by posting their claims in videos. But the group uses the Internet mainly for recruitment and propaganda, because up to now Boko Haram hasn’t really had the means to act directly on the Web.
And African cyberterrorists use their own channels of communication such as the TOR network, which makes it possible to anonymise connections, but also video games chatrooms that allow them to converse freely, without any surveillance.
The United Nations Conference on Trade and Development (UNCTAD) warns that cybercriminals are increasingly targeting developing countries, first and foremost because the relevant legislation in those countries isn’t enforced as strictly as it should be. The number of countries who have adopted cyber legislation is increasing fast, but over 30 countries, most of them in Africa and Oceania, still have no specific legislation of this kind (source: 2015 report on the Information Economy).
The most important Pan-African legal document is the Convention of the African Union on cybersecurity and the protection of personal data, adopted in June 2014.