Security firm Lookout has released a report which shows an alarming increase in the rate at which users are receiving and clicking on phishing URLs on their mobile devices. The firm witnessed an average rate of 85% per year increase since 2011. What is perhaps more worrying is that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.
The security company set out with the aim of analyzing the mobile phishing threat landscape, the company found that attackers are successfully circumventing existing phishing protections to target the mobile devices. This circumvention of existing protections allows the attacker to expose sensitive data and personal information relatively easily. With over 66% of emails first opened on a mobile device and email arguably the first point of attack for a phishing campaign, unprotected emails on a mobile device are becoming the chosen attack vector for many such campaigns.
The report also looks to dispel certain myths regarding mobile security. One of these myths pertains to how corporations treat mobile phones. Corporations will spend a lot of time, effort, and money deploying firewalls, secure email gateways, endpoint anti-virus, and user education to prevent employees from receiving or being tricked by phishing messages. Such methods have proven to be effective in securing corporately owned hardware such as laptops. However, mobile devices are generally deemed to be personal devices, thus not deemed to be worth such measures. An employee often uses the same smartphone for work that is used to pay for lunch, send personal emails, take family photos, check social media, review customer records, get directions to meetings, and skim financial reports. Gaming apps, dating apps, and messaging apps sit next to document readers, corporate email, file-sharing apps, and other apps that contain your company’s most important data. The personal device now provides a target attackers cannot ignore.
Unfortunately, such attacks are not proof of concept attacks. Such attacks have been seen in the wild. Two such attacks are Dark Caracal which targeted Android devices and Pegasus which targeted Apple devices. Dark Caracal uses phishing messages through WhatsApp and Facebook to lure victims into clicking malicious links and downloading Android malware. The Android malware, called Pallas, then begins scanning the victim’s device and collecting huge amounts of data. Dark Caracal targets include governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors. The types of exfiltrated data are extensive, including documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
The Pegasus surveillance-ware often referred to as spyware, received worldwide attention because of its severity. The operators distributing Pegasus sent victims a phishing message via SMS. If the victim clicked, it set off a chain of silent events, leading to one of the most sophisticated iOS device compromise attacksLookout has seen. Similarly, once on the device, Pegasus monitored all the activity on the device and collected significant amounts of sensitive data. The spyware’s documentation also explains that the malicious website used for the spyware’s installation communicates with a Pegasus Installation Server located on the operator’s premises. When the victim visits the website, a request is forwarded to the server, which determines whether the device can be exploited and sends the appropriate exploit chain for specific purposes, to attempt infection. If the infection fails, the victim is redirected to a legitimate website, to avoid raising suspicion.
Prevention is always better than Cure
From the above examples, it is easy to see why taking mobile security seriously can be of the utmost importance to both corporations and individuals. While software exists to help prevent such mobile phishing campaigns from being successful, there are more than a few extra steps that can be taken to prevent becoming a victim. F-Secure recommends that you should always check the URL of a website before clicking it. This is because it is very easy to replicate the look of a website but difficult to copy the legitimate site’s URL. The next bit of advice pertains to keeping important banking details secure on your device. Be sure you are on a legitimate website and only use one card for online purchases, this will limit the potential damage done if infected.
The above tips can easily be adopted by the individual, but what can corporations do? Corporations and SMEs need to know what your employees are doing, proper security awareness training is vital, and user behavior analytics can be very effective in determining where the company is susceptible to attack before it happens. Even when companies are confident about their level of security thanks to multi-factor authentication, that confidence is often misplaced. Attackers can throw up a fake log-in page to get the target’s credentials and use them to access the official site. When prompted for two-step verification, where they’re expected to enter a code sent via SMS or app on the target’s phone, they simply replicate the two-step verification process and present the user with it and then copy over the results the same way they copied over the original credentials. This further highlights the need for comprehensive security awareness training.
Don’t be fooled
Another important thing to remember is that it is easier to trick individuals into falling for phishing attacks on mobile than it is on a desktop. This is because the features and functionality of mobile devices are open to abuse. For instance, the screen size of today’s mobile devices offers attackers an advantage in phishing. Mobile devices make it harder for a person to determine what is real and fake and operate outside what is traditional corporate security perimeter.