Security firm Lookout has published a report detailing the current state of phishing email attacks targeting smartphones. Many of the campaigns witnessed by researchers have the specific aim of infiltrating company networks. According to the report, such attacks rose by over a third (37%) between October 2019 and March 2020. Traditionally, phishing predominantly affected laptops and desktops, but the increased need for employees to work remotely has led attackers to target mobile devices as well. Attackers are not content to target one platform or the other: both Android and iOS devices have been actively targeted in recent campaigns.
The targeting of smartphones is fiendish for several reasons. The first, alluded to above, is the increased reliance on smartphones for work purposes. The other is that a phishing mail is harder to spot on a mobile device, mainly because the small screen forces much of the information to be condensed or hidden so that only the main message is displayed. On a PC more information is readily displayed, such as URLs, link previews, and sender email addresses. These are key indicators that something is not quite right and that the email may indeed be a malicious attempt to phish credentials. On a mobile device it is easier to hide those details, and consequently easier to fall for the bait.
In an interview with ZDNet, Hank Schless, senior manager of security solutions at Lookout, reiterated this point, stating:
“It's difficult to spot red flags that we normally detect on a laptop or PC on such a small mobile screen... Since we can't preview links, see full URLs in mobile browsers, and quickly tap anything that comes our way, malicious actors are investing their time and energy into making these campaigns undetectable to the untrained eye.”
The abuse of smaller, less informative screens does not end with the email. In these campaigns, attackers created fake login pages for cloud platforms relied upon by enterprises, such as Office 365. These pages look strikingly similar to the genuine login pages, making it far easier to fall for the trap set by the attackers. Once login details are entered on a fake page they are sent to command and control servers run by the attackers, and the captured credentials can then be used in an effort to compromise enterprise networks. It is not only business accounts that have been targeted in the recent campaigns but personal accounts as well, with the aim of stealing login details, banking information, and other personal data.
One such campaign witnessed by researchers saw customers of a major Canadian bank targeted by an attacker who sent a mass text message to thousands of people asking them to log in to their account, directing them to pages that looked almost identical to the real thing. As with numerous other campaigns, attackers are leveraging the COVID-19 pandemic as a lure. It is also important to note that mobile phishing doesn't always use email; it can use SMS, instant messaging, and social media platforms to steal credentials and information.
When this is combined with supposed information pertaining to a pandemic, the victim list is likely to grow. As the lines between a personal device and a work device get blurrier, this trend can be expected to continue and increase. It will be further buoyed by the number of large corporations that will keep employees working remotely even once government restrictions have been lifted.
Defending against mobile phishing campaigns can be extremely difficult, given that attackers have the option of using multiple platforms and it is harder to detect manually whether a message is a phishing attempt or not. In a blog post, Schless suggests several defensive measures:
“One way to protect your organization is to educate your employees on how mobile phishing is different and why mobile phishing attacks are successful. One of the fundamental differences between mobile devices and personal computers is that they are inherently more trusted by their users. Mobile devices sit at the intersection of their owners’ personal and professional identity, especially while working remotely. The other aspect that makes mobile phishing dangerous is that there are many more ways to deliver a malicious link outside of email – such as SMS, social media, messaging platforms, and even dating apps. Also, with a smaller screen and simplified user interface, it’s very difficult to spot a malicious link on a mobile device.”
In February 2020, Lookout published another report detailing a mobile-only phishing campaign targeting users of mobile banking apps, mainly in North America. The report details how nearly 4,000 people fell victim to an off-the-shelf phishing campaign. This campaign serves as an illustration of how effective and potentially damaging such a campaign can be to a victim. In this instance, the campaign relied on SMS messages as the delivery method. This is fiendish in the sense that many of us rely on SMS messages sent by our bank to keep tabs on our accounts; by using messages supposedly from the bank, attackers make us more likely to fall for the lure.
Devil in the Details
The campaign was uncovered by the firm's AI geared towards detecting phishing campaigns. The initial spread was via SMS messages, but as with other mobile campaigns these would redirect victims to fake login pages of the respective banks. Banks targeted included Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase. Not only did the campaign target users of some of the largest banks in North America, it also utilized an SMS toolkit that allowed the attacker to create custom messages, better employing social engineering techniques to get the victim to hand over their credentials.
Once redirected to the fake login pages, the victim would then be directed to further pages asking the kind of security questions one would expect from a bank. These included questions confirming their identity and requesting their bank card's expiration date or their account number. In total, over 200 pages were used by attackers throughout the campaign. From data compiled by researchers, it looked as if the campaign had been active since 2019 and had ended by the time the report was published. Researchers concluded:
“Customers of banks targeted by phishing campaigns are at risk of having their banking credentials stolen, which could lead to serious financial loss. However, spotting phishing attacks on mobile devices can be much more difficult than on a laptop or desktop computer. The features, functionality, and even the screen size of today’s mobile devices make it harder for a person to determine what is real versus what is fake.”
The phishing campaign detailed above and the recent spike in similar campaigns pose several threats to anyone using a smartphone. Researchers pointed out how hard these campaigns are to spot, let alone act on as one might do when a spam email is received on a PC. Such campaigns also pose another threat in that they can easily be conducted by malware-as-a-service operators leasing out malware to capture the information, as well as botnets to do the sending of messages. This significantly lowers the barrier to entry for conducting a successful campaign: all that is required is a malicious actor with the funds to pay a hacker to run it. Given the potential profit from compromising the right victim with a healthy bank account, the initial funds might not be hard to come by if past campaigns were a success.
With regards to the mobile-only campaign that targeted the users of specific banks' mobile banking apps, while the phishing message may be harder to spot, there are some best practices to adopt when using online banking. It is recommended to always go to the app itself or the bank's official page rather than following a link appended to an SMS, email, or instant message. Secondly, URLs and email addresses should be thoroughly checked wherever possible. Lastly, enable two-factor authentication where possible. This could be the last line of defense that keeps a threat actor from accessing your hard-earned money. With phishing campaigns and many other cyber attacks, the devil is in the details people are likely to miss.
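As an added illustration of the URL check recommended above (this is example code, not Lookout's or the article's), here is a small Python scanner that pulls URLs out of an SMS or email body and flags the tricks a narrow mobile screen tends to hide: a trusted name placed in the userinfo part before an `@`, or embedded inside someone else's domain. The allowlist and sample messages are constructed; `examplebank.ca` stands in for a real bank's official domain, while `login.microsoftonline.com` is the genuine Office 365 sign-in host.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of the exact hosts a user expects to sign in to.
TRUSTED_HOSTS = {"login.microsoftonline.com", "examplebank.ca", "www.examplebank.ca"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a host; adequate for the .com/.ca style names used here."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


# Brand labels ("examplebank", "microsoftonline") that lures tend to embed.
TRUSTED_DOMAINS = {registrable_domain(h) for h in TRUSTED_HOSTS}
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def classify_url(url: str) -> str:
    """Return 'trusted' or a short reason the URL looks like a phishing lure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unparseable"
    # https://examplebank.ca@198.51.100.7/ shows the bank's name first on a
    # narrow screen, but the browser connects to whatever follows the '@'.
    if parts.username is not None:
        return f"userinfo trick: real host is {host}"
    if host in TRUSTED_HOSTS:
        return "trusted"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return f"unlisted subdomain of a trusted domain: {host}"
    # Trusted brand inside someone else's domain, e.g. examplebank.ca.secure-verify.example
    if any(brand in host for brand in BRANDS):
        return f"lookalike of a trusted brand: {host}"
    return "untrusted host"


def scan_message(text: str) -> list:
    """Extract every URL from an SMS/email body and classify each one."""
    urls = [u.rstrip(".,);") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]


# Constructed sample lures in the style the report describes (not real data).
SAMPLE_MESSAGES = [
    "ExampleBank: your card is locked. Verify now at https://examplebank.ca.secure-verify.example/login",
    "Please confirm your account: https://examplebank.ca@198.51.100.7/confirm",
    "Your Office 365 session expired, sign in: https://login.micros0ftonline.com/",
    "Sign in at https://login.microsoftonline.com/ to read the shared document.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:55} {url}")
```

Homoglyph substitutions such as `micros0ftonline` are not recognised as lookalikes by this check; they simply fall through as untrusted, which is why an exact allowlist rather than brand matching should decide what is safe.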