Your Phishing Protection Isn’t Securing Mobile and That’s a Big Problem
No longer are emails the only point of attack in mobile phishing attempts.
A clever SMS phishing attempt has been making the rounds on Twitter. In this real-life scenario, the attacker sends a text message asking a user if they requested a Google password reset for their Gmail, and to reply with “STOP” if they did not. Once the user replies with “STOP,” the attacker sends another message,
“Confirm the 6 digit numerical code to STOP the password reset. Respond with ‘822’ to have the verification code re-sent”
Google uses this form of two-factor authentication to keep attackers out of your account, but this attacker used it to get in — scary, right?
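The exchange above is only recognisable as an attack across two messages: the first primes the victim to reply STOP, the second asks for the one-time code. As an added example (not code from Lookout or this post), the Python below scores a message, and then a whole thread from one sender, against a few weighted indicators; the weights, the threshold and the sample messages are constructed for this illustration.

```python
import re

# Constructed sample SMS thread. The first two messages reproduce the
# exchange quoted above; the last two are benign controls (a genuine
# code-delivery message and an ordinary text).
SAMPLES = [
    "Did you request a Google password reset for your Gmail? Reply STOP if you did not.",
    "Confirm the 6 digit numerical code to STOP the password reset. "
    "Respond with '822' to have the verification code re-sent",
    "Your Google verification code is 482113. Do not share this code with anyone.",
    "Running 10 min late, can you order me a coffee?",
]

# Each indicator is (name, weight, pattern). Weights are assumptions chosen
# for this example; the strongest signal is a message that asks the
# recipient to hand a code back, since a real provider only ever sends one.
INDICATORS = [
    ("solicits_code", 3, re.compile(
        r"\b(confirm|send|reply|respond|forward|provide|tell)\b[^.]{0,40}"
        r"\b(code|pin|otp|passcode)\b", re.I)),
    ("reply_to_stop", 1, re.compile(
        r"\b(reply|respond|text)\b[^.]{0,20}\bstop\b", re.I)),
    ("account_action", 1, re.compile(
        r"\b(password|account|login)\b[^.]{0,20}"
        r"\b(reset|change|locked|suspend\w*)\b", re.I)),
    ("instructed_reply_value", 1, re.compile(
        r"\b(reply|respond|text)\s+with\s+['\"]?\w+['\"]?", re.I)),
]

THREAD_THRESHOLD = 3  # assumption: tune against your own message corpus


def score_message(text):
    """Return (score, [indicator names]) for one message."""
    score, hits = 0, []
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def is_suspicious_thread(messages):
    """Score a whole conversation from one sender. The first message alone
    scores low (a password-reset mention plus a reply-STOP instruction);
    only the pair crosses the threshold."""
    total = sum(score_message(m)[0] for m in messages)
    return total >= THREAD_THRESHOLD


if __name__ == "__main__":
    for m in SAMPLES:
        print(score_message(m), m[:50])
    print("thread suspicious:", is_suspicious_thread(SAMPLES[:2]))
```

Scoring per sender rather than per message is the design choice that matters here: the first text is almost indistinguishable from a real security notice, and a filter that judges each message in isolation would pass it and then have no context when the code request arrives.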
These types of attacks are happening more often, becoming more sophisticated, and are increasingly harder to defend against.
The above is a great example of a phishing attack where the victim is asked to do something directly, such as provide access to an account or wire the attackers a certain amount of money. The only way to defend against that type of attack is through user education — teaching users to verify before they trust. But, most mobile attacks involve socially engineering the user to either click a link or install malware.
In fact, Lookout’s recent report, Mobile Phishing 2018: myths and facts facing every modern enterprise, found that since 2011, the rate at which users are receiving and clicking a mobile phishing URL has increased an average 85 percent year over year.
An 85 percent increase year over year is alarming, and makes you wonder why that is. One reason is that, since mobile devices are now used for work, hackers are no longer targeting mobile devices for just consumer credentials, but also to access corporate ones. Today, everyone has a mobile phone, and whether it was supplied by work or purchased by the individual, it’s almost always used for both personal and work purposes. More often than not, family photos, social networks, customer records, and financial reports are all on the one device. WhatsApp is sitting next to Salesforce and Tinder is right below Concur. This change has opened a new window of opportunity for criminals using sophisticated phishing attacks. Moreover, the well-defined boundaries of traditional network security solutions like firewalls no longer safeguard against phishing attempts on mobile devices because, more often than not, these devices are connected from outside the corporate perimeter.
Mobile phishing attacks are increasing because it’s easier and more profitable for the bad guys to attack a mobile device that has no phishing protection than it is to attack a work PC that does.
Traditional Security Does Not Protect You Against Mobile Phishing Attacks
Legacy security approaches like secure web gateways and next-gen firewalls do not adequately protect your organization from mobile phishing attacks because mobile devices operate outside these protections.
Traditional approaches filter out potential phishing emails and malicious URLs before they hit the email server, which is great for protecting corporate email from phishing attacks. However, since the workforce has both personal and corporate email on their mobile devices, as well as a plethora of different mobile-centric messaging and social media apps, mobile devices connected outside the corporate perimeter are not protected by these perimeter technologies.
If your organization relies on a legacy, perimeter-based security approach, it leaves employees wide open to mobile phishing attacks. With more and more information consumed and communicated through SMS, social media, and other messaging apps, enterprises have a duty to both their employees and customers to take mobile security seriously.
Mobile Phishing: New Avenues of Attack
Enterprises must realize that when it comes to mobile devices, corporate email is not the only, or even the primary, attack vector used in mobile phishing attacks. The more likely avenues of attack are personal email, social networking and other mobile-centric messaging platforms, and SMS/MMS.
While most personal email providers have some level of phishing protections, attackers are finding ways to trick people into clicking on malicious links or downloading malicious apps without them even knowing it. Savvy attackers are targeting personal email accounts to execute corporate phishing attacks because they know the same stringent protections that exist on corporate email are not protecting personal email. Moreover, attackers know that employees check their email — personal or corporate — on their mobile device first. This is especially true for personal accounts as users almost always have personal email on their smartphone but rarely have it on their corporate PC. Therefore, the only way to read personal email at work is on their phone, and since mobile devices have a restricted user experience, users are more vulnerable on mobile email apps.
Phishing attempts that target personal email accounts go something like this:
Your employee, let’s call her Sarah, receives a personal email on her mobile phone from her friend, Melissa, to share photos via a new photo sharing app. Sarah doesn’t think that’s strange, since she and Melissa have shared photos of their kids before via SMS and email, and she knows this app will make sharing a lot easier. So, Sarah clicks on the link and downloads the app. After she downloads it, the app doesn’t seem to work. Sarah, not knowing if she is doing something wrong, leaves the app on her device until she speaks with Melissa. Later that afternoon, Sarah has to make a bank transfer to her family’s shared account so she opens her mobile banking app and enters her credentials.
What Sarah does not realize is that the “photo” app she downloaded was a banking trojan. When she launched her mobile banking app, an overlay spoofed her bank and captured her credentials. Because Sarah has poor security hygiene, these credentials happen to be the same ones she uses for work. So the attackers now have credentials for her bank and, if they try them, for her work accounts as well.
This scenario is similar to what Lookout researchers have observed with the BancaMarStealer banking trojan. Once it is installed on a device and the victim opens a targeted app or visits a website of interest to the attacker, BancaMarStealer lures the victim into unknowingly entering their credentials by displaying legitimate-looking overlays that are carefully designed to imitate the login portal of the victim’s bank or other targeted service.
Social Networking and other Mobile Messaging Apps
Mobile devices and their app stores have introduced a flood of new messaging apps and platforms. Unfortunately all of this innovation has also created a whole new avenue for attackers to exploit.
What if an employee — we’ll call him David — regularly communicates with friends, family, even colleagues via WhatsApp. Sounds harmless to your corporate data, right?
One day, a colleague David normally chats with on WhatsApp — let’s call him Patrick — sends David a message asking him to review a deck for a customer meeting ASAP. David does not think twice before clicking on the link to review it for his colleague. The link takes him to a Google login page, where he naturally enters his credentials because their team uses Google Slides for presentations. Rather than the presentation loading, a blank page pops up and the customer deck is nowhere to be found. But David isn’t worried, he assumes Patrick probably just messed up the link (it wouldn’t be the first time). And by now, the customer meeting is underway so David just returns to his work.
Unfortunately for David, he was just phished and his credentials were stolen. And, because he didn’t even notice it, his company’s security team, which has no visibility into phishing via mobile messaging apps, wasn’t notified.
David is not alone in falling victim to social media phishing attempts. Late last year, there was a Facebook phishing campaign in which the attacker posed as a friend of the victims and lured them into clicking on a YouTube link. Once the link was clicked on a mobile device, it served a page that looked like the Facebook login page, designed to capture their credentials.
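Both the WhatsApp scenario (a link that lands on a “Google login page”) and the Facebook campaign turn on the same thing: the host behind the link carries a brand name but is not that brand’s domain. As an added example (not code from Lookout or this post), the Python below extracts the URLs from a message and classifies each host as legitimate, lookalike, bare IP, punycode or unknown. The brand-to-domain table, the homoglyph map and the sample messages are constructed for this illustration; the hosts use reserved .example names and TEST-NET addresses so none of them resolve.

```python
import re
from urllib.parse import urlparse

# Brand keywords mapped to the registrable domains that legitimately serve
# their login pages. A constructed, deliberately short list for this example;
# a real deployment would carry many more entries.
LEGIT_DOMAINS = {
    "google": ("google.com", "gmail.com"),
    "facebook": ("facebook.com", "fb.com"),
    "amazon": ("amazon.com",),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Digits commonly swapped in for letters in lookalike hostnames (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_match(host, domain):
    """True only if host is the domain itself or a real subdomain of it,
    so 'accounts.google.com.example' does not match 'google.com'."""
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Return (brand or None, verdict) for one hostname."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return None, "bare_ip"
    if host.startswith("xn--") or ".xn--" in host:
        return None, "punycode"
    # Normalise away the two cheapest disguises: hyphens and digit homoglyphs.
    normalised = host.replace("-", "").translate(HOMOGLYPHS)
    for brand, domains in LEGIT_DOMAINS.items():
        if any(registrable_match(host, d) for d in domains):
            return brand, "legitimate"
        if brand in normalised:
            return brand, "lookalike"
    return None, "unknown"


def scan_message(text):
    """Extract every URL in a message and classify its host.
    Returns a list of (url, brand, verdict) tuples."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((url, *classify_host(host)))
    return results


# Constructed messages modelled on the scenarios above.
SAMPLES = [
    "Hey, can you review the deck before the call? "
    "https://accounts.google.com.login-review.example/slides",
    "Final version: https://docs.google.com/presentation/d/constructed-id",
    "Your package: http://192.0.2.10/track",
    "Sign in here https://www.g00gle-accounts.example/signin to continue",
    "Photos from the weekend https://photos.example.org/album/42",
]

if __name__ == "__main__":
    for m in SAMPLES:
        for url, brand, verdict in scan_message(m):
            print(f"{verdict:10} {brand or '-':8} {url}")
```

The check that does the real work is registrable_match: a plain substring test would accept accounts.google.com.login-review.example because it contains google.com, whereas anchoring on the registrable domain rejects it and flags the brand name as a lookalike. On a phone the address bar usually shows only the first few labels of a long host, which is exactly why that pattern works on mobile and why the check belongs in tooling rather than in the user’s eyes.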
Just like with personal email, social messaging applications pose a threat to corporate security.
Lastly, the third avenue that attackers are using to trick employees into falling for a phishing attack is through SMS/MMS. According to an enterprise study conducted by Lookout, over 25% of employees clicked on a link in an SMS message from a phone number spoofed to look like their area.
In this scenario, an employee received a text message alerting them that Amazon’s wildly popular “Treasure Truck” was coming to town. For people who allow notifications from Amazon (for delivery status, etc.), receiving an SMS message from the retailer is not strange. So naturally, they clicked on the link to learn more and, after a brief blank page, were taken to the actual website for Amazon’s Treasure Truck.
In this case, that blank page was not anything malicious, but it simulated an attack where malware is delivered via a link sent by SMS. In fact, this was the attack vector for Pegasus, the most sophisticated mobile Advanced Persistent Threat (mAPT) we’ve seen in the wild, which was capable of jailbreaking an iPhone and installing spyware with just one click, leaving the user none the wiser.
When you see how simple it is to exploit these mobile points of entry, it’s not at all surprising that mobile phishing attacks are increasing. What is surprising is that most enterprises continue to just protect corporate email from phishing attacks. It’s time for enterprises to recognize that phishing attacks have evolved far beyond the corporate email vector and mobile is the door left wide open to their corporate data.
As the chief strategy officer, Aaron is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world.