Report: Growing Mobile Phishing Attacks Threaten Businesses

Accra, Ghana, March 29, 2019//-The Anti-Phishing Working Group, a consortium of security specialists, researchers and law enforcement personnel, has identified mobile phishing as one of the primary attack vectors on mobiles and business across the world.

Mobile phishing remains one of the biggest concerns for security teams. One false click and an employee could take down the corporate network, backend systems, or the entire company.

Hackers can infiltrate networks, spear phish a corporate controller to bilk large amounts of money, or gain access to security credentials, allowing intruders to carry out lateral attacks across an organization, according to the report.

In the report titled ‘How Mobile Phishing Works and What to Do About It’, APWG, the international consortium of security professionals, law enforcement agencies and threat researchers specializing in phishing research and prevention, assesses the latest techniques used by threat actors to attack the smartphones of business users and how to prevent them.

This report by the Anti-Phishing Working Group (APWG.org) identifies numerous phishing threats impacting mobile device users.

It also looks at the unique challenges of defending against mobile threats versus protecting desktop endpoints in enterprise environments.

The report lays out a path and several best practices for protecting mobile devices and users from various types of phishing and spear phishing attacks as well as emerging threat vectors such as voice and SMS.

2018 WAS THE YEAR OF THE PHISH

It is not surprising that one of the most important concerns for security teams is phishing. After all, one false click by an unsuspecting or inadequately trained employee could take down the corporate network, website or backend systems—or the entire company.

Consequences can range from hackers (even on a nation state level) infiltrating networks with Advanced Persistent Threats (APTs) to spear-phishing a corporate controller to steal large amounts of cash to gaining access to security credentials, allowing sophisticated intruders to carry out lateral attacks across an organization. The financial and brand damage of phishing attacks—as well as the risk of legal liability and fines for noncompliance—can be enormous.

For example, the 2018 Ponemon Research Cost of a Data Breach study—the industry’s gold-standard benchmark research—found that the global average cost of a data breach was up 6.4 percent over the previous year to $3.86 million.

THE STATE OF THE PHISHING ART

Phishing is not new. Basically, it is a time-honored form of cybercrime in which threat actors attempt to dupe unwitting recipients of email or other communications into clicking on links or performing other actions in order to infect computer systems, steal confidential information, or achieve other nefarious goals. In fact, phishing is so prevalent and effective that malware now ranks as only the second most dangerous attack vector after phishing, followed by directed hacking against unprotected or misconfigured systems.

ATTACKS ON MOBILE DEVICE USERS

In the era of mobile, phishing has a few new twists, where phishers want recipients to:

• Visit a fake or spoofed website that will install malware on the employee’s mobile device
• Open an attachment that installs malicious code on the employee’s mobile device
• Respond to a fake call or voicemail from bogus sources claiming to be the company’s bank, a legitimate vendor, etc., to gain sensitive information, particularly account credentials

Email Phishing

Email phishing is particularly difficult to protect against on mobile devices, because:

Mobile device screen size prevents URL inspection: Mobile device screens are small, and discerning the true destination of a URL that is emailed to a user is difficult, if not impossible, on a small screen. For example, a URL that is emailed, purporting to be a password reset request from a bank, might look like this:

www.bankname.com.securityupdate.phishingsite.com

When viewed on the small screen of an email client or browser on a mobile device, users will not see the full URL, and will be tricked into believing they are visiting www.bankname.com, when in fact they are visiting a fake website controlled by phishingsite.com.
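The following is an added example, not code from the report, showing how a defender-side check can expose the trick above: it extracts the hostname, derives the registrable domain, and flags a URL whose host merely contains the expected brand domain as a prefix rather than ending in it. The sample URLs are constructed, and the "last two labels" rule for the registrable domain is a simplifying assumption (production code should use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the pattern the report describes.
EXPECTED_DOMAIN = "bankname.com"   # the domain the user believes they are visiting
PHISHING_URL = "http://www.bankname.com.securityupdate.phishingsite.com/reset"
LEGIT_URL = "https://www.bankname.com/reset"


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL; a bare host is treated as http://host."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplified assumption: the registrable domain is the last two labels.
    Real code should consult the Public Suffix List (e.g. for co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def belongs_to(host: str, expected: str) -> bool:
    """True only if host is exactly `expected` or a label-wise subdomain of it."""
    return host == expected or host.endswith("." + expected)


def small_screen_view(url: str, width: int = 24) -> str:
    """Simulate a narrow mobile address bar that shows only the leading characters."""
    host = hostname_of(url)
    return host if len(host) <= width else host[: width - 1] + "…"


def assess(url: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Summarise what the user sees versus where the URL really goes."""
    host = hostname_of(url)
    return {
        "host": host,
        "shown": small_screen_view(url),
        "registrable": registrable_domain(host),
        "matches_expected": belongs_to(host, expected),
        # The deceptive case: the brand appears inside the host but is not its suffix.
        "brand_lookalike": (expected in host) and not belongs_to(host, expected),
    }
```

Running `assess(PHISHING_URL)` reports the registrable domain as phishingsite.com and sets `brand_lookalike`, even though the truncated display begins with www.bankname.com.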

Devices connect to multiple email accounts: Mobile devices are often used for both business and personal use. In fact, with the very nature of today’s broad-based push toward Bring Your Own Device (BYOD) programs, it means enterprises expect employees to use their own device for corporate computing and email.

With these mixed-use devices comes the reality that a mobile device will also connect to multiple email accounts. There will be a business email account, which can benefit from server-side antispam and anti-phishing protection.

But there will be other email accounts used for personal email that will not benefit from the enterprise server-side protections and detection. Consequently, bad actors can easily deliver phishing emails to enterprise users through these alternate email channels, thereby completely evading any kind of enterprise server-side protection.

Because email apps on mobile devices typically are configured and used in a way where all email from all connected accounts are displayed in a single unified inbox, it is unlikely that users will be able to discern to which account a phishing email was sent.

This can make Business Email Compromise (BEC) phishing possible across both personal and corporate accounts.

Email Spear Phishing

2018 saw a rise in targeted phishing attacks that use information gleaned from a variety of sources to convince recipients that bogus communications are legitimate.

These include:

Spear phishing attacks on consumers: These scams use stolen databases of consumer names, phone numbers and accounts to create very targeted and convincing messages. For example, hackers can use a stolen database of credentials from a brand breach—e.g., Equifax or Yahoo!—to send mobile phone users targeted messages using that brand’s name or personal information about the recipient.

Spear phishing attacks on enterprise users and executives: Today’s more sophisticated, financially motivated attackers can also put more resources into targeting big fish—e.g., spear phishing a corporate officer with the credentials required to access financial systems.

These insidious attacks are carefully crafted and targeted. Attackers in these cases do not use mass automation, as in the previous cases described.

Instead, they profile individuals through corporate website employee and management pages and social media profiles such as LinkedIn, Facebook and Twitter, and then combine those with data found in online databases that contain phone number information.

In addition, these attacks often appear to originate from the IT department of the enterprise, and may direct users to URLs to collect passwords and VPN credentials.

They may also be used to direct users to URLs that mimic the enterprise, and ask them to install malicious VPN profiles or enterprise mobile device management certificates.

SMS Phishing

SMS, text and iMessage phishing, also known as smishing, comprises an increasingly common vector for delivering malicious URLs to mobile device users. According to the 2018 State of the Phish™ Report, smishing was a threat to watch in 2018.

The report shows that average failure rates on simulated smishing attacks are the same as those on email phishing tests. However, just 16% of global technology users surveyed were able to correctly identify the definition of smishing in a multiple-choice query.

These attacks come in several varieties:

Large-scale phishing: These attacks resemble email spam attacks, where thousands of phone numbers are sent generic phishing messages that appear to be from banks, email providers, app stores and other online services.

The ruses used in these attacks can include password resets, account security updates, or even fake notifications about incoming payments that must be confirmed.

App Phishing

Email and SMS/text/iMessage are not the only vectors phishers use to deliver scam messages and URLs to users. Mobile apps have also become significant channels for distributing phishing links.

Most mobile devices have a huge number of apps installed, and the number seems to grow daily. There currently are 3.8 million apps available to Android users on Google Play, and over 2 million apps available to users on the Apple App Store.

Over 1.5 million apps are available on other third-party app stores, not to mention illegitimate or malicious app stores.

App phishing further takes a number of forms:

Encrypted communication phishing: WhatsApp, Telegram, Signal and other apps deliver encrypted messages to users that are not filtered in any way.

These are prime delivery channels for sending users phishing links. Note that, unlike with email, the sender is not easy to spoof, but convincing messages can be sent claiming to be from customer support, enterprise IT support, or a known online service. Furthermore, these malicious links cannot be flagged by the enterprise.

Fake social media phishing: Apps like Twitter provide users with always-on connected social media. However, these apps are also frequently used for customer support by well-known brands such as banks, travel services, email providers and e-commerce sites.

Attackers set up accounts on these social media sites pretending to be legitimate customer support service for these companies. They can then deliver URLs to users over this channel, requesting passwords or other sensitive information.

Fake apps: It is a commonly held misconception that commercial app stores such as the Apple App Store and Google Play only allow safe apps onto their platforms. However, every month a multitude of dangerous or outright malicious apps sneak into these stores. As an example, in December 2017 hundreds of fake cryptocurrency apps were published on the Apple App Store and Google Play.

These apps tricked users into divulging their usernames and passwords to real cryptocurrency trading sites, and the bad actors behind these counterfeit apps were able to steal virtual currency. In fact, in November 2017, the third most popular app in the Apple App Store Financial Apps category was a fake MyEtherWallet app, which for a time in late 2017 was among the most downloaded apps on the Apple App Store.


Third-party app stores: Users can intentionally or accidentally access unofficial app stores on both Android and iPhone devices. These app stores often use the technique of distributing a configuration profile that is installed on a device by visiting a web page.

Once such a profile is installed on the mobile device, the user can then access the third-party app stores and download apps to the device. These apps are not subjected to any verification or security review, and can be used to deliver phishing URLs, malicious content, and even to install malicious apps on the user’s device.

FINANCIAL MOTIVATION OF MOBILE DEVICE PHISHERS

The primary motivation of mobile device phishers is financial. Phishers attacking users on mobile devices can monetize their attacks in these ways:

Steal and sell online credentials: Bustling online markets exist for selling and buying stolen online credentials. Phishers have always monetized their attacks by selling usernames and passwords on these markets.

Gain access to enterprise systems: By gaining credentials to enterprise systems through phishing users on mobile devices that are used for both enterprise and personal use, attackers can gain access to enterprise IT systems. This access can be gained by phishing usernames and passwords, phishing VPN credentials, and even phishing cell phone service PINs.

Cell phone service provider PINs are useful when the attacker wishes to port the phone number of the victim to their own device, and then receive all their SMS messages and phone calls. Typically, this is done to defeat enterprise 2-factor authentication (2FA) systems that use SMS text message codes in addition to usernames and passwords.

Once access to internal IT systems is achieved, attackers can either sell that access to data thieves and spies, or can use it to infiltrate corporate systems and steal customer data.

Gain access to banking and payment services: Phishers often use stolen credentials obtained from mobile device phishing attacks to gain access to banking and payment services. This is a variation of the now-common email phishing attack to gain access to online accounts.

Steal cryptocurrencies: A new form of mobile device phishing attack focuses on gaining access to cryptocurrencies that may be stored on the mobile device, or may be stored at an online exchange or hosted wallet.

Attackers are very eager to steal these credentials, as with these in hand they can very easily access cryptocurrency funds and move them to addresses where victims cannot recover their assets. This type of targeted credential theft has grown enormously in the last three years for app, email and SMS phishing of these targets.

In addition to stealing the credentials of individual users, mobile device phishing is often used to target executives in these companies in order to gain access to larger cryptocurrency reserves.

SOLUTIONS FOR SECURING MOBILE DEVICES AND USERS AGAINST PHISHING

The APWG recommends a multi-layered approach to securing mobile devices from phishing attacks. Without all four layers, mobile devices and their users are vulnerable across many different delivery channels, including email, SMS/text/iMessage and apps.

For instance, unless devices are locked down and strictly limited to use for enterprise functions—i.e., can only access enterprise apps and are not used for text messaging—they cannot be protected by a server-only email filtering approach.

However, this is unrealistic in all but the most secure and classified environments. The huge shift to BYOD for mobile devices is dramatically expanding the threat landscape for phishing, which further reinforces the need for broader protection capabilities.

Specifically, this four-pronged approach for defending enterprise mobile devices against phishing and spear phishing attacks includes the following best practices:

Server-based anti-phishing protection

The first line of defense against phishing on mobile devices is to have robust server-based anti-phishing protection. This protection must be composed of anti-spam filtering, phishing detection, BEC phishing detection and spear phishing detection. While necessary for mobile device protection, it is far from sufficient.

Device-based URL protection

The second line of defense against phishing on mobile devices is to have device-based URL filtering for email, SMS/text/iMessage and app phishing.

Because mobile devices are used for both business and personal tasks, and they have many ways of receiving content and messages, it is imperative that devices have onboard URL protection.

The vast majority of phishing attacks direct a victim to a URL that provides convincing content to trick the user into disclosing credentials (username, password, VPN password, PIN), or installing malicious apps or configuration profiles.

URL protection that spans not just an enterprise email account but also personal email accounts, SMS/text/iMessage and the content that apps download is crucial.

Device-based security profiling

Enterprises should deploy device-based security profiling to detect if devices have been purposely or inadvertently made vulnerable to targeted phishing or malicious app or network traffic interception.

This profiling should examine operating system versions and patch levels, installed configuration profiles and certificates, and scan for malicious apps.

User Education

Phishing and spear phishing attacks have one thing in common—they require an unwitting or uneducated human on the recipient side. The problem for security teams lies in the rising level of sophistication of today’s attacks.

These socially engineered communications often look real, contain credible personal information, and appear to come from a legitimate address.

African Eye Report
