Mobile Phishing and the Glaring Gap in Mobile Security
SMS, social media and apps leave enterprise employees exposed to phishing attacks
Every security professional is fully aware of the prevalence and danger of mobile phishing. It remains one of the most powerful cybersecurity threats faced by organizations worldwide. The authoritative Verizon Data Breach report for 2017 noted that phishing was involved in 95% of reported breaches. Organizations are not complacent about the dangers of phishing and continue to strengthen employee training programs and upgrade the quality of the technical solutions they have put in place to mitigate the risk. Enterprise email systems, in particular, have seen heavy investment in anti-phishing technology.
While this focus on protecting enterprise email systems is entirely appropriate it is critical to understand that on mobile devices there are multiple alternative attack vectors. Phishing attacks can originate on social media site accessed through a mobile app or mobile browser, can be delivered by SMS or MMS or embedded within popular messaging apps such as WhatsApp. Games, sports and dating apps have also been used to execute mobile phishing campaigns. Attackers are not blind to the fact that employees rely more and more on mobile devices and have moved to exploit the new opportunities that this presents. Proofpoint reported a 500% increase in phishing attacks over social media in the last quarter of 2016. According to researchers, 81% of attacks on mobile are outside email. Mobile phishing attacks are agnostic as to operating system as they rely primarily on users clicking on URL’s rather than on executing malicious code within an app.
The potential for successfully SMS phishing is a particular worry. SMS is increasingly used in an enterprise context as a secure channel for activities such as 2-factor authentication or password recovery. Employees are coming to accord SMS a higher trust weighting than other channels. A properly crafted mobile phishing attack over SMS can now leverage this perception to extract credentials or other highly sensitive data.
The Gaping Hole in Enterprise Security
In the light of the above, it is surprising to learn that existing enterprise security systems offer no protection against these threats. This is due to one simple fact: mobile devices access the internet over public networks (e.g. WiFi, 3G/4G). As result the protections in place on the Corporate LAN (e.g. web gateways, firewalls) are unavailable. There means that these systems are powerless to prevent an employee accessing a malicious site.
There are two factors which significantly increase the risk associated with this gap in the typical enterprise’s security infrastructure. Firstly, research by IBM has shown that people are much more likely to fall for phishing attacks on mobile than on desktop. The smaller form factor makes it more difficult to detect the telltale signs which would raise employee’s suspicions. The more informal, rapid-fire, low attention way in which we all use mobile means that our guard is often down.
A second factor which makes the mobile phishing security gap more worrisome is the absence of any way to determine whether an attack has occurred. This is because enterprise security teams have no systems for logging mobile device activity. Mobile security systems such as Mobile Device Management systems or anti-virus software provide information only on device files and settings and nothing about network activity. This makes it impossible to search the mobile fleet for indicators of compromise (IOC’s) when the security team becomes aware of an attack. Consider the implications: your CEO has detected a spear phishing attack over SMS and has now brought it to your attention. He wants to know has anyone fallen for the attack and, due to your lack of visibility, you have no way of knowing.
Plugging the Gap
The current state of the art technology to address this gap in security infrastructure is to route your employees’ mobile data traffic to a central gateway where protection can be applied. This can be done using a VPN or proxy solution. However, this approach has major drawbacks which make it unsuitable for widespread enterprise adoption. Two things, in particular, are problematic. The first is that it is highly intrusive on employee privacy because all of the employee’s internet traffic would now be subject to inspection by their employer. Secondly, the need to route to a single control point introduces potential impacts on performance and reliability. If the gateway goes down all of your employees devices will become unusable.
Corrata has pioneered an alternative approach which offers the required level of protection but without the drawbacks outlined above. Instead of routing traffic through a central gateway we place a personal gateway on each device. This applies the security protections but without the need to intrude on the employees’ reasonable expectation of privacy. In addition, it avoids the latency and reliability issues associated with a central gateway. Corrata’s solution offers protection against phishing but also can disable the operation of malware and eliminate the risks of insecure WiFi.