No Filter – Part One
Spear phishing exposes the ‘mobile gap’ in enterprise defenses.
Spear phishing is one of the most effective, widely deployed, and damaging cyberattack techniques. Unlike traditional phishing, which casts a wide net, spear phishing is a targeted and sophisticated form of social engineering. The threat is significant: in 2023, nearly 65% of organizations experienced spear phishing attacks. Attackers meticulously research their victims, often using personal details to craft convincing messages. Generative AI allows attacks to be cost-effectively scaled. The ubiquity of SMS and the explosion in the use of messaging apps has opened up a whole new range of delivery channels.
Unlike traditional phishing, which might involve sending hundreds or thousands of emails indiscriminately, spear phishing attacks are customized and designed with specific targets in mind. Attackers gather detailed information about a victim through social media, leaked data, or previous breaches, and then craft messages that appear legitimate. Mobile messaging apps have become central to spear phishing due to their widespread use for both personal and professional purposes.
SMS Phishing (Smishing)
Everyone is familiar with text messaging scams: fake parcel delivery notifications, warnings to update your banking details, or alerts to file for a tax refund. When targeting enterprises, the messages might involve urgent notifications to update your credentials or a message from a colleague sharing an important PDF. For example, a user might receive an SMS that appears to be from Microsoft 365, alerting them to an “urgent security issue” with their account and instructing them to verify their login details on a fraudulent website designed to steal their credentials.
Smishing attacks are highly effective in corporate environments. Employees are accustomed to receiving legitimate notifications, making it easier for attackers to deceive them. Because SMS has long been used to deliver MFA verification codes (a practice now on the wane), many employees have come to view the channel as in some sense secure.
Sidebar: SMS Spoofing
A key tactic used by attackers in smishing campaigns is SMS spoofing. Attackers manipulate the sender information, making it appear as though the SMS is coming from a known contact or a recognized source, such as Microsoft or Workday.
Since SMS lacks robust authentication mechanisms to verify the sender, SMS spoofing is difficult to detect and block, making it an effective tool for attackers. It increases the chances of a successful phishing attack by giving an air of legitimacy, particularly when combined with a sense of urgency.
Messaging Apps
Messaging platforms like WhatsApp, Facebook Messenger, Signal, and Telegram are fertile ground for spear phishing. These platforms have billions of users, and attackers can impersonate known contacts to build trust. In many cases, attackers will convince the target to take specific actions, such as sending money, providing sensitive information, or clicking on a malicious link.
Since many people use these platforms for both personal and professional communication, the lines between work and private life blur, making it easier for attackers to exploit these communication channels. The end-to-end encryption provided by platforms like WhatsApp offers privacy but makes it harder to detect malicious activity, as security solutions may not be able to inspect the content of the messages.
Even with the best email filtering solution in place, some phishing messages will reach your employees’ inboxes. When viewed on a mobile phone, it’s more challenging for employees to spot clues that might alert them to a phish. Smaller screens that show less detail make it easier for a phishing attempt to slip through unnoticed.
A subtle point about spear phishing is that it doesn’t necessarily target the employee’s corporate email address. Attackers can evade email phishing filters deployed by the enterprise by communicating with a target over their personal email account, perhaps with information about a new role.
What Are Attackers After in Spear Phishing Attacks?
In general, mobile phones cannot be used to move laterally within an enterprise network. There are, nonetheless, a host of bad things that attackers can accomplish with a successful mobile attack. An attack can be used to gain access to cloud systems by successfully harvesting credentials and/or session cookies. An attacker might also use mobile messaging channels to initiate a fraudulent payment, extract compromising personal information, or trick the target into sharing sensitive documents. The exfiltration of intellectual property, trade secrets, or classified information is often the aim of nation-state attackers. Spear phishing is commonly used by commercial spyware vendors to get remote access to target devices for purposes of surveillance or data extraction.
Sidebar: Real-World Examples
Twilio Smishing Attack
In August 2022, Twilio, a cloud communications company, fell victim to a smishing attack. Attackers used SMS spoofing to send text messages that appeared to come from Twilio’s internal IT department, prompting employees to click on a link and update their credentials. Believing the messages to be legitimate, some employees entered their login details on a fake login page.
The attackers used these credentials to access Twilio’s internal systems, impacting several of its customers who relied on Twilio for secure messaging services, including two-factor authentication (2FA). This attack illustrates how easily a smishing attack can compromise sensitive internal systems, even in tech-savvy companies, through well-crafted spoofed messages.
Scattered Spider and Teams
Scattered Spider is a cybercriminal group that targets larger enterprises and their outsourced IT providers. It is considered an expert in social engineering tactics. In April 2023, it used compromised Office 365 accounts to target users over Microsoft Teams. Pretending to be from HR, the group enticed employees to visit a fake Office 365 login page and to share their MFA codes.
Charming Kitten
APT35, also known as Charming Kitten, is a cyber-espionage group linked to the Iranian government. APT35 has targeted government officials, academics, and activists, especially those involved in Middle Eastern geopolitics. In a number of documented cases, APT35 sent personalized SMS messages to targets that appeared to come from legitimate sources, such as email providers or social media platforms, asking them to click on links to “verify their accounts” or “update their credentials.” These messages directed users to fake login pages, which harvested credentials and granted the attackers access to sensitive communications and data.
Conclusion
The combination of constant connectivity, access to sensitive information, and weaker security measures creates vulnerabilities that spear phishers can easily exploit. The smaller screens of mobile devices make it harder for users to spot phishing indicators, such as slightly altered email addresses or fake links. Additionally, people are more likely to interact with their phones on the go, often leading to quicker, less cautious decision-making. Users may also neglect basic security hygiene, such as enabling multi-factor authentication (MFA) or keeping devices updated, making them more susceptible to phishing attacks. And finally, mobile devices often lack the robust security tools found on desktop environments, such as antivirus software and phishing filters.
In our experience, this last point is underappreciated among Information Security professionals. Incident response specialist Mandiant’s most recent annual review highlighted attackers’ increased focus on evasion. They specifically called out attackers’ use of social media, SMS, and other messaging platforms to deliver lures to targets—methods that bypass traditional defenses. Often, mobile specialists will reassure the InfoSec team that the use of MDM and MAM means all is in order. InfoSec professionals are then surprised to discover that MDM does not scan for malware or protect against malicious links—basic controls that they rely on in the desktop world. It’s now clear that there’s an urgent need for InfoSec teams to end the neglect of mobile defenses. In part two of this series, we’ll explain how inadequate protections in mobile networks, operating systems and browsers leave your organization exposed.