Mobile phishing is becoming more prevalent and more difficult to spot
The Oxford Dictionary defines phishing as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers”. That definition is now too narrow. Attackers are moving away from email towards mobile channels, targeting services such as SMS, WhatsApp, Facebook Messenger and Tinder, and distributing fraudulent mobile apps. They are adept at using social engineering to make the lure look authentic. Phishing is an extremely common form of cybercrime, reported to be growing by 85% year on year since 2011.
The rise in mobile phishing is most likely attackers maximizing the return on their ‘campaigns’. For the first time, more people use mobile devices than PCs, and research has found that mobile users are three times more likely to fall for a phishing attempt than desktop users: a small screen hides most of the URL, and a link in a message is tapped with far less scrutiny than a link in an email on a desktop. So it makes sense that cybercriminals are focusing their attacks on mobile. Let’s look at how phishers exploit this.
‘Smishing’ (SMS phishing) is popular because it targets an often overlooked part of organizational cybersecurity: text messaging. The attacker sends a text that persuades the victim to tap a link in the message. Tapping it typically leads to one of two outcomes. One: the link loads a phishing page that imitates a login screen and captures the user’s credentials. Two: it leads to a download of surveillance spyware, which the victim is then talked into installing (on a locked-down handset a genuinely silent install needs a browser or OS exploit, which is far rarer than a convincing prompt). Either way, the attacker’s aim is unauthorized access to personal, sensitive and corporate data. SMS open rates are reported at around 98%, so a lure sent by text is read far more reliably than one sent by email, and the attack is too often successful.
Phishing attacks originating from social media soared by 500% in 2016, and by a further 100% in 2017, making social media a preferred channel for phishers. Companies prioritize security for workplace desktops but generally ignore (or forget) mobile devices, leaving users free to engage with and download whatever content they like. The problem arises when they inevitably tap a malicious link embedded in a social media post; this remains an extremely common way to trick unsuspecting users into revealing personal information and credentials.
Malicious links appear across the board, not just on the most popular sites such as Facebook, Twitter and Instagram. Even LinkedIn, the professional networking platform, has been known to host similar phishing attempts, and because users tie it to their work identity, these attacks put both the user and their organization at tremendous risk.
Whishing and Messaging-Based Attacks
‘Whishing’ is the term coined for WhatsApp phishing. Because WhatsApp lets anyone message any phone number on the platform, phishers can reach a huge number of users with the same blanket message cheaply and quickly, which is why whishing is becoming especially prevalent. Again, the mechanics are as simple as tapping a malicious link in a WhatsApp message, but the consequences are anything but innocent.
WhatsApp-based phishing, like any link-based phishing attack, can be blocked at the network layer by a web gateway that refuses connections to known phishing servers, provided the gateway’s filters already know about the host. However, today’s web gateways only protect devices while they are on the corporate network. Mobile devices by their very nature move between carrier data, home and public Wi-Fi, so for most of the day they sit outside that protection.
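The link check a gateway applies, shown here running over the message text before the user taps the link, which is where it has to run to cover an off-network phone. This is example code written for this page, not Corrata’s product or any shipping filter. The blocklist, brand table, shortener list and sample smishing/WhatsApp-style messages are all constructed for the example; the heuristics (blocklisted host, raw IP, punycode or non-ASCII host, a userinfo ‘@’ hiding the real host, a brand name in a lookalike hostname, a public shortener) are the cheap checks that catch the bulk of mass-sent lures:

```python
"""URL triage for SMS / messaging text.

Example code for this article, not Corrata's code. Every domain, brand entry
and message below is constructed; none of the hosts are real phishing sites.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed blocklist standing in for a web gateway's threat-intel feed.
BLOCKLIST = {"secure-login-update.example", "verify-account.example"}

# Brands that commonly appear in lookalike hostnames, with their real domains.
BRANDS = {"paypal": "paypal.com", "apple": "apple.com",
          "hsbc": "hsbc.com", "whatsapp": "whatsapp.com"}

# Public shorteners hide the destination; expand them before deciding.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the links in a message with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def _parse(url):
    """urlparse needs a scheme to recognise the netloc of 'www.x' style links."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return urlparse(url)


def hostname(url):
    return (_parse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Last two labels. A real filter would consult the Public Suffix List
    so that e.g. 'foo.co.uk' is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url):
    """Return ('block' | 'suspicious' | 'allow', [reasons])."""
    host = hostname(url)
    reg = registrable_domain(host)
    if host in BLOCKLIST or reg in BLOCKLIST:
        return "block", ["host on blocklist"]

    reasons = []
    try:                                  # a bare IP instead of a hostname
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("non-ASCII or punycode label (possible homograph)")
    if "@" in _parse(url).netloc:         # http://paypal.com@evil.example/
        reasons.append("userinfo '@' in URL hides the real host")
    for brand, real in BRANDS.items():    # substring match: cheap, some false positives
        if brand in host and reg != real:
            reasons.append(f"'{brand}' in hostname but domain is {reg}, not {real}")
    if host in SHORTENERS:
        reasons.append("URL shortener: expand and re-check the destination")
    return ("suspicious" if reasons else "allow"), reasons


def triage_message(text):
    """Worst verdict across all links in a message, plus per-URL detail."""
    order = {"allow": 0, "suspicious": 1, "block": 2}
    results = [(u, *classify(u)) for u in extract_urls(text)]
    worst = max((r[1] for r in results), key=order.get, default="allow")
    return worst, results


# Constructed sample lures; not real messages.
SAMPLE_MESSAGES = [
    "Delivery notice: your parcel could not be delivered. Reschedule at "
    "https://secure-login-update.example/track",
    "PayPal: unusual sign-in detected. Confirm at "
    "http://paypal.com-security-check.example/login",
    "HSBC alert: log in now at http://hsbc.secure@192.0.2.10/login to avoid suspension.",
    "Team lunch photos: https://intranet.example.org/albums/2017",
    "Watch this https://bit.ly/2xyzabc lol",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, detail = triage_message(msg)
        print(f"[{verdict:>10}] {msg}")
        for url, _, reasons in detail:
            for reason in reasons:
                print(f"             {url}: {reason}")
```

The brand check is a deliberate shortcut: a plain substring match will flag “pineapple.example” for “apple”, and two-label `registrable_domain` misjudges country-code suffixes, so a production filter would use the Public Suffix List and a curated lookalike list. The point of the example is where the check runs, not its sophistication: a gateway only sees this traffic while the phone is on the corporate network, so the same logic has to live on the device or behind an always-on proxy to protect mobile users.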
Malicious applications arrive by several routes. The first is sideloading from unofficial app stores. A user may unknowingly install an app riddled with malware: there is no vetting, and no guarantee that the package is the genuine app rather than a repackaged copy. Often the malicious behavior stays dormant until after installation, or the payload is fetched later, so it survives a casual check.
Another entry point is malicious apps on the official stores. There have been countless removals from the iOS and Android stores, most recently Google Play’s removal of around 60 game apps carrying malware dubbed ‘AdultSwine’. The games displayed pornographic ads, pushed users to install fake security software (scareware) and led them to click through to services they would have to pay for. Google removed the offending apps promptly, but this is not an isolated incident.
In 2017 Google removed over 700,000 apps that violated Google Play policies, 70% more than in 2016. The Apple App Store has also hosted malicious apps, with hundreds discovered and removed in 2015. Malicious apps on official stores are generally invisible to the user until Google or Apple identifies and pulls them. Corporate desktops typically run only a regimented, pre-approved list of software; unmanaged mobile devices can install any app from any store, on any network.
Phishing is a serious yet common problem that will get worse before it gets better. 2017 saw a 400% increase in spam volume, which IBM research suggests now accounts for about half of all email sent. With some 400 businesses a day being targeted by phishing, how can organizations protect themselves against mobile phishing and the damage it leaves behind? The first step is closing the gaps in existing enterprise security, which in our experience usually means addressing insufficient or non-existent mobile security. Corporate-owned desktops and laptops have received most of the attention, but organizations are failing to protect themselves against mobile-focused threats.
To learn how Corrata helps prevent mobile phishing attacks, click here.