The many faces of mobile phishing
By admin 25th May 2018

Phishing is defined by the Oxford Dictionary as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” Recently, this definition has begun to evolve as hackers move away from traditional phishing mediums like email, and towards more mobile-centric services like SMS, WhatsApp, Facebook Messenger, Tinder and fraudulent mobile apps. Cybercriminals are adept at using social engineering techniques to make their content appear authentic, and ultimately make their phishing more likely to succeed. This is an extremely common method of cybercrime, growing by 85% year on year since 2011.


It’s likely that the number of mobile-focused attacks has increased because hackers are trying to maximise the effectiveness of their ‘campaigns’. This can be linked to the fact that, for the first time ever, more people are using mobile devices than PCs. Research has also found that mobile users are three times more likely to fall for phishing attempts than their desktop-using counterparts. Mobile devices and their users are far more exposed, so it makes sense that cybercriminals are focusing their attacks on mobile. Let’s look at how phishers exploit this weakness.


Smishing

‘Smishing’ is popular because it focuses the attack on an often overlooked component of organisational cybersecurity: text messaging. The attacker sends a text to the victim’s phone that persuades them to click a link in the message. Clicking the link leads to one of two outcomes: either it loads a phishing page where the user is tricked into entering their login credentials, or it starts a silent download (one that raises no notification) of surveillance spyware onto the device. Either way, the attacker’s aim is to gain unauthorised access to personal, sensitive and corporate data. With SMS open rates of 98%, this attack succeeds all too often.


Social Media

Phishing attacks originating from social media soared by 500% in 2016, and by a further 100% in 2017. Social media is now the preferred attack channel for phishers, and while workplace desktops are likely to have enterprise-grade security solutions installed, mobile devices are generally ignored. This leaves users free to engage with and download potentially malicious content as they please. The problem arises when they inevitably engage with a malicious link embedded in a social media post. This is an extremely common way to trick unsuspecting users into revealing personal information and other sensitive credentials, such as those used to access corporate systems. Malicious links appear across the board, not just on the most popular recreational sites such as Facebook, Twitter and Instagram. Even the professional networking platform LinkedIn has been known to host similar phishing attempts. When such an attack succeeds on a mobile device that lacks security controls, it puts both the user and the organisation at tremendous risk.


Whishing and Messaging-Based Attacks

‘Whishing’ is the term coined to describe WhatsApp phishing. Because WhatsApp allows communication with anyone else on the platform, phishers can target a huge number of users with the same blanket message. It’s a cheap and relatively easy way to reach lots of users quickly, which is why whishing is becoming prevalent. Again, the mechanics are as simple as clicking a malicious link in a WhatsApp message, but the consequences are anything but innocent. WhatsApp-based phishing, like any phishing attack, can be neutralised by blocking connections to the phishing server using a web gateway. However, today’s web gateways only protect devices while they are connected to the corporate network. Mobile devices, by their very nature, are designed to be used on any network, and so they lack this protection against phishing attacks.
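The smishing and whishing sections above both come down to the same defensive question: given a message that arrived over SMS or WhatsApp, does the link inside it deserve to be blocked before the user taps it? The following is an added example, not code from the original post or from Corrata, of the kind of link screening a web gateway or an on-device filter performs. The blocklist, the brand-domain table, the shortener list and the sample messages are all constructed placeholders for a real threat feed; the heuristics (blocklisted host, brand name in a non-brand domain, credentials before an `@`, raw IP hosts, URL shorteners) are common, conservative checks and will produce some false positives.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample data: a blocklist of known phishing hosts and the
# legitimate domains of brands that phishers imitate. Neither list comes
# from the original post; both stand in for a real, regularly updated feed.
KNOWN_PHISHING_HOSTS = {"login-verify-example.test", "secure-update.example"}
BRAND_DOMAINS = {"paypal": "paypal.com", "apple": "apple.com"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# Matches http(s) URLs and bare "www." links as they appear in message text.
URL_PATTERN = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in a message body, prefixing http:// onto bare www. links."""
    urls = []
    for match in URL_PATTERN.findall(text):
        url = match.rstrip(".,;:!?)")  # trailing punctuation belongs to the sentence, not the URL
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        urls.append(url)
    return urls


def assess_url(url):
    """Return the list of reasons a URL looks suspicious; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    # 1. Exact match against the blocklist: what a web gateway would enforce.
    if host in KNOWN_PHISHING_HOSTS:
        reasons.append("host is on the phishing blocklist")

    # 2. Userinfo before '@' makes the real host easy to miss on a small screen.
    if parts.username is not None:
        reasons.append("credentials before '@' hide the real host")

    # 3. A raw IP address is rarely used by legitimate consumer services.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    # 4. Shorteners hide the destination until the link is followed.
    if host in URL_SHORTENERS:
        reasons.append("URL shortener hides the destination")

    # 5. Brand name present, but the host is not the brand's registered domain
    #    (or a subdomain of it). Substring matching is a heuristic and can
    #    misfire on unrelated words that happen to contain the brand name.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and not (host == legit or host.endswith("." + legit)):
            reasons.append(f"impersonates {brand} ({legit})")

    return reasons


def screen_message(text):
    """Map every URL in a message to its list of findings."""
    return {url: assess_url(url) for url in extract_urls(text)}


def is_suspicious(text):
    """True when at least one URL in the message was flagged."""
    return any(screen_message(text).values())


# Constructed sample messages; none of these are real campaigns.
SAMPLE_MESSAGES = [
    "Your parcel is waiting. Confirm at https://login-verify-example.test/track now",
    "PayPal: unusual sign-in, review at http://paypal-account-check.example/login",
    "Team lunch photos: https://www.example.com/photos/2018",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        verdict = "BLOCK" if is_suspicious(message) else "allow"
        print(f"[{verdict}] {message}")
        for url, findings in screen_message(message).items():
            for finding in findings:
                print(f"    {url}: {finding}")
```

The blocklist check is the piece a corporate web gateway performs; the remaining heuristics are what an on-device filter can still apply when the phone is on a network the gateway never sees, which is the gap the section above describes.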


Malicious apps

Malicious applications arrive in different forms. The first is via unofficial app stores. Users directed from an internet search to an unofficial app store may unknowingly download a mobile application that was not made by the original developers. Therein lies the risk of downloading malware and other mobile-specific viruses, because there is no enforceable guarantee that the download is the app the user wanted. Often, malware is hidden in the download and activated after installation. Another entry point for phishing attacks is malicious apps on official app stores. There have been countless cases of app removals from the iOS and Android app stores, most recently Google Play’s removal of 60 mobile game apps that contained malware dubbed ‘AdultSwine’. Simply put, the app developers hid malware in games; it appeared as pornographic ads but actually prompted users to download fake security software, or scareware, after which users were led to click on further links that they would have to pay for. While it’s absolutely worth noting that Google immediately removed all offenders, this isn’t an isolated incident. In 2017, Google removed 700,000 malicious apps from its store, up 70% from 2016. The iOS App Store has also seen malicious apps, with hundreds discovered and removed in 2015. Malicious apps on official app stores are generally undetectable until Google or Apple themselves flag them. While corporate desktops have a regimented, pre-approved list of software, mobile devices are free to download any app from any network.


Conclusion

Phishing is a serious yet common problem that will get worse before it gets better. 2017 saw a 400% increase in the amount of spam, a figure that IBM research suggests accounts for half of all email sent on the internet. 400 businesses per day are being targeted by phishing attacks, so how can organisations protect themselves against phishing attacks and the damage they leave in their aftermath? The first step is bridging any gaps in existing enterprise security, which we’ve found usually presents itself as insufficient or non-existent mobile security solutions. Corporate-owned desktops and laptops have already received much of the attention in regard to cybersecurity, but organisations are failing to protect themselves from mobile-focused threats.


To learn how Corrata prevents all such phishing attacks, click here.