Why you need the protection against smishing that only a specialist can provide
The recent attacks against Twilio and Cloudflare have brought home to many security professionals how exposed their organizations are to phishing attacks delivered by SMS and other mobile channels, including WhatsApp, LinkedIn, and Facebook Messenger. And the attacks just keep coming. Only today, one of Corrata’s security researchers identified a similar-style attack in progress against Zendesk. An obvious question to ask is why, given the prominence of phishing as a threat vector, organizations are falling for these pretty unsophisticated attacks.
In security professionals’ minds, phishing has, for a very long time, been associated exclusively with email. And indeed, email remains the primary delivery mechanism for phishing attacks on desktops and laptops. Email services such as Microsoft Outlook and Gmail come with integrated anti-spam and anti-phishing protections. Notwithstanding this, many organizations have invested in additional anti-phishing solutions from providers such as Proofpoint and Cofense.
And while none of these solutions is bulletproof, they do provide an important defense, particularly when allied with employee training, implementation of multi-factor authentication, and web filtering solutions.
Mobile is different
But mobile is different – 85% of phishing on mobile takes place outside email, most notably over SMS. And unfortunately, there is no inbuilt anti-phishing protection in SMS. It is true that some telecommunications providers use SMS firewalls to filter malicious content, but implementation is patchy and effectiveness questionable.
What’s more, telecommunications providers lack the kind of well-developed threat intelligence sharing mechanism provided by organizations such as the Anti-Phishing Working Group.
Efforts by Google or Apple to implement protection at the device level (by building them into the messaging client) are stymied by privacy concerns: having ‘big tech’ read the contents of your messages is not somewhere that most people will want to go.
Protection built into browsers such as Chrome and Safari is a help, but, designed as they are for mass-market use, they react too slowly to new attacks – in a recent test, we found that Chrome blocked less than 17% of new smishing attacks.
Help is at hand
The bottom line is that when it comes to smishing, organizations are hopelessly exposed…
The good news, however, is that help is at hand, and effective solutions are readily available. A range of specialist mobile threat defense solution providers, of which Corrata is one, provide effective and easy-to-deploy smishing protection as part of their broader mobile threat defense products.
These solutions work at the device level by examining any link that a user clicks, whether embedded within a text, WhatsApp or other messaging app. If the link is dangerous, then access to the site is blocked, the user notified, and an alert sent to the security operations team.
Do traditional endpoint solutions work?
Traditional endpoint security vendors (e.g. Microsoft Defender, Symantec, McAfee, Sophos, Trend Micro) also offer mobile versions of their desktop products. Many include smishing protection. A recent analysis by Corrata security researchers has shown that these ‘suite solutions’ perform poorly in detecting and blocking smishing and other types of mobile-specific.
Our researchers took a sample of recent SMS phishing attacks and examined how many were blocked by mobile threat defense solutions provided by the ‘traditional’ vendors and compared it with the percentage blocked by a specialist provider (in this case, Corrata)…
The results were clear-cut – the traditional ‘suite’ solution (provided by household names in enterprise tech) caught only 39% of the smishing attacks. In contrast, the specialist solution (in this case, Corrata) caught 100% of the malicious messages…
Why specialists trump generalists
While we weren’t surprised by how well our solution performed (it’s what we work on every day), we were surprised at how poorly the ‘suite vendors’ performed. Our hunch is that they lack the right threat intelligence:
They are relying on threat feeds which are built to defend against the threats they see every day: on desktop, in email, etc. In contrast, our threat feed is ‘mobile first’, incorporating traditional threat feeds augmented with mobile-specific threat intelligence. But Corrata goes further: we tune our algorithms to detect new threats even before they’ve been identified by the broader threat intelligence ecosystem. And we work closely with our operator partners to make sure we are a step ahead.
Reliable, up-to-the-minute threat intelligence is critical to defeating phishing and other cyber threats
SMS phishing, in particular, is a very fast-moving game with new attacks launched and taken down in hours, if not minutes. This means that adopting the precautionary principle is often the correct approach. But this must be done in a subtly calibrated manner to avoid impacting the experience and productivity of staff. So, I guess the lesson is: if you want the best Mobile Threat Protection, look for a specialist!