Mobile Phishing Increasing at an Alarming Rate

Esther Shein

Organizations are often so hyper focused on securing the network perimeter they overlook the fact that a lot of corporate data on mobile devices is making them the preferred target for phishing attacks. In fact, the rate at which people fall for phishing attacks has increased 85 per cent every year since 2011, according to mobile security startup Lookout.

Phishing attacks aim to acquire sensitive information such as usernames, passwords and banking details by masquerading as a trustworthy entity in a message.

Other reports bear this out as well. Mobile phishing is now the number one threat organizations face because “it’s easier for an attacker to exploit a person via a phishing attack than it is to exploit the relatively robust mobile operating systems, especially iOS,” according to Wandera’s 2018 Mobile phishing report.

“iPhones have a reputation for being secure, but this notion only leads iPhone users into a false sense of security,” the Wandera report claims, adding that a mobile user is 18 times more likely to be exposed to a phishing attempt than malware.

Officials say it makes sense, given that people are using their mobile devices more and more frequently for work.

Verizon’s 2018 Data Breach Investigations Report finds that 90 per cent of cyberattacks begin with phishing.

“The most effective way for hackers to gain a foothold on systems and install keyboard loggers or ransomware is to get people to click on links,’’ observed Kevin Curran, a senior member of the IEEE andcybersecurity professor at Ulster University.

Cyber attackers do this by tricking people into downloading infected files or more commonly, by sending people bogus emails or texts.

“One simple step would eliminate the phishing attack problem overnight."

SMS phishing, which uses social engineering techniques, has been steadily rising in the past year, said Dave Jevans, chairman of the Anti-Phishing Working Group (APWG) coalition. For example, an individual might get an SMS/text message from an authentic-looking, trustworthy sender like their bank or ISP, asking them to verify a PIN. They are then directed to a page where the attacker can collect their data.

“The problem is the cellphone companies are not real good at identifying and blocking” SMS phishing texts, said Jevans.

The first line of defense is to educate people about the dangers of clicking on links, said Curran, but added that “only a fraction however will listen and learn.”

What tends to be more effective is when security teams send phishing emails to employees that lead them to a page telling them about their mistake and educating them on the dangers of what they did, he believes. Most ideal would be for organizations to hold regular refresher training by IT security experts, since cyber attackers change their tactics over time.

“What is an adequate precaution today can be outdated very quickly, as in the case of two-factor authentication becoming broken of late,’’ Curran said.

The other popular venue for phishing is via social media messaging platforms such as Facebook Messenger, WhatsApp and Instagram. Users tend to be more susceptible to mobile phishing than other methods, Curran said. One of the reasons is because the URLs are not as easy to check from a mobile device.

“Also, text messages and social media messages tend to be shorter and often are using UR shortening third-party sites, so hackers find it easier to create mobile phishing attacks,’’ he explained.

“People also conduct business on mobile phones throughout the day and night and are often distracted when a message arrives and can more easily click on a link without thinking.”

One particularly effective mobile phishing campaign is Dark Caracal, the first known global campaign that steals data from Android devices. The malware uses fake apps that look real, like WhatsApp, and often ask for excessive permissions, according to the Electronic Frontier Foundation (EFF).

Once a user clicks on a malicious link, “This often leads them to download the Pallas malware, which exfiltrates large amounts of information from their Android devices,’’ such as messages, banking information, documents, call records, audio recordings, contacts, photos and app account data, said Curran.

Because there is no easy solution, users are urged to stay vigilant and be skeptical. Curran advises that they look twice when they receive a text or email that starts with their name or some other identifying information.

"Ultimately, user education is the number one tool we have at this moment. If an email or message arrives telling someone there is a problem with their bank account, for instance, then if for any reason they think it is genuine, they should not click that embedded link but move to their browser, open a new link and type in the name of their bank and login that way, or phone the bank directly," he said.

“That simple step would eliminate the phishing attack problem overnight."