Focus on Phishing
This latest report from Wandera focuses on one of the most overlooked and unglamorous threats – phishing.
Although you may not realise it, phishing has become one of the most prevalent forms of cyberattacks and the fact that in November 2016 mobile traffic surpassed desktop for the first time, hackers now have access to the most powerful distribution network in the world.
Not only are these attacks becoming more frequent but they are also becoming more high-profile in their nature too, with some reports of attackers succeeding in bypassing two factor authentication and other ostensibly secure systems.
So, what makes mobiles vulnerable to phishing?
- Limited Screen Size
The limited screen space available on mobile devices often means that the URL is not always visible on the browser that the user visits. This makes it easy to miss suspicious domains. Furthermore, the ability to scrutinise fine details on webpages is more difficult.
- Distraction Mode
The on the go nature of our lives these days means that most interactions require less concentration from the user meaning we are less likely to pay attention to the fine details which phishers will use to their advantage.
- Secure Medium
For numerous reasons people are typically more trusting of their mobile devices than of desktop devices. This trust that people place in their mobile technology makes phishing attempts more successful.
TYPES OF MOBILE PHISHING
- Financial Fraud
This kind of attack attempts to directly gain access to financial information such as log in credentials and bank details. These are often disguised as legitimate looking emails or SMS messages from services such as PayPal. The messages often contain information regarding an anomalous payment or important service update. The recipient, tempted to inspect the unrecognized transaction clicks through the email and is directed to what appears to be the legitimate PayPal login page. Upon entering their login credentials the hacker collects this information and is afforded access to the users real PayPal service.
- Service Updates
Like financial fraud attacks, this approach sees hackers posing as legitimate looking services such as Dropbox or a utility provider often as an indirect means for financial gain. These fake landing pages are designed to gain access to user credentials which hackers can then use to login to the legitimate service and gain access to everything the user has associated with it.
- Promotional Offer
This form of phishing promotes a discount or special deal. Often the promotion requires the user to share the initial link which helps to spread the attack even further with no effort required from the hacker themselves. This kind of attack is particularly prevalent on social media sites where it is more common for users to trust third party sources. Upon entering their credentials to access this too good to be true deal, the user information becomes accessible by the attacker and is used with malicious intent.
- Sphere Phishing
This type of phishing is much more targeted than other attacks in that hackers will use information specific to the target. Hackers will employ trust and manipulation tactics often by impersonating employees or contractors to extract a piece of confidential data. Facebook and Google famously fell victim to this whereby employees paid invoices worth tens of millions to phony suppliers. This clever blend of targeted information and trust gaining techniques shows how even the most shrewd and intelligent employees can be manipulated by these attacks.
Whaling involves attacks on high profile individuals whereby hackers will typically spend months observing their daily routine and mapping out their personal relationships. Once hackers are equipped with this highly personalised information they will begin to use it to their advantage.
The extensive availability of mobile devices today has afforded attackers a multitude of new methods to distribute phishing URLs. Using Wandera’s unique cloud infrastructure, which operates in the pathway of mobile data, researchers were able to determine which apps and services were being used to distribute the offending links. Contrary to popular belief it was found that only 19% of phishing attacks took place over email and that the remaining 81% took place on mobile apps and sites. Below is a breakdown of the types of apps and services where mobile traffic to phishing sites originate:
- 25.4% from Gaming apps
- 18.9% from Email apps
- 13.3% from Sports apps
- 13.1% from New and Weather apps
- 9.4% from Productivity apps
- 8.1% from Social Media apps
- 6.4% from Messaging
- 5.8% from Ecommerce
- 5% from Dating apps
How can we combat Mobile Phishing?
- Education and basic training around employee practices is essential. Employees should be told to never click through links in unsolicited emails or mobile apps and they must exercise caution when sharing credentials or personal information on mobile devices.
- Education alone however is not enough to solve this complex problem. It is of vital importance that you have a security solution in place that is able to monitor and intercept any traffic directed at phishing sites. As a fundamental technique in the hacker’s toolkit, phishing domains form the cornerstone of most attacks. Device-only mobile security solutions will do nothing to protect against this threat. Whilst employees may have some protection from phishing attacks while they are in the office through the Wi-Fi security system or the web and mail gateways it’s a totally different story the moment they leave the office. Devices are highly vulnerable to phishing over 3G or 4G cellular connections and when devices are connected to unknown Wi-Fi hotspots.
It is evident from the research conducted by Wandera that phishing on mobile devices has become among the most widespread forms of cyberattacks today. The mobile realm has granted hackers access to a powerful distribution network that is easy to take advantage of. It is now more important than ever to protect your corporate mobile devices from these kinds of attacks. Wandera has built the only technology that can detect traffic directed towards phishing sites. To find out how you can implement this system and protect your enterprise from the increasingly prevalent mobile phishing threat get in touch with us today.