Phishing Threats Move to Mobile Devices

Mobile devices are emerging as a primary gateway for phishing attacks aimed at stealing data.

A mobile user is 18 times more likely to be exposed to a phishing attempt than to malware, according to a new report on techniques and technologies that try to get a user to be an accomplice in their own victimization.

While employees have been taught to be suspicious of links and attachments in email, there is considerably less scrutiny of channels like SMS, Skype, WhatsApp, games, and social media. "As more communications take place over mobile devices, organizations haven't changed their thinking to cover the modes of communications taking place on the devices," says Michael Covington, vice president of product at Wandera, which published the report.

Mobile devices are the technology channel on which personal employee and corporate apps and data come together, and criminal hackers are taking advantage of that to reach enterprise credentials through personal communications.

"You can train an employee to not be a victim, but the mobile attacks are so compelling that education isn't enough," Covington says. "We want to see corporations move into the present, recognize the risk and mitigate the risk."

That risk is considerable. According to Wandera's mobile phishing report, the average iOS user has 14 different accounts on their work phone, typically including services such as Amazon, PayPal, and Airbnb. On Android, the number jumps to 20 unique apps. And both messaging and social media apps increased in popularity as an attack vector by more than 100% in 2017, with no sign of that growth slowing in 2018.

While email remains the most common target of phishing attackers, the effectiveness has been dramatically reduced by improving defense systems and years of employee training, the report notes. Fewer than one in five successful attacks originate with email phishing campaigns on desktop and mobile devices. That's not to say that phishing as a tactic is going away.

According to the Verizon 2018 Data Breach Investigations Report, 90% of cyberattacks begin with phishing. There's a good reason for that, Covington says, especially in the mobile domain. "To be perfectly honest, these mobile devices are pretty hardened," he says. "They do have problems, we have seen them exploited, but if you look at something like the current iOS it's pretty hardened. Phishing allows an attacker to bypass all of those protections."

There are companies that see statistics such as those around phishing through apps and decide that the solution is to lock down apps. But that's not an effective solution to the problem, according to Wandera.

"Phishing attacks have been observed in practically every single form of communication on mobile devices, including Skype, QQ, WeChat, Viber and Kik. Clearly this is a problem at scale that cannot be solved through blocking certain apps, or through app-centric controls," the report said.

Mobile phishing attacks have become more sophisticated and effective as the stakes have increased. As Mike Murray, vice president of security intelligence at Lookout, said in an InteropITX session, "Mobile has become not just a target, but the primary target in the enterprise."

"Mobile has a gap and often it's the user sitting on the other side of the interface," says Covington. The danger of that gap is amplified by the behavior of the companies where those users work. Covington explains, "Most organizations want to stop phishing and protect data with GDPR coming online. Neither is being addressed with mobile."

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
