Consumers all over the world continue to click and tap on bogus links on websites and mobile apps, losing personal information and money to conman phishing attacks.
Apart from the Internet of Things (IoT), consumer devices represent arguably the highest number of mobile endpoints, have notoriously poor security and are becoming the target of choice for malicious actors.
In fact, according to the latest figures from Microsoft, phishing remains the single biggest vector of all cyberattacks, largely because it's so much cheaper for attackers than other forms of exploitation.
Multiply the number of devices by the number of attacks, and couple that with the fact that mobile users are three times more vulnerable to phishing, and the risk factor is huge.
But the real issue, given the BYOD trend over the last 10 or so years, is that when the consumer population is at work, they're employees at organizations who may be underestimating the threat posed by phishing in the workplace.
URL click rates soar
A new report from Lookout, a San Francisco-based mobile endpoint security firm, analyzed 67 million mobile devices, revealing that the phishing URL click rate has increased an average of 85% year-over-year for the last seven years.
"Mobile devices have eroded the corporate perimeter, limiting the effectiveness of traditional network security solutions like firewalls and secure web gateways," said Aaron Cockerill, chief strategy officer at Lookout. "Mobile devices are rich targets for attack because they operate outside the perimeter and freely access not just enterprise apps and SaaS, but also personal services like social media and email. They may lack enterprise security but they enable enterprise access and authentication."
It will come as no surprise to enterprises that endpoints can make their networks porous, but the scale of the problem shows just how susceptible they are becoming. The report details that 56% of users received and clicked on a malicious URL, and showing personal vulnerability to repeat attacks, they clicked rogue links an average of six times a year per user.
In a staged security test, 25% of users at an organization clicked on a link sent by SMS that was spoofed to look like a local area number.
Why mobile is so vulnerable
Mobile devices present such a wide attack surface for phishing because they lack the same level of security as desktops, have small screens that are easily spoofed and use pathways into the device that are wider than just email.
Smaller screens than desktop make spotting phishing threats much more challenging, and mobile users lack functionality which would help, such as being able to hover over a hyperlink to see the destination. Longer URLs are often truncated on-screen, further masking the destination.
Once an URL has been clicked, spoofed websites or apps take over, allowing lateral movement within the enterprise, where corporate firewalls and endpoint protection are circumvented. Email, SMS, social media apps and messaging platforms can hijack the user, steal login or personal data and then redirect into the corporate network.
Email makes organizations uniquely vulnerable, because about two-thirds of emails are opened first on mobiles as opposed to desktops. Sometimes, even a click from the user isn't necessary, as apps use URLs in their codebase to access real-time data that supports their functionality.
Malicious URL misdirects
A good example of this is that apps often use advertising to support revenue. Some apps incorporate an ad SDK in their code that delivers advertising to users. Attackers can use the SDK to misdirect to a malicious IRL which then displays a bogus ad that encourages users to unknowingly offer-up data about themselves or the enterprise.
ViperRAT surveillanceware made the news in 2015 when it was used to spy on the Android devices of servicemen in the Israeli Defense Force. The malware uploads contact details, steals photos, monitors device inputs including camera and mic, reads browsing history and screenshots capture data from other apps. Victims were lured to download the app by phishers posing as women on social media platforms.
The Dark Caracal campaign, attributed to the Lebanese security intelligence organization, used Android surveillanceware called Pallas to monitor users and exfiltrate data including documents, contact address books, text messages and application account data. It also selectively activated voice recording from the microphone, and captured elicit photos from the front and back devices cameras.
- Firewall Fail: IT Can't Identify All Network Traffic
- Microsoft Security Is Channeling the Terminator
- Endpoint Security: 3 Big Obstacles to Overcome
— Simon Marshall, Technology Journalist, special to Security Now