Mobile phishing on the rise
Fifty-six percent of users clicked a phishing URL that they received on their mobile devices and that had bypassed existing layers of phishing defence. Mobile users who clicked on a phishing URL did so an average of six times a year.
This was one of the findings of a report titled 'Mobile phishing 2018: Myths and facts facing every modern enterprise today', published by mobile security company Lookout, which studies the behaviour of the company's users.
New avenues of attack
The company says it has seen this mobile phishing URL click rate increase by 85% year-over-year. "Contrary to popular belief, phishing attacks are not isolated to e-mail. Mobile devices open entirely new avenues of attack for malicious actors."
Moreover, phishing attacks are highly effective on mobile devices, because hidden e-mail headers and URLs make it child's play to spoof e-mail addresses and Web sites. In addition, new vectors, including SMS and messaging apps, allow hackers to personalise their campaigns.
According to the company, attackers now take advantage of SMS and MMS as a means of phishing, as well as some of today's popular social media apps and messaging platforms, including WhatsApp, Facebook Messenger, and Instagram.
An eroding perimeter
Aaron Cockerill, chief strategy officer at Lookout, says mobile devices have eroded the corporate perimeter, significantly lowering the effectiveness of traditional network security solutions such as firewalls and secure Web gateways.
"Operating outside the perimeter and freely accessing not just enterprise apps and SaaS, but also personal services like social media and e-mail, mobile devices are rich targets for attack since they may lack enterprise security, but enable enterprise access and authentication," he adds.
Organisations that ignore mobile phishing do so at their peril, he says. There have been several phishing attacks that prove that attackers are moving beyond e-mail and targeting mobile devices.
There's a RAT on my phone
An example of this is ViperRAT, a sophisticated form of surveillanceware. The attackers behind ViperRAT lure victims into downloading a malicious app by posing as women on social media platforms. After building a relationship with the victim, the attacker sends them a message over the social media platform asking them to download an app, supposedly for easier communication, which the attacker delivers for installation directly via a malicious URL.
To install the malware, the victim grants various permissions, which effectively enable the threat actors to carry out surveillance using the device. The hackers can execute on-demand commands, allowing them to take photos and record audio, collect information about the device, browse the Web, send and receive messages and eavesdrop on conversations.