Phishing is the number one threat affecting organizations today; in fact, 90% of cyber attacks start with a phish. While phishing has been around for a long time, today’s mobile attacks have evolved beyond all recognition.
With more than 57% of all Internet traffic coming from mobile devices, it’s no surprise that attackers have turned their attention to mobile employees and the wide range of communications apps and sites they use. Research shows 48% of phishing attacks take place on mobile, and users are 3x more vulnerable to phishing on mobile than on desktop.
Our latest Mobile Phishing Report delves deeper into the current mobile threat landscape, examining the sophisticated mobile phishing attacks targeting businesses across the globe. Wandera’s threat research team analyzed the traffic to known phishing domains to determine which apps and services are used to distribute the phishing attacks. The following data has been gathered from a sample of 100,000 Wandera-enabled devices over a four week period in March 2018.
Today’s mobile phishing attacks move fast
Wandera’s research shows that a new phishing site is created every 20 seconds – that’s over 4,000 new mobile phishing pages being created each day. Problematically, list-based phishing protection services that use logs of known phishing URLs are not effective when used in isolation, because sites are not detected and registered in real time. The average phishing site is live for only four hours, so threat detection techniques need to work faster than the lists can be updated.
What’s also concerning is that hackers are utilizing a multitude of new distribution methods made available by the explosion of mobile. While email remains a prime target for attackers, email filters and decades of training mean that these attacks are seldom effective. When looking at actual live successful attacks, fewer than 1 in 5 originate from email phishing campaigns.
“Mobile phishing is relentless within the enterprise and we don’t expect this to change any time soon. Unsuspecting victims are encouraged to click links, or run files to launch malicious code to start the attack.”
– Sachin Sharma, Product Marketing at VMware
Today’s mobile phishing attacks are happening in “safe” waters
Our research also highlights another attack trend that is worth looking at in more detail. A number of phishing sites are using HTTPS certificates to conceal their deceitful nature. One new HTTPS phishing site is created every two minutes. How does this work? SSL certificates are a way of digitally certifying the identity of a website and securing its traffic.
They signal to the user that information exchanged with the site is encrypted and can only be read with the proper decryption key. Countless cybersecurity campaigns advocate encryption and tell enterprises that HTTPS sites are the ones to trust, so what’s the problem? Exactly that: a certificate proves that its holder controls the domain name, not that the site behind it is honest.
Users perceive HTTPS sites to be secure, so they’re less likely to suspect a ‘phish’. Realizing this, hackers use sites like letsencrypt.org to gain SSL certification for their insecure phishing sites. Throughout 2017, the number of phishing sites operating from a secure HTTPS domain skyrocketed, growing by over 1000% and it’s a trend we expect to continue as attackers improve their techniques.
In a similar sense, iPhones have a reputation for being secure, but this notion only leads iPhone users into a false sense of security. Our research shows that iOS users are 18x more likely to be phished than to download malware. Why are phishers targeting iOS? Probably because it’s easier for an attacker to exploit a person via phishing than it is to exploit the relatively robust mobile operating systems – especially iOS.
Today’s mobile phishing attacks use a wider net
Security systems pointed at traditional architecture – desktop, for example – are typically well resourced and robust at defending against attacks. Text messages on mobile tend to be an overlooked area in a CISO’s strategy, and thus make for lucrative targets for attackers. It’s also remarkably easy to spoof the sender information to make it look like messages are sent from a trusted service.
Our research found messaging apps and social media are fast becoming the most popular delivery method for mobile phishing attacks with a 170% increase in messenger app phishing and a 102% increase in social app phishing from 2017 to 2018.
It’s not only through SMS that phishers are able to reach their targets with surreptitious links. WhatsApp is another powerful channel for distributing mobile phishing attacks, with hackers able to create profiles disguised to look like legitimate senders.
Our research also uncovered instances of employees navigating to phishing URLs through dating apps like Tinder and Happn. In fact, analysis of phishing activity on thousands of employee devices suggests that over 6.1% of all successful mobile phishing attacks take place on dating apps.
“6.2% of all successful mobile phishing attacks take place on dating apps”
[Chart: The categories where mobile phishing attacks originate]
[Chart: The top 5 apps for messenger phishing]
Today’s mobile phishing attacks are selective
Corporate devices hold a vast array of data for attackers to target. While many apps are authenticated with single sign-on services like Okta and OneLogin, many employees make use of their own user credentials or Facebook and Google logins. The average iOS user has 14 different accounts on their work phone, typically including services such as Amazon, Paypal and Airbnb. On Android, there are even more for the phishers to steal, with the average user having apps requiring 20 unique logins.
The previous examples highlight how attackers are not short of distribution vehicles for their phishing campaigns. Utilizing a range of communication platforms is one thing, but in order to increase the success rate of an attack, malicious actors need to be selective when deciding which companies to impersonate. It’s simple – reputable brands with large user communities are less likely to arouse suspicion, as the victim may already receive regular communication from the service; plus, a brand with over 1 billion users means there are more “fish in the sea”.
In order to better understand current attack trends, MI:RIAM – Wandera’s machine learning and intelligence engine – analyzed the unique fully qualified domain names (FQDNs) of phishing sites to identify the top 10 brands targeted by mobile phishing attacks.
[Chart: Top 10 brands targeted by mobile phishing attacks]
Today’s mobile phishing attacks can beat basic security measures
Think you’re safe because you use 2FA? You’re not. Malicious entities are using fake login pages to bypass two-factor authentication. How do they do this? In short, the attacker captures the victim’s credentials on a fake page whilst simultaneously entering them into the official site. This triggers the authentication text message with a code; the victim enters the code into the fake page, where the attacker captures it and enters it into the real page before it expires. Worryingly, this process can be automated to carry out an attack on an organization at scale.
Zero-day phishing protection
In order to tackle this heavy shift toward corporate devices and pervasive accounts, a new approach to phishing protection is required. Solutions available on the market now rely on existing logs of phishing domains to enforce blocks. Wandera has advanced MI:RIAM’s phishing algorithm with next-generation machine learning to proactively seek out, recognize, and block phishing attacks before they hit their first ‘patient zero’. The zero-day phishing algorithm is complex, and relies on a variety of input factors to determine if a web page is in fact malicious. Numerous points of data are analyzed and taken together to generate a risk score which ultimately determines if the page is flagged and blocked – the moment it is discovered.
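To make the idea of a multi-signal risk score concrete, the following is an added example written for this page; it is not Wandera’s MI:RIAM algorithm, and the signals, weights, brand list and threshold are all constructed assumptions. It scores a URL from several weak indicators taken together, gives the HTTPS scheme a weight of zero (a certificate is no proof of honesty, as the section on “safe” waters explains) and treats a well-known brand name appearing under someone else’s registered domain as the strongest single signal, reflecting the brand-impersonation trend above.

```python
"""
Toy multi-signal phishing-URL risk scorer (constructed example, not Wandera's MI:RIAM).
Several weak signals from the URL alone are combined into one score; the HTTPS scheme
deliberately contributes nothing, since a certificate only proves control of a domain
name, not that the site behind it is honest.
"""
import ipaddress
from urllib.parse import urlparse

# Brands and their genuine registered domains (constructed list; assumption for the example).
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "google": "google.com",
}

# Path words that commonly appear on credential-harvesting pages (assumption).
CREDENTIAL_WORDS = ("login", "verify", "secure", "account", "update")

FLAG_THRESHOLD = 40  # assumed cut-off; a real system tunes this against labelled data


def registered_domain(host: str) -> str:
    """Naive 'last two labels' registered domain. A real implementation would use the
    Public Suffix List so that hosts such as example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_url(url: str) -> dict:
    """Return the risk score, the verdict and the list of (signal, weight) pairs that fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    labels = host.split(".") if host else []
    signals = []

    # HTTPS is NOT a trust signal: phishing sites obtain certificates too.
    # It is recorded for visibility but weighted zero.
    if parsed.scheme == "https":
        signals.append(("https_scheme", 0))

    if is_ip_literal(host):
        signals.append(("ip_literal_host", 30))
    else:
        reg = registered_domain(host)
        # Brand name somewhere in the hostname, but the registered domain is not the brand's own.
        for brand, genuine in BRAND_DOMAINS.items():
            if brand in host and reg != genuine:
                signals.append((f"brand_lookalike:{brand}", 40))
                break
        if len(labels) > 3:
            signals.append(("deep_subdomain", 10))
        if any(label.startswith("xn--") for label in labels):
            signals.append(("punycode_label", 20))

    if host.count("-") > 2:
        signals.append(("many_hyphens", 10))
    if len(host) > 40:
        signals.append(("long_host", 10))
    if any(word in path for word in CREDENTIAL_WORDS):
        signals.append(("credential_path_word", 10))

    score = sum(weight for _, weight in signals)
    return {"url": url, "score": score, "flagged": score >= FLAG_THRESHOLD, "signals": signals}


# Constructed sample URLs (example.com/.example and TEST-NET addresses; nothing real).
SAMPLE_URLS = [
    "https://paypal.com.secure-login-verify.example/account",  # brand under another domain
    "https://www.paypal.com/signin",                           # genuine brand domain
    "http://192.0.2.10/login",                                 # bare IP with login path
    "https://xn--pypal-4ve.example/",                          # punycode label, no path word
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = score_url(sample)
        verdict = "BLOCK" if result["flagged"] else "allow"
        print(f"{verdict:5} {result['score']:3} {result['url']}  {result['signals']}")
```

The point of the design is that no single indicator is decisive: the punycode sample stays below the threshold on its own, while the bare-IP login page and the brand-under-a-stranger’s-domain page both cross it, and in neither case does the presence or absence of HTTPS move the score.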
Mobile Phishing Report 2018
Phishing sites morph, evolve and redirect by the second – allowing hackers to alternate their techniques. Learn more about the mobile phishing threat landscape.