Several decades ago when the public took to the web in their masses to experience the benefits of interconnectedness, cyber attacks were practically unheard of. However, things soon changed.
Early adopters of the web soon realized the online world gave them something that they were lacking offline: anonymity. Whilst in many aspects this was viewed as a positive thing, a handful of users took a more cynical approach.
Malicious actors learned that, by employing some relatively simple techniques, it was possible to impersonate third parties, gather intelligence and earn a quick buck in the process. Internet phishing was born. But the question of what phishing actually means still stands.
What is phishing?
When the topic of phishing arises, many look for a definition of phishing in order to understand the problems it can pose. Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal and corporate information. The aim and precise mechanics of the attack can vary, but it is usually centred on soliciting personal data from the victim or getting them to install malicious software that can inflict damage upon their device.
Why are phishing attacks so dangerous? Well, they exploit the most vulnerable part of an organization: its employees. Employees are arguably a corporation’s best asset, but when it comes to keeping data safe they double up as their biggest security threat.
Even the most vigilant team members respond to cleverly targeted phishing campaigns, click on files riddled with malware and open attachments from “colleagues” without giving it a second thought. Phishing is not only common, it’s also the most damaging and high-profile cybersecurity threat facing enterprises today – a view supported by research from Google, Black Hat and US Homeland Security.
How does a phishing attack start?
The attack itself usually begins with a form of communication to an unsuspecting victim: a text, an email, or an in-app communication. The message is engineered to encourage user interaction with an enticing call to action. Perhaps the chance to win a new iPhone, a voucher for a free holiday or more simply, the opportunity to gain access to a service like PayPal or Facebook.
In order to solicit personal information from the victim, the phisher will often lull them into a false sense of security by sending them to a legitimate looking webpage to fill in their details. This intel could either be used immediately to gain access to the service via the official site, or the data could be harvested and sold on to others on the Dark Web.
Mobile is the new frontier for cybercrime. A huge 48% of phishing attacks are on mobile according to Cloudmark and the number of mobile phishing attacks is doubling every year. In fact, mobile phishing is so rife that a new attack is launched every 20 seconds. That’s more than 4,000 mobile phishing attacks per day.
It’s widely accepted that most web traffic now happens on mobile. Therefore it doesn’t come as a shock that hackers use this to their advantage by crafting their attacks for a mobile platform. Cell phones are a fertile arena for phishing attacks for a number of other reasons as well. Firstly, it’s easier for an attacker to exploit a person than it is to exploit the relatively robust mobile operating systems, especially on iOS.
Mobile devices have smaller screens and feature a number of visual shortcuts, meaning spotting suspicious URLs or malicious senders is far more difficult than on desktop. Users are also more distracted and vulnerable on mobile devices due to their portable nature and inherently personal feel.
How employees get phished on mobile
Security systems pointed at traditional architecture – desktop, for example – are typically well resourced and robust at defending against attacks. Text messages on mobile tend to be an overlooked area in a CISO’s strategy, and thus make for lucrative phishing waters for attackers. It’s also remarkably easy to emulate the sender information to make it look like messages are sent from a trusted service.
This impact is amplified by the fact that very few individuals know the phone number of their ISP, banking provider or cloud storage account, meaning inspection of the sender address is unlikely to arouse suspicion. With SMS phishing (also known as ‘smishing’), if a message looks like it comes from Microsoft, for most people there’s little reason to suspect otherwise.
Victims are directed towards a fake landing page, designed to harvest user credentials. Again, with little to no network protection and most mobile security solutions focusing only on compromises of the endpoint, there is effectively zero protection against this kind of attack inside most businesses – especially when users are visiting these phishing pages on public WiFi or through mobile data connections.
Whishing and other messaging apps
It’s not only through SMS that phishers are able to reach their targets with surreptitious links. WhatsApp is another powerful channel for distributing phishing attacks, with hackers able to create profiles disguised to look like legitimate senders.
Once again, as most people are not familiar with the official accounts of various brands, profiles that feature a legitimate-sounding name and logo are much more convincing than an email from an unknown address. The rise of WhatsApp phishing, or ‘whishing’, has seen a growth in campaigns that offer promotional deals, often pretending to be from well-known brands like McDonalds, Nike or supermarket chains.
In some cases, these attacks are more focused and instead follow a spear phishing methodology. These attacks involve the impersonation of a known individual, who with some quick internet research can be easily mimicked to build a misplaced sense of trust in the target – again exploited in order to extract data from the victim.
Worryingly, these attacks are everywhere. There is nothing wrong with WhatsApp itself, so locking down access simply moves the problem rather than solving it. More importantly, it’s not just SMS and WhatsApp that feature in the mobile phisher’s toolkit. With literally thousands of messaging apps to choose from, phishing attacks could happen almost anywhere.
Research at Wandera uncovered instances of employees navigating to phishing URLs through dating apps like Tinder and Happn. In fact, analysis of phishing activity on thousands of employee devices suggests that over 5% of all successful mobile phishing attacks take place on dating apps.
Phishing attacks have been observed in practically every single form of communication on mobile devices, including Skype, QQ, WeChat, Viber and Kik. Clearly this is a problem at scale that cannot be solved through blocking certain apps, or through app-centric controls.
Protecting your fleet
No matter how hard you try to educate yourself and your team, it’s inevitable that some attempts will slip through the net. However, don’t stress – it’s not all doom and gloom. The only way the attacker can exfiltrate your data is if they’re able to communicate with your device.
To stay ahead of the attacker it’s imperative to have a security solution in place which is able to intercept traffic to phishing sites, stopping the threat at its source.
How to protect your device fleet
Wandera’s mobile threat prevention and detection technology monitors and blocks traffic in transit, blocking phishing attacks wherever they originate – including in SMS, email, applications and in the browser.
Unlike app-centric solutions, it doesn’t have to be open on the device and doesn’t rely on updates to keep users safe from the latest threats. We hope we have answered the question, “what is phishing”, but to learn more about the complex world of mobile phishing and how to defend against mobile security threats within your organization, get in touch with one of our mobile security experts.