Introduction

It was a scary time for IT and security teams in 2018. Attacks that exploited AI features, sophisticated malware in broad distribution, unrecognizable phishing techniques, and widespread abuse of location data were just a few of the trends that made 2018 a particularly tumultuous year for security teams.

As organizations fight to secure their valuable data against an ever-growing range of threats, the fear of a data breach is keeping CISOs up at night. In 2018, one breach headline after another captured public attention, with high-profile data leaks hitting Marriott Starwood Hotels, British Airways, MyFitnessPal, T-Mobile, Google and Facebook.

Additionally, 2018 was the year that GDPR (General Data Protection Regulation) came into effect. With heftier fines for data breaches and a shorter window of time for affected companies to report known breaches, 2019 is poised to be the “Year of GDPR Lawsuits”. A prime case in point was Google being fined $57m under the GDPR regime in the first month of the year.

Why do malicious actors seek to infiltrate corporate devices? How are they getting past existing security measures? What makes the current mobile security climate so volatile? This report aims to answer these questions by reflecting on the latest wave of mobile threats and vulnerabilities, reporting on the threat landscape, and making projections for the year ahead. The data in this report comes from our network of corporate-enabled mobile devices across thousands of enterprise customers globally, making up the world’s largest mobile security dataset.

In the past year we have seen:

32,846 malware incidents

455,121 phishing incidents

1.9 million WiFi incidents

31.6 million data leaks

“Consumer confidence is eroding more and more with every data breach. It’s never been more important to take those precautionary measures to secure your IT infrastructure, inside and outside the perimeter. Too many companies wait until it’s too late to set up sufficient protections that extend to endpoints like mobile.”

Alex Cherian, Senior Offering Manager at IBM Security

A changing landscape

Threats have increased in sophistication

Apple and Google took great strides to strengthen the security of their devices in 2018 and, as a result, attackers have increasingly looked to circumvent hardened platforms by turning to social engineering techniques. With the rise of BEC (Business Email Compromise) and spear phishing attacks, it has become abundantly clear that malicious actors are taking the time to research their targets’ behavior and exploit weaknesses.

With more web traffic now taking place on mobile than desktop, scammers are taking note by hitting victims with regular device-centric scams that leverage popular apps. Instead of casting wide nets with comparatively rudimentary techniques in the hope that some will take the bait, attackers have focused on creating the most effective social engineering techniques to bolster success rates.

Global mobile traffic from 2017-2022

Mobile has made us more exposed to attacks

Technological advancements, paired with a deeper understanding of how to manipulate victims, broadened the attacker’s repertoire in 2018. As a society, we have come to accept invasive apps and services that collect rafts of personal data in exchange for more personalized services. This has reached a point where we’ve become somewhat blasé with whom we share our most personal information.

Many organizations embraced BYOD (Bring Your Own Device) policies with open arms. As a result, internal IT teams forfeited sovereignty over these devices, which reach deep into corporate servers and sensitive databases. Attackers found new ways to trick us into doing exactly what they want us to do: allow them to infiltrate organizations and retrieve highly confidential data.

The number of mobile phone users in the world was predicted to pass the 4.7 billion mark by 2019, so it comes as no surprise that mobile is now the focal point of attacks. Cybercriminals have developed a troublingly deep understanding of human nature, and they know exactly how to use it against us.

Understanding the mobile threat landscape in 2019

1. Network attacks

2. App-based phishing attacks

3. Leaky apps

4. Risky configurations

5. SMS phishing

6. Malware

7. Known exploits

8. Out-of-date OS

9. Risky web content

10. Cryptojacking

Phishing is still the number one mobile threat

A new phishing site is launched every 20 seconds and is only active for an average of 4 hours

To most people, the word “phishing” conjures up thoughts of poorly worded emails offering ‘unclaimed lottery winnings’ or ‘hassle free’ payouts from ominous third parties. Fast-forward to 2019, and things are very different. Phishing is not only pervasive, but it is also the most damaging and high-profile cybersecurity threat facing organizations today – supported by research from Google, Black Hat and the U.S. Department of Homeland Security.

57% of all organizations have experienced a mobile phishing incident

The prevalence of phishing within our network of corporate mobile devices is very high, considering that many of them are purpose-built, single-function devices, such as point-of-sale iPads that run a single payment application with no access to web browsing or email. The likelihood of encountering a mobile phishing attack also climbs with employee count. Once an organization exceeds 1,000 employees, the likelihood of a phishing incident reaches 85% and continues to increase exponentially as the employee count climbs.

Phishing has moved beyond email

Having realized that email was a breeding ground for cyber threats, organizations responded by enlisting email-focused security solutions to protect data. However, this style of protection fails to provide comprehensive protection for the mobile workforce, as the proliferation of mobile technology has dramatically changed the phishing landscape. Wandera’s 2018 Mobile Phishing Report revealed that 83% of mobile phishing attacks occur outside of email. Less scrutinized channels like SMS, iMessage, Facebook Messenger, WhatsApp and other popular messaging apps, games and social media platforms are being employed at scale to distribute phishing links in places employees previously thought were safe from cyber threats.

83% of successful mobile phishing attacks take place outside of email

Mobile is a fertile arena for phishing attacks for a number of reasons. First, people work quickly and act instinctively on their mobile devices. The smaller screen size makes it more difficult to inspect suspicious-looking URLs, and the on-the-go nature of mobile devices means more distracted users. Also, BYOD users tend to be more trusting of their personal mobile devices, and cybercriminals use this sense of security to their advantage in exploiting human error.

Phishing attacks are using high profile sites and brands

To increase the success rate of an attack, hackers need to be selective in deciding which companies to impersonate. It’s simple – reputable brands with large user communities are less likely to arouse suspicion, since victims may already receive regular communication from these brands. Plus, the more users, the more potential targets.

Top 10 most impersonated brands in phishing attacks

90% of data breaches start with a phishing attack

Phishing URLs are almost impossible to detect

Attackers are increasingly using punycode in their phishing domains to make them harder to detect. Punycode converts Unicode characters (from scripts such as Cyrillic, Greek and Hebrew) into ASCII characters so computers can understand them. Unicode characters allow domain names that look familiar to the naked eye but actually point to a different server or link to an unfamiliar domain. It is easy for an attacker to launch a domain name that replaces some ASCII characters with similar-looking Unicode characters. Punycode can encode not only characters from other alphabets but also emojis.

Punycode attacks are up 250% year over year, with 5.2% of mobile phishing attacks now containing punycode
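A defender-side check for the punycode lookalikes described above, as an added example that is not part of the original report: it decodes punycode (`xn--`) labels to the form a user would see and flags labels that mix scripts. The function names and sample hostnames are constructed for illustration, and script detection by Unicode character name is a coarse assumption, not a full confusables check.

```python
import unicodedata

def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(text):
    """Coarse script names (first word of each Unicode character name)."""
    found = set()
    for ch in text:
        if ch in "0123456789-":
            continue  # digits and hyphen are shared by every script
        if unicodedata.category(ch).startswith("S"):
            found.add("SYMBOL")  # emoji and other symbols
        else:
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def assess(hostname):
    """Return (display_form, flags) for a hostname taken from a link."""
    shown, flags = [], []
    for raw in hostname.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            shown.append(raw)
            flags.append("invalid punycode")
            continue
        shown.append(label)
        if label != raw:
            flags.append("punycode label")
        found = scripts_in(label)
        if len(found) > 1:
            flags.append("mixed scripts: " + "+".join(sorted(found)))
        elif found and found != {"LATIN"}:
            flags.append("non-Latin script: " + found.pop())
    return ".".join(shown), flags

# Constructed samples (not from the report): a Cyrillic "a" (U+0430) in
# front of "pple", an emoji-only label, and an ordinary ASCII name.
HOMOGRAPH = "xn--" + "\u0430pple".encode("punycode").decode("ascii") + ".com"
EMOJI = "xn--" + "\U0001F600".encode("punycode").decode("ascii") + ".example"

if __name__ == "__main__":
    for host in (HOMOGRAPH, EMOJI, "example.com"):
        print(host, "->", assess(host))
```

A label written entirely in one non-Latin script is reported separately from a mixed-script label, since legitimate internationalized domains fall in the first group while a single swapped character falls in the second.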

Phishing sites use encryption to increase effectiveness

Our research shows significant growth in phishing sites served over HTTPS. It has been drummed into users that HTTPS sites are secure, so a phishing attack over HTTPS is less likely to be suspected. Realizing this, hackers use free services such as ‘Let’s Encrypt’ to obtain SSL certificates for malicious phishing sites.

10% of mobile phishing attacks occur over HTTPS

Most common issuers

Mobile malware is growing more aggressive

Mobile malware has become a high-priority security concern for enterprises globally over the last few years. There are many factors to consider when assessing the riskiness of apps. Malicious apps come in all shapes and sizes. Which variants of mobile malware are most destructive, and what trends should enterprises expect to see over the next 12 months?

13% of all organizations have experienced a malware incident on a mobile device

Since there are many categories of malware (spyware, ransomware, trojan, banker, adware, etc.), and many types of malware that borrow characteristics from multiple categories, it’s easier to analyze the impact of bad apps by asking: “What is it trying to do?”

Some bad apps are designed to exploit OS vulnerabilities to steal data. Others change the configurations of devices to pull down even more malicious software with additional functionality. Some deliver pop-up ads or trigger spates of premium SMS messages for monetization. And others simply cripple devices so they become unusable for a period of time.