Beatriz Cleves & Paul Wilson, January 20, 2021
Mobile Devices More at Risk Than Ever
Malicious attacks have moved from desktop browsers and computers to mobile apps and devices, where end users now spend most of their time online. Cybercriminals are leveraging security vulnerabilities, SMS phishing and a myriad of other techniques to infect mobile devices and steal sensitive data to compromise accounts.
Cybersecurity journalists and analysts increasingly talk of doom and gloom, for good reason. New attack strategies and techniques are emerging with consistency.
Verizon’s latest Mobile Security Report states that 50% of companies “are falling behind attacker’s capabilities,” and 54% of companies were “less confident about the security of their mobile devices than that of their other systems.”
Staying ahead of these trends and understanding the latest attacks is of utmost importance considering the threat landscape related to mobile devices. Below, we look at the most recent attack techniques and vectors.
SMS Phishing Campaigns
In recent months, malicious actors have especially targeted mobile devices, with a 600% increase in mobile SMS phishing attacks in 2020.1 Though it seems unlikely, many individuals do fall for SMS phishing attacks. Early last year, there was an SMS scam targeting individuals who were staying at a hotel. The message was so convincing that 54% followed the link.2
Targeted SMS phishing campaigns have varied throughout the last year, evolving and becoming increasingly realistic. Where there’s an action there’s a fraudster reaction, which certainly applies to the techniques and timing of these attacks.
- Logistics Companies:
With so many individuals shopping online instead of visiting retail stores due to the pandemic, malicious actors launched various campaigns impersonating logistics companies. In the middle of the year and especially throughout the holidays, there was an influx of SMS phishing related to lost FedEx or Amazon packages with links to malicious sites.
- Financial Scams:
SMS text messages were sent to various PayPal users informing victims that their accounts have been “permanently limited” and that they need to follow the link to verify their identity.3 Our customers have also reported various SMS scams related to PPE loans and other fake financial relief initiatives.
- COVID Scams:
Recently, there have been mobile phishing campaigns related to COVID-19 vaccines. One of them reads “We have identified that you are eligible to apply for your vaccine” and then prompts the user to click on a link for further information or to ‘apply’ for the vaccine.4 With most individuals eager to receive a vaccine, it’s no surprise that many fell victim.
Mobile Emulator Attacks
Mobile emulators have been around for some time and are typically used to conduct testing in a virtually simulated mobile environment. Instead of using a physical mobile device, app developers prefer using emulators to test and carry out quality assurance tasks. In recent years, emulators have been popular amongst malicious actors to execute elaborate fraud schemes targeting mobile users. With basic information about a legitimate device, fraudsters can easily recreate mobile environments and gain access to sensitive information.
IBM’s security research team recently discovered a sophisticated attack involving mobile emulator farms.5 They reported that these emulators were used by a cyber-gang targeting several financial institutions.
Using emulators, the malicious actors were able to spoof actual user devices and access sensitive data – resulting in account takeover. They used various methods to carry this out including automation, scripting, phishing logs, and more. Nearly 16,000 devices were compromised, and millions of dollars were stolen within a matter of days.6
Emulators can be used for legitimate reasons in certain cases, but not when it comes to accessing sensitive data. To ensure a secure mobile session, users accessing mobile apps containing sensitive data from emulators are generally deemed high risk.
OS Security Measures are not Enough
Apple and Android have made strides in securing their operating systems, but fraudsters are relentless in carrying out new and more sophisticated attacks. This means that rogue mobile apps delivering any number of nasty malicious programs via Trojans continue to be a problem. Unlocking smartphones from the manufacturer-imposed limitations, a practice known as jailbreaking or rooting, is another highly unsecure practice.
Users may choose to jailbreak or root their phones for various reasons, but the downside is that the phone – whether Android or iOS – becomes inherently unsecure. Attackers are even known for developing malware that specifically targets jailbroken or rooted phones, as they are much easier to infect.
Control what you can
It’s impossible to control or limit what users do on their devices. The most effective approach involves implementing a security strategy that focuses on assessing device risk. A truly exhaustive mobile fraud protection solution must be capable of assessing whether a device is risky (by being jailbroken, for example). It should allow organizations to decide which devices should be denied access based on their risk tolerance.
For a financial institution’s customers who want to do their banking via their smartphone or tablet, all the protection they need can be integrated or “baked into” the bank’s own mobile application – providing a secure and frictionless experience.