Mobile phishing a growing threat, warns report

The rate at which enterprise users are falling for phishing attacks on mobiles has increased 85% every year since 2011, research by mobile security firm Lookout shows.

Despite education around traditional phishing, 56% of Lookout users fell for a phishing link on their mobile device between 2011 and 2016, according to the firm’s latest report on mobile phishing.

Mobile users who clicked on a mobile phishing link did so an average of six times per year, the data shows. The report is based on analysis of anonymous data from more than 67 million mobile devices protected by Lookout since 2011.

Mobile devices are becoming a popular target for phishing attacks, the report said, because they are connected outside traditional firewalls, they typically lack endpoint security controls, they access a variety of messaging platforms, they hold a huge amount of personal and corporate data, and it is difficult to see the destination of links on mobile devices.

In one enterprise experiment, over 25% of employees clicked on a link in an text message from a phone number spoofed to look like one in their area.

“Mobile devices have eroded the corporate perimeter, limiting the effectiveness of traditional network security solutions like firewalls and secure web gateways,” said Aaron Cockerill, chief strategy officer at Lookout.

“Operating outside the perimeter and freely accessing not just enterprise apps and cloud-based software services, but also personal services like social media and email, mobile devices are rich targets for attack since they may lack enterprise security, but enable enterprise access and authentication.”

Phishing attacks are particularly effective on mobile devices, the report said, because hidden email headers and URLs make it easy to spoof email addresses and websites while new vectors, including test messages and messaging apps, enable attackers to make their campaigns personal.

“It’s critical for enterprises to realise that when it comes to mobile devices, email is not the only phishing attack vector,” said Cockerill.

“Attackers now take advantage of text messages, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organisations at risk.”

The report highlights a cyber crime phishing campaign dubbed Dark Caracal, which uses phishing messages through WhatsApp and Facebook to lure victims into clicking malicious links and downloading Android malware, called Pallas, which is designed to collect huge amounts of data.

Dark Caracal targets include governments, military organisations, utilities, financial institutions, manufacturing companies and defence contractors. The types of exfiltrated data are extensive, including documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos and account data.

The Lookout report adds to a growing body of research that establishes that most cyber attacks begin with phishing and people are more susceptible to phishing on mobile.

To address the growing threat of mobile phishing and capitalise on the commercial opportunity, Lookout has introduced phishing and content protection to its mobile endpoint security product.

According to Lookout, the enhanced product is designed to detect phishing attempts from any source on mobile devices, block connections on mobile devices to known malicious links, alert users to phishing sites, and gain visibility into the frequency and severity of users clicking phishing and malicious links.