Phishing is one of the oldest forms of cyber attacks, but until recent years it was commonly thought of as an entirely desktop attack vector. This was primarily due to the flow of web traffic coming through laptops and desktop computers; however, the overtaking of mobile traffic has also drawn the attention of threat actors.
At the end of 2016, Android devices overtook Windows desktops as the most commonly used platform for accessing the internet. As with most technology, innovation tends to outpace security aspects critical for a stabilized user-base, which makes mobile a viable medium for phishing attacks.
Mobile attacks have become increasingly popular as mobile devices are typically less secure and offer more variables for the attacker to manipulate users. While the hardware is becoming more secure with encrypted fingerprint sensors and even facial recognition, like desktop phishing attacks, the user is still the primary weak point. Even with training, there are new tactics in play that trick a user or are socially engineered to complete a desired action.
People are not yet conditioned or vigilant when it comes to mobile attack campaigns, especially when they come through text messages, social messaging, or other chat messaging services. In many cases users simply don’t review the contents of a mobile message when it appears to come from a trusted source, even though the same telltale signs of a phishing attack are typically present.
For example, last June, our Director of Threat Intelligence, Crane Hassold, discussed a new tactic that was both simple and could easily fool most users. URL Padding, or the process of adding enough characters in the URL to hide any funky or abnormal text, has been observed on numerous phishing sites.
For instance, check out this phishing site URL:
Although the URL mostly looks normal up front, the dashes hide the rest of the abnormalities. This is effective on mobile devices simply due to the screen size real estate, which means the same tactic would not be as effective on a desktop monitor or even a tablet.
So what does this all mean? With an increase in user adoption of the mobile web, threat actors also follow behind. However, most training programs are not agile enough to cover the rapidly changing tactics in play, and that creates a massive weak point for both organizations and general consumers.
Social Engineering, The True Threat
One of the reasons phishing threats continue to be so pervasive is not because they are technologically advance, but more so a psychological attack that exploits the human mind. On a daily basis we are inundated with countless emails, messages, social media posts, and other digital communication. Due to the normalization of these mediums and some of the inherent trust builtin, threat actors take advantage of us by abusing both the platforms and brands we use the most.
Unfortunately social engineering creates two issues for security awareness training: the speed for which technology changes and training typically can’t keep up.
Two-Factor Helps, But Isn’t Foolproof
In response to increased attacks targeting users, many companies now offer SMS-based two-factor authentication (2FA) to limit or prevent fraudulent access. As a result of these defensive measures, attackers have created SMS interceptors that are used in some threat campaigns. Using these tools, attackers can obtain a user’s credentials via a phishing campaign and then intercept the user’s 2FA mobile message. As a result, the attacker would then have all the necessary information needed to pass authentication tests and gain access to a user’s account.
The use of 2FA bypass has also become an increasingly common feature in mobile malware, especially mobile banking trojans. Often used for credential and SMS theft, mobile banking trojans possess the ability to intercept or steal SMS messages, system information, contacts, call history, and other user data. Some of the most prolific mobile banking trojans in 2017 included BankBot, Marcher, RedAlert2, Mazar, and LokiBot.
Training Needs to Catch Up
“Users may have learned good security habits for the desktop environment, but many of those don't apply well to the mobile user experience. Attackers are exploiting the fact that downloading apps, opening links, and a wide range of other things are different on mobile platforms. As the shift towards mobile continues, it's critical that SAT programs invest in building strong mobile security habits as well.,” said PhishLabs Vice President of Enterprise Services, Stacy Shelly.
If you're interested in a modern security awareness training program that changes user behavior, your first lessons starts by clicking here (which is not a phish).