Let’s be honest, security has never been simple.
Phishing is one of the oldest forms of cyber attacks, but until recent years it was commonly thought of as an entirely desktop attack vector. This was primarily due to the flow of web traffic coming through laptops and desktop computers; however, the overtaking of mobile traffic has also drawn the attention of threat actors.
The fact that hackers are increasingly targeting mobile devices isn’t exactly a secret.
When most people think about cyber risk, they think primarily of their organization’s servers, PCs, and laptops, and how they might be vulnerable to attack.
But in recent years, the way in which users interact with the outside world has changed. In March this year, for the first time ever, Android overtook Windows to claim the largest share of Internet traffic.
And naturally, where users go, threat actors will surely follow.
This past Friday, the Federal Financial Institutions Examination Council (FFIEC) released new guidance to banks, credit unions, and other financial institutions regarding mobile financial services (MFS). These are the services that institutions provide to their customers through mobile devices, such as electronic payments, remote deposits, mobile apps, etc.
Since the beginning of 2016, PhishLabs has observed a number of malicious mobile applications targeting users of popular payment card companies and online payment sites. These attacks combine traditional, browser-based phishing attacks with the mobile platform in order to create convincing mobile applications. These applications claim to afford the user access to their accounts directly from their mobile device; however, their only functionality is the capability to collect credentials and personal information and deliver that stolen information to the attacker. Our research has indicated that these malicious applications have been created by the same actor or group of actors.
PhishLabs has recently discovered and analyzed a malicious mobile application that is being actively distributed via a SMiShing (phishing via text message) campaign which attempts to hijack two-factor authentication (one time password) by viewing the victim’s SMS messages.