Mobile phishing attacks are scary and on the rise: 85% are outside of email

Scary Mobile Phishing

Mobile phishing attacks are getting so sophisticated that they can fool even the smartest of us. Cybercriminals can now intercept your call with a bank without you even noticing. But it’s not always greater sophistication that enables successful attacks.


Phishing attacks are increasingly targeting mobile devices, and a restricted user interface on a smartphone fools users into doing dangerous things, Aaron Cockerill, Chief Strategy Officer at Lookout, told CyberNews.

“Phishing is definitely expanding into all available channels – that is, bad actors are innovating just as quickly as good developers, leveraging all the limitations, capabilities, and the personal nature of mobile devices to successfully social engineer consumers,” he said.

85% of mobile phishing attacks happen outside of email, Cockerill revealed during the MIT Tech Review Cyber Secure summit a while ago. 17% of attacks are carried out through messaging apps, 16% via social networking apps, 11% through games, and so on. Mobile phishing attacks are usually more successful than those on desktop, so we asked Cockerill why.


Easier to trick people into clicking dangerous things

Social engineering attacks, claims Cockerill, are more successful on mobile devices, and there are several reasons for that.

“The first is the restricted user interface makes it easier to trick people into doing dangerous things, such as clicking on dangerous links,” he said.

Users usually know how to read the URL on a PC and to look for the green lock symbol that shows the link is legitimate and encryption is turned on and active in the browser.

“But when you view a link on a mobile device, it’s very hard to see the actual URL. It’s typically truncated or shortened, or there is no way to read it like the hover action on a PC,” Cockerill told CyberNews.


There is a flawed perception that mobile devices are safe. Attackers are often able to make it seem as though the message is from someone you know or in a context that makes sense to you. Therefore, you are more likely to click on the malicious link inside the message.

“This is because mobile devices are far more personal. Whether it’s a work phone or a personal phone, most people receive personal emails and messages, take personal photos, do personal banking, shopping, personal networking, and so on, on the device. So it’s much easier for an attacker to make you (the target) believe what you are doing is safe,” Cockerill explained.


Lastly, on mobile platforms, thousands of new apps are published every day, with unrestricted access to the Internet and to a plethora of local device information such as microphones, contacts, cameras, and GPS location.

“This resulted in unprecedented innovation, but also frequently (and unknowingly) exposed serious security and privacy issues,” he said.


As an example of companies attempting to address this, Cockerill mentioned the recent push on privacy from Apple. According to him, app developers on mobile devices have long been able to see your browsing history, track physical location, communications, photos, and other sensitive information. While well-meaning developers used this information to improve our lives, malicious actors are increasingly using the same information against us.


“To put it as simply as possible, the return on investment (ROI) for any bad actor is much higher when attacking mobile devices over PCs,” he said.


Sophisticated as never before

During the MIT Tech Review Cyber Secure summit, Cockerill presented some examples of sophisticated attacks. One of them was Shadow Voice, a sophisticated social engineering attack.

During this attack, users got an SMS message saying they had to install software to communicate with the bank securely. That software was actually malware. Even if a user got suspicious and was smart enough to call their bank, the malware cut off that call, put a screen overlay on top of the phone's display, and dialed a different number so the bad actors could continue the attack. “It’s pretty impressive,” Cockerill said.


The FBI has recently warned that, as of December 2019, cybercriminals collaborated to target both US-based and internationally-based employees at large companies using social engineering techniques. The cybercriminals vished the employees’ credentials, that is, they used voice phishing (vishing) to trick people into logging into a phishing website.


Cyberattacks are getting more sophisticated, and Shadow Voice, as well as recent SolarWinds attacks, are good examples of that. But, argues Cockerill, it’s not always increased sophistication that’s necessary for attackers to succeed.

“Developing new apps that target users on new and unfamiliar channels (as discussed) is simple. Or, to use an example from Frank Abagnale, it’s far easier to counterfeit cheques today than it was 50 years ago – everything you need is available at Office Depot. It’s all about attacker ROI. So I expect that attackers will increasingly attack the weakest link, which, unfortunately, in most cases, is the human (us), not the technology. But they are more likely to do that where their ROI is the highest – which right now is by targeting our mobile devices,” he said.


They come as a surprise

As mentioned above, 85% of mobile phishing attacks are outside of email. It means that they are targeting potential victims through very different channels, and users are not yet trained to spot a phishing attack in an unfamiliar app.

“Phishing is definitely expanding into all available channels – that is, bad actors are innovating just as quickly as good developers leveraging all the limitations, capabilities, and the personal nature of mobile devices to successfully social engineer consumers. New apps represent a new scenario (or channel) in which users don’t yet expect to be phished,” Cockerill told Cybernews.


For that reason, new channels represent significant advantages for phishers. Also, argued Cockerill, leveraging specific apps provides the attacker with a self-selected user base (adolescents) with a particular set of interests (gamers) and a natural hook (offering cheats or in-game goods).


Lookout, where Cockerill works, developed Phishing and Content Protection technology to filter internet traffic for phishing and malicious links in any app. They noticed that phishers readily exploit whatever is on the minds of many of their targets – from hooks using COVID news to working-from-home themed phishing messages.

Cockerill expects this to continue, and in 2021 we might see more:

  • COVID alert and hospital availability themed messages.
  • Vaccine-availability themed messages and apps.
  • New “secure communication” and “social networking” apps that claim to be free from the censorship of big tech companies, but are actually trojans.
  • A continued move away from app store-based app distribution to avoid big tech company censorship and improved privacy features, which will increase security risks.

Another worrying trend is that legitimate messages are starting to look more like well-crafted phishing campaigns, making it even harder for users to spot attacks.

“Links in such messages can often not be attributed with any certainty to the legitimate entity because they’ve been shortened with URL shorteners, point directly to third-parties such as marketing tracking services or survey providers, or to a separate domain that was registered for these communications. This practice is training users for exactly the wrong behavior,” he said.
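The two problems Cockerill describes, a mobile UI that truncates the link so the real host is hidden, and legitimate senders using shorteners or third-party domains so that a link cannot be attributed to them, can both be made concrete with a small link-attribution check. The following Python is an added example written for this article; it is not code from Lookout or from the author. It extracts the host a browser would actually connect to, reduces it to its registrable domain (a simplified last-two-labels approximation; a production check would consult the Public Suffix List), and compares that against an allowlist of domains the sender legitimately uses. The bank name, allowlist, shortener list and sample SMS text are all constructed for illustration.

```python
"""Link-attribution check for links found in mobile messages (added example).

Shows why a truncated display or a shortened link removes the information a
user needs: the visible prefix of a URL can look like a trusted domain while
the host the browser connects to is something else entirely.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: domains a hypothetical bank legitimately sends from.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed, deliberately incomplete list of well-known URL shortener hosts.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def effective_host(url: str) -> str:
    """Return the host a browser would connect to for this URL.

    urlsplit().hostname drops any explicit port and lowercases the host, so
    'https://EXAMPLEBANK.COM:8443/x' and 'https://examplebank.com/x' agree.
    A bare 'examplebank.com/login' (no scheme) is treated as http://.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    This is enough to expose 'examplebank.com.secure-login.example' as
    'secure-login.example'; a real deployment would use the Public Suffix
    List so that hosts under co.uk and similar suffixes are handled.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def truncated_display(url: str, width: int = 30) -> str:
    """Simulate a narrow mobile UI that only shows the first `width` characters."""
    return url if len(url) <= width else url[:width] + "…"


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as trusted, untrusted (naming the real domain), or
    unattributable because a shortener hides the final destination."""
    host = effective_host(url)
    domain = registrable_domain(host)
    if host in SHORTENERS or domain in SHORTENERS:
        return "unattributable (URL shortener)"
    if domain in trusted:
        return "trusted"
    return f"untrusted ({domain})"


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Find every http(s) link in a message and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed SMS text, modelled on the bank-alert lure the article describes.
    sms = ("ExampleBank: unusual login detected. Verify your account at "
           "https://examplebank.com.secure-login.example/verify within 24h.")
    for url, verdict in scan_message(sms):
        print(f"shown on phone : {truncated_display(url)}")
        print(f"real host      : {effective_host(url)}")
        print(f"verdict        : {verdict}")
```

Run as a script it prints the link as a 30-character mobile display would show it (ending in `examplebank.com`), the host the browser would really reach, and the verdict, which is the comparison the article says users cannot make from a truncated link. The same check flags a `bit.ly` or survey-provider link from a genuine sender as unattributable or untrusted, which is exactly the point Cockerill makes about legitimate messages training users for the wrong behavior.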


How to protect yourself

For the most part, companies realize this threat. Do they protect their employees from it?

“While this is rapidly changing, unfortunately, more often than not, the answer here is no. That’s partly because the tools to actively protect this vector of attack are relatively new (when compared to PC security) and partly because the problem is exacerbated by the personal nature of the devices,” Cockerill explained.

For example, 2FA (two-factor authentication) can be effectively implemented to reduce credential theft on both mobile devices and desktops (although more modern credential phishing frequently includes methods to circumvent 2FA). But companies are less willing to connect personal mobile devices through their infrastructure using tools like VPNs, or to filter the internet access of these devices, leaving them vulnerable to attack on an unfiltered internet, he explained.

What are the basic things that I should be aware of when using a smartphone?

“First and foremost, keep your phone operating system and all the apps up-to-date. These days that’s as simple as enabling auto-update. Next, do not install apps that do not come from a trusted source – which is typically the device manufacturer’s app store,” Cockerill recommended.


More specifically, as it relates to phishing, you should not authenticate (enter your username and password) on pages that you reach through links in messages, even if the message seems to come from a source you trust.

“For example, if you get an SMS from your bank asking you to authenticate, open the banking app or the bank’s website separately to authenticate and address the issue,” he said.


Credit cards typically have better fraud protection, so make sure you use a credit card, not a debit card while shopping online.


The FBI recommendations

In an advisory released this January, the FBI also recommended mitigation measures for private industry.

They recommend implementing multi-factor authentication (MFA) for accessing employee accounts in order to minimize the chances of an initial compromise.

“When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network,” reads the advisory.


The FBI also suggests actively scanning and monitoring for unauthorized access or modifications. It can help detect possible compromise or minimize the loss of data.

Network segmentation should be implemented to break up one large network into multiple smaller networks. It allows administrators to control the flow of network traffic.


“Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports,” the advisory reads.





Copyright / Author: Jurgita Lapienytė