5 Ways Phishing Attacks Manipulate Mobile Devices Outside Email

by Lisa O'Reilly on June 11, 2020

Given the current demand for remote working, phishing attacks on mobile devices are particularly worrisome for security professionals. There is only a 30% penetration of threat defense on mobile devices, according to Gartner’s Market Guide for Mobile Threat Defense. Yet most mobile device users still think they have the protection they need to be safe. According to Verizon’s 2020 Mobile Security Index report attacks are becoming more sophisticated and targeted.

And as defenses improve, attackers are increasingly turning to mobile. When you look at your emails on a mobile device, you’re at a disadvantage. It’s not as easy to spot the signs of something nefarious. You can’t always see the padlock symbol or lack of it, or hover over a link to see the underlying URL. This can make users more prone to phishing attacks. In fact, even among companies with defenses in place—including mobile device management (MDM) and almost certainly at least one form of email filtering—many of their users still received and clicked on phishing links.

Perhaps even more troubling? While mobile devices have fair email security protocols in place, phishing threats are extending well beyond email as an attack vector. According to the Verizon report, 85 percent of attacks seen on mobile devices took place outside of email. They break down these phishing attack vectors in this way:

Messaging – 17%
Social Media – 16%
Gaming – 11%
Productivity Apps – 10%
Others, including news and travel apps – 31%

The key to phishing attack success in many of these vectors is URL obfuscation. Simply put, hiding malicious URLs, masking phishing sites, and hiding code are all mobile phishing trends that we are seeing. Here are five ways we see phishing bad actors manipulating mobile (and non-mobile) devices:

The use of compromised websites to host phishing pages. Approximately 90% of the phishing URLs detected by our feeds are either hosted on a compromised domain, or hosted on legitimate cloud services like SharePoint, GoDaddy, and Amazon AWS. Bad actors know blacklisting Amazon or SharePoint isn’t feasible, so any online services that provide HTML hosting are prey for these types of attacks, as bad actors attempt to evade domain reputation engines. With remote workers accessing these work-related sites and tools, mobile security needs to step up.
URL redirects, or URL forwarding, from a benign link. We’ve started to notice bad actors introduce the concept of redirectors. Redirectors would use a URL shortening services in a newsletter or some email communication where the link would be pointing further down the road to the phishing link. The bad actors would list a rewritten, shortened URL in the email body and when the user clicked on it a SEG would allow the user access since it wasn’t on its blacklist. The rewritten URL would then redirect the user to a phishing site.
Multi-stage phishing attacks. We’re seeing a type of sophisticated phishing attack that involves a multi-stage phishing schemes that launches local files to evade existing security. It starts with a link sent in email that is not malicious but leads to what appears to be a benign site. Once that website is opened, the user performs a task and a local HTML file is downloaded to their computer or mobile device. When the user clicks on that file, a local HTML page is launched with a link to continue which sends them to the final domain where the phishing content is delivered. The bad guys are forcing a rational human through multiple steps that security equipment would normally have trouble detecting. They don’t allow a phishing site to appear unless they can confirm that a human is interacting with the site. This means that even if the final phishing domain is on a blacklist, traditional anti-phishing security cannot protect users from it until someone or some technology follows the entire user process and reaches a point where the phishing site is baited.
Increasingly short attack lifecycles. Bad actors are aware of how current technologies are trying to catch them, and they see perfect opportunities to evade detection. They change domains and URLs fast enough so the blacklist-based engines cannot keep up. For example, malicious URLs might be hosted on compromised sites that have good domain reputation. People click and within a few minutes the bad actors have collected all the data they need, so they move on to the next site. By the time the security teams have caught up, that cool attack is already gone and hosted somewhere else. It’s no surprise at this speed that old legacy methods of chasing URLs and using domain reputation are no longer enough.
SMiShing and mobile endpoint attacks. These mobile-specific attacks – often called SMiShing – are initiated in the form of a text message disguised as a communication from a bank or other potentially trusted brand than encourages a click-through to a phishing site where credentials are targeted. As mobile devices become more prevalent for work communication, we are seeing an increase in these phishing attacks.

Our Mobile Phishing Protection solution comes in the form of a lightweight, cloud-powered app that protects iOS and Android users. And for Windows, MacOS, Chrome OS, and Linux users, we offer Browser Phishing Protection for Chrome, FireFox, Safari, and Edge browsers. Both solutions provide protection on social media, SMS and collaboration platforms by detecting credential stealing, rogue browser extensions, and more. These endpoint and mobile security products are easily deployed and managed with leading UEM solutions or with SlashNext’s Endpoint Management System.

To find out how you can protect your remote workforce from the growing number of sophisticated mobile phishing threats, contact us and request a demo today.