Phishing, Brute Force Attacks Rise in Expanded Threat Landscape
Phishing attacks and brute force attacks are on the rise as cybercriminals evolve their attacks to mobile and personal communication channels, according to a report from SaaS Alerts.
On average, there were approximately 40,000 brute force attacks daily, and 53% of all attempted unauthorized logins originated from China, Vietnam, India, Brazil and Korea, according to the report.
The report, based on an analysis of the SaaS application security records of more than 7,400 small-to-medium-sized businesses (SMBs) and nearly one million end user accounts, recorded a notable decline in attempts from Russia, which could be a result of Russia's shift in focus to the war with Ukraine.
Jim Lippie, CEO of SaaS Alerts, said the low utilization of multifactor authentication (MFA) (32%) across all accounts was among the most troubling findings uncovered by the report.
“This is concerning because MFA implementation is simple and non-intrusive and would prevent 90% or more of account compromises,” he said. “Many organizations do not enforce MFA or strong password or passphrase policies.”
He explained that brute force attacks against these organizations would eventually lead to an account compromise on one or more accounts if these standards are not imposed on user accounts.
Scaling Phishing and Brute Force Attacks for Mobile
Krishna Vishnubhotla, vice president of product strategy at Zimperium, added that brute force attacks and phishing attacks would continue to shift to mobile because those types of attacks scale well on the mobile platform.
“With minimal effort, you can target a very large number of employees and consumers,” he said. “You can buy credentials on the dark web and also power bots and emulators to cycle through them.”
From Lippie’s perspective, IT security leaders and business leaders must realize that in a SaaS-connected business environment, protecting the on-premises network and corporate-owned devices is not enough.
“With the massive expansion in remote work and BYOD device proliferation, monitoring SaaS applications and user account activity is arguably more important than the business network,” he said. “For knowledge workers that use SaaS applications, there is no network boundary, and unless strict access controls are configured, every device is a connection to business data.”
He added that cybercriminals are shifting their attacks to mobile and personal communication channels to reach users because they realize knowledge workers often use mobile and personal devices to access business data resources for the sake of convenience and productivity.
“Business credentials and access tokens are stored on mobile and personal devices and can be effectively used to compromise a business account and access business data or impersonate the account holder,” he explained.
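The two patterns Lippie describes, a brute force burst that eventually lands on an account with no MFA, and the need to watch SaaS sign-in activity rather than only the corporate network, can be checked directly in a sign-in audit export. The script below is an added example, not code from SaaS Alerts or from the report; the log format and the sample events are constructed for illustration (real Microsoft 365 or Google Workspace exports carry the same fields under other names), and the thresholds are assumptions.

```python
"""Flag brute force bursts and MFA-less sign-ins in SaaS audit logs.

Added example; not code from the report or from SaaS Alerts. The line
format is an assumed one, constructed for this illustration:
  <ISO-8601 UTC timestamp> <user> <source IP> <country> <success|failure> mfa=<yes|no>
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is hammered from one IP and then signed in
# without MFA; bob has normal MFA-backed traffic plus one stray failure.
SAMPLE_LOG = """\
2023-03-01T08:00:01Z alice@example.com 203.0.113.7 CN failure mfa=no
2023-03-01T08:00:03Z alice@example.com 203.0.113.7 CN failure mfa=no
2023-03-01T08:00:05Z alice@example.com 203.0.113.7 CN failure mfa=no
2023-03-01T08:00:08Z alice@example.com 203.0.113.7 CN failure mfa=no
2023-03-01T08:00:12Z alice@example.com 203.0.113.7 CN failure mfa=no
2023-03-01T08:00:15Z alice@example.com 203.0.113.7 CN failure mfa=no
2023-03-01T08:00:20Z alice@example.com 203.0.113.7 CN success mfa=no
2023-03-01T08:05:00Z bob@example.com 198.51.100.4 US success mfa=yes
2023-03-01T08:06:00Z bob@example.com 192.0.2.9 BR failure mfa=no
2023-03-01T08:07:00Z bob@example.com 198.51.100.4 US success mfa=yes
2023-03-01T08:10:00Z carol@example.com 203.0.113.7 CN failure mfa=no
"""


def parse_events(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "result": result, "mfa": mfa == "mfa=yes",
        })
    return events


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, ip): peak failures} for pairs that accumulate at least
    `threshold` failures inside any sliding `window`. Threshold and window
    are assumed tuning values, not figures from the report."""
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failure":
            per_key[(e["user"], e["ip"])].append(e["ts"])
    flagged = {}
    for key, times in per_key.items():
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(recent))
    return flagged


def likely_compromises(events, threshold=5, window=timedelta(minutes=10)):
    """Users with a non-MFA success from the same IP after a flagged burst:
    the 'eventual account compromise' the report warns about."""
    bursts = brute_force_candidates(events, threshold, window)
    last_failure = {}
    for e in events:
        key = (e["user"], e["ip"])
        if key in bursts and e["result"] == "failure":
            last_failure[key] = max(last_failure.get(key, e["ts"]), e["ts"])
    hits = set()
    for e in events:
        key = (e["user"], e["ip"])
        if (key in bursts and e["result"] == "success" and not e["mfa"]
                and e["ts"] >= last_failure[key]):
            hits.add(e["user"])
    return sorted(hits)


def accounts_without_mfa(events):
    """Users who completed at least one sign-in without MFA (the 32% gap)."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and not e["mfa"]})


def failures_by_country(events):
    """Where failed attempts originate, as the report breaks them down."""
    return Counter(e["country"] for e in events if e["result"] == "failure")


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("failures by country:", dict(failures_by_country(EVENTS)))
    print("brute force bursts:", brute_force_candidates(EVENTS))
    print("sign-ins without MFA:", accounts_without_mfa(EVENTS))
    print("likely compromised:", likely_compromises(EVENTS))
```

The sliding window matters: a slow spray spread over hours will not trip a fixed per-minute counter, so tune `threshold` and `window` against the tenant's normal failure rate rather than copying the values above. Keying on (user, source IP) catches a single attacker working one account; to catch password spraying across many accounts from one IP, key on the IP alone as well.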
A Global, Mobile and Remote Workforce
Vishnubhotla noted that, pre-pandemic, who and what you needed remote access to was limited and manageable.
“[Pre-pandemic,] you switched between a desktop, a laptop and maybe accessed email via a BlackBerry or a smartphone,” he said. “But post-pandemic, the expectation is you can do everything you could do in the office remotely and the majority of it you could do on your mobile device.”
This is unprecedented access that enterprise IT teams are having to adjust to, which he added is no simple feat considering the realities of the global, mobile and remote workforce.
Lippie advised businesses that permit mobile and personal device use to require (and audit for) antimalware tool use on all personal devices.
“They should also invest in regular security training to help workers recognize the dangers of phishing, SMS and even voice-based attempts to compromise their accounts,” he said.
Bud Broomhead, CEO at Viakoo, said without a doubt, enterprise cybersecurity risk is higher with many employees continuing to work from home; the network is not typically under the control of corporate IT and the protection that corporate IT can provide.
“The good news is this is not an unfamiliar situation–enterprise IoT devices typically operate on networks not managed by corporate IT and the best practices from IoT security directly apply in work-from-home situations,” he explained.
Broomhead said security awareness training is a great starting point for helping protect employees and businesses; however, organizations should build upon it, especially for situations that are unique to them.
For example, organizations with IoT devices will need to pay special attention to keeping them on separate networks and keeping their firmware up-to-date with the latest security fixes.
“In addition to training, organizations of all sizes should have a process to test or audit employees to make sure the security training can be carried through in the actions employees take,” he added.