Mobile Devices Under Siege by Cyberattackers
Between 2019 and 2020, financial services and insurance organizations' exposure to mobile phishing more than doubled. Cybercriminals are deliberately targeting smartphones, tablets, and Chromebooks to improve their odds of securing an entry point into the organizations that rely on them.
According to a new Lookout research team report released May 6, a single successful phishing or mobile ransomware attack can provide attackers with access to proprietary market research, client financials, investment strategies, and cash or other liquid assets.
According to the Financial Services Threat Report, nearly half of all phishing attempts targeted corporate login credentials. The report also found that roughly 20% of mobile banking customers had a trojanized app on their device when they attempted to sign in to their personal mobile banking account.
Despite a 50% increase in mobile device management (MDM) adoption between 2019 and 2020, average quarterly phishing exposure increased by 125%. Malware and application risk exposure increased by more than 400%.
Seven months after the release of iOS 14 and Android 11, 21% of iOS devices were still running iOS 13 or earlier, and 32% of Android devices were still running Android 10 or earlier. According to the report, every month users delay updating leaves known, already-patched weaknesses in place, giving a threat actor a window to gain access to an organization's infrastructure and steal data.
"Malicious apps delivered via socially engineered phishing campaigns will always be a concern for security teams, as attackers know they can connect with individuals via personal channels such as SMS, third-party messaging platforms, social media, and even dating apps in order to establish a connection and build trust," Hank Schless, senior manager for security solutions at Lookout, explained.
Higher Security Risks, More Mobile Users
Financial services firms are accelerating their digital transformation. That shift has created new risks for businesses and for their customers' data, because data now travels to the point of use, on whatever device the employee or customer happens to be holding.
Even before the pandemic compelled organizations to adopt cloud services and mobile devices, the finance industry saw a 71% increase in mobile app adoption in 2019. Tablets, Chromebooks, and smartphones have become an integral part of how financial institutions operate in the modern era.
Regular mobile users include employees working from home and customers who use an app to manage their finances. Given the Chromebook's rapid rise over the last 18 months to become a preferred device in education and enterprise, attackers' growing interest in these devices is an early warning sign.
While many organizations have embraced MDM as a means of maintaining control, this is insufficient. Managing a device does not protect it from sophisticated mobile threats, Lookout noted in its report.
When employees were forced to work remotely for an extended period of time, they were forced to rely on their smartphones and tablets to remain productive. Attackers recognized this shift and increased their focus on individuals with mobile-specific malware and phishing attacks, Schless explained.
"This overnight change also required security and IT teams to make drastic changes to their strategies and policies, expanding the capacity of their corporate VPNs and expanding MDM to more mobile users to maintain some semblance of control over mobile access to the corporate infrastructure," he added.
Somewhat Futile Efforts
Schless noted that a significant increase in mobile threat exposures occurred despite the wider rollout of mobile device management.
"This demonstrates that MDM should be used to manage devices, not to secure them, as these solutions are incapable of protecting devices against cyberthreats such as mobile phishing," he said.
Financial institutions must embrace modern security technologies and strategies in order to remain secure, competitive, and relevant on the devices that employees and customers use the most, the researchers at Lookout urged.
According to Lookout, the average quarterly exposure rate to mobile phishing in financial services increased by 125 percent, significantly more than in any other industry. The first difficulty is that MDM cannot secure a mobile device against these threats. The second is that VPNs grant access to corporate resources and infrastructure without first checking whether the connecting device is already running malware, Schless said.
"Attackers became very clever very quickly; they developed malware and phishing campaigns that could easily circumvent the basic management policies enforced by MDM solutions, which explains why we continued to see an increase in mobile threat exposures despite organizations leveraging MDM more heavily," he explained.
The only way to combat these attacks, he suggested, is an integrated endpoint-to-cloud security solution that validates both the device's and the user's risk posture before granting access, so that neither malware nor an unauthorized user reaches the infrastructure.
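To make that posture-validation step concrete, here is an added example (my code, not Lookout's product or code) of the check an access broker would run before a VPN or cloud application admits a device: hard failures such as detected malware or a jailbroken device deny access outright, a user who has not yet proved their identity is pushed to MFA, and an unenrolled or out-of-date device gets only limited access. The same helper also reports the share of a fleet still running an OS below the minimum, the figure the report quotes for iOS 13 and Android 10 holdouts. The minimum versions, the device inventory and the policy tiers are assumptions constructed for illustration.

```python
"""Added example: a device-posture gate evaluated before access is granted.
Not Lookout's code. MIN_OS, FLEET and the policy tiers are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed minimum OS per platform, matching the report's framing that iOS 14
# and Android 11 were current at the time.
MIN_OS: Dict[str, str] = {"ios": "14.0", "android": "11"}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'14.4.2' -> (14, 4, 2); padded to three parts so '11' == '11.0.0'
    and compared numerically so '14.10' ranks above '14.9'."""
    parts = [int(p) for p in v.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def os_outdated(platform: str, os_version: str) -> bool:
    return parse_version(os_version) < parse_version(MIN_OS[platform])


@dataclass
class DevicePosture:
    device_id: str
    platform: str          # "ios" or "android"
    os_version: str
    mdm_enrolled: bool
    malware_detected: bool
    compromised: bool      # jailbroken or rooted
    mfa_verified: bool     # user passed MFA in this session


def evaluate(p: DevicePosture) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    deny    : the device itself cannot be trusted (malware, jailbreak/root)
    step_up : device acceptable but the user has not proved identity yet
    limited : manageable but non-compliant (not enrolled, OS too old);
              assumed tier that only reaches low-risk, read-only resources
    allow   : compliant device and verified user
    """
    reasons: List[str] = []
    if p.malware_detected:
        reasons.append("malware detected on device")
    if p.compromised:
        reasons.append("device is jailbroken/rooted")
    if reasons:
        return "deny", reasons
    if not p.mfa_verified:
        return "step_up", ["user identity not verified with MFA"]
    if not p.mdm_enrolled:
        reasons.append("device not enrolled in MDM")
    if os_outdated(p.platform, p.os_version):
        reasons.append(f"{p.platform} {p.os_version} is below minimum {MIN_OS[p.platform]}")
    return ("limited", reasons) if reasons else ("allow", [])


def outdated_share(fleet: List[DevicePosture]) -> Dict[str, float]:
    """Fraction of devices per platform running an OS below the minimum."""
    counts: Dict[str, Tuple[int, int]] = {}
    for d in fleet:
        total, old = counts.get(d.platform, (0, 0))
        counts[d.platform] = (total + 1, old + int(os_outdated(d.platform, d.os_version)))
    return {plat: old / total for plat, (total, old) in counts.items()}


# Constructed sample inventory (assumption, not real telemetry).
FLEET = [
    DevicePosture("ios-01", "ios", "14.4.2", True, False, False, True),
    DevicePosture("ios-02", "ios", "13.7", True, False, False, True),
    DevicePosture("ios-03", "ios", "14.0", False, False, False, True),
    DevicePosture("and-01", "android", "11", True, False, False, True),
    DevicePosture("and-02", "android", "10", True, True, False, True),
    DevicePosture("and-03", "android", "9", True, False, True, False),
    DevicePosture("and-04", "android", "11", True, False, False, False),
]

if __name__ == "__main__":
    for d in FLEET:
        decision, why = evaluate(d)
        print(f"{d.device_id}: {decision} {why}")
    print(outdated_share(FLEET))
```

The ordering inside `evaluate` is the design point: device integrity is checked before identity, because a strong MFA result from a rooted or infected phone proves nothing about where the session will end up.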
Business Must Act on Security
Financial institutions and other businesses must consider how to secure their customers' mobile app experience in order to prevent account fraud and takeover, researchers warn. Security must be built into consumer applications from the start.
By building security capabilities into the mobile application itself during development, customers get mobile protection natively, without having to install additional software.
"Because cybercriminals can target both employees and customers when targeting financial services, security teams must cover an incredibly broad threat landscape, which is why it's never surprising to see financial services listed as one of the most targeted industries," said Lookout's Schless.
Why Phishing Catches Victims
Phishing emails frequently contain personal information and can look legitimate; often they purport to come from a well-known vendor's service, according to Joseph Carson, ThycoticCentrify's chief security scientist and advisory CISO.
"Phishing emails almost always disguise themselves as an urgent message from an authority requiring immediate action, such as clicking a link or opening an attached file, in order to avoid further trouble, late fees, and so on. These emails typically contain multiple hyperlinks — some of which are legitimate in order to disguise the one malicious link," he told TechNewsWorld.
Spear-phishing emails are sent directly to you, posing as a message from a person you know and trust, such as a friend, colleague, or boss. They carry a hyperlink to another website or an attachment, such as a PDF, Word document, Excel spreadsheet, or PowerPoint presentation.
The most common spear-phishing attacks appear to come from your employer's executive management team or someone else in authority, asking you to take an important action, either opening an attachment or, in some cases, making an urgent money transfer through a link in the email, Carson explained.
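Carson's point about legitimate links being used as camouflage for the one malicious link is something a mail gateway or a SOC triage script can check mechanically. The following added example (my code, not Carson's or ThycoticCentrify's) pulls every link out of an HTML body and flags the ones that do not belong: display text naming one domain while the href points to another, a domain one or two edits away from a trusted one, a trusted domain name buried as a subdomain of an attacker's host, plain http, punycode labels, and raw IP hosts. The TRUSTED allowlist, the sample message, and the crude eTLD+1 helper are assumptions; production code should use the public suffix list.

```python
"""Added example: flag suspicious links in an HTML email body.
Not Carson's code. TRUSTED and SAMPLE_EMAIL are constructed assumptions."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

TRUSTED = {"example-bank.com"}  # assumed: domains this organization legitimately links to
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable(host: str) -> str:
    # Crude eTLD+1 (last two labels): an assumption that breaks on
    # "co.uk"-style suffixes. Use the public suffix list in real code.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats like examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flags_for(href: str, text: str) -> List[str]:
    flags: List[str] = []
    host = host_of(href)
    dom = registrable(host)
    # Display text that looks like a URL but resolves to another domain.
    if URL_LIKE.match(text) and registrable(host_of(text)) != dom:
        flags.append("display-text domain differs from href domain")
    if dom not in TRUSTED:
        for t in TRUSTED:
            if 0 < edit_distance(dom, t) <= 2:
                flags.append(f"lookalike of trusted domain {t}")
            if host.startswith(t + ".") or ("." + t + ".") in host:
                flags.append(f"trusted domain {t} used as a subdomain of {dom}")
    if href.lower().startswith("http://"):
        flags.append("plain http")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode label")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address")
    return flags


def analyze(html: str) -> List[Dict[str, object]]:
    parser = LinkExtractor()
    parser.feed(html)
    return [{"href": h, "text": t, "flags": flags_for(h, t)} for h, t in parser.links]


def suspicious(html: str) -> List[Tuple[str, List[str]]]:
    return [(str(r["href"]), list(r["flags"])) for r in analyze(html) if r["flags"]]


# Constructed sample: two genuine links as cover, then the malicious ones.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify within 24 hours to avoid fees.</p>
<p><a href="https://example-bank.com/help">Help center</a> |
<a href="https://example-bank.com/privacy">Privacy</a></p>
<p><a href="http://examp1e-bank.com/verify?id=42">https://example-bank.com/verify</a></p>
<p><a href="https://example-bank.com.secure-login.net/">example-bank.com</a></p>
"""

if __name__ == "__main__":
    for href, flags in suspicious(SAMPLE_EMAIL):
        print(href, "->", "; ".join(flags))
```

The two genuine links come back clean, which is exactly why the attacker included them; the score that matters is the worst link in the message, not the average.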
Spotting Attack Attempts
Carson recommended limiting what you share on social media and enabling privacy and security settings on your Facebook, Twitter, and other social accounts as safety measures.
"Do not accept 'friend' requests from strangers," he added.
Mark the senders of your suspected phishing emails as junk or spam, just as you would with known spam. Then, if they appear directly in your work inbox, report them immediately to your IT security department.
Another precaution is never to forward a phishing email. Also make sure you have taken basic security measures to safeguard your devices and have scanned your system and email for malware.
"Unusually high mobile data and internet usage can indicate that a device has been compromised and that data is being extracted and stolen. Always review your monthly internet usage trends, typically available from your internet service provider or your home router, for both downloads and uploads to monitor your monthly Internet activity," he suggested.
You can generally set usage limits that alert you to abnormally high levels; when such an alarm fires, review your usage immediately.
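Reviewing usage by eye works until the numbers pile up; the added example below (my code, not Carson's) turns his advice into an automated check over a constructed series of monthly download and upload totals. It builds a baseline from prior months using the median and median absolute deviation, which one spike does not distort the way a mean and standard deviation would, and flags a month whose upload volume or upload share of traffic exceeds that baseline, the pattern that matters when data is being extracted. The figures, the k multiplier and the 1% MAD floor are assumptions.

```python
"""Added example: robust alerting on monthly usage totals.
Not Carson's code. USAGE, k and the MAD floor are assumptions."""
import statistics
from typing import List, Sequence, Tuple

# Constructed monthly totals in GB: (month, download, upload). Assumed
# steady use, then one month where uploads jump while downloads stay normal.
USAGE = [
    ("2020-11", 210.0, 12.5),
    ("2020-12", 235.0, 14.0),
    ("2021-01", 198.0, 11.8),
    ("2021-02", 220.0, 13.1),
    ("2021-03", 242.0, 12.9),
    ("2021-04", 225.0, 13.4),
    ("2021-05", 230.0, 61.0),
]


def robust_bounds(values: Sequence[float], k: float = 3.0) -> Tuple[float, float]:
    """Return (median, upper limit) with limit = median + k scaled MADs.
    1.4826 scales the MAD to a standard deviation for normal data; the
    1% floor (assumed) stops identical months collapsing the limit onto
    the median so that any tiny increase would alert."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    mad = max(mad, 0.01 * abs(med))
    return med, med + k * 1.4826 * mad


def check_month(history: Sequence[Tuple[str, float, float]],
                current: Tuple[str, float, float], k: float = 3.0) -> List[str]:
    """Compare one month against the months before it; return alert reasons."""
    month, down, up = current
    reasons: List[str] = []
    _, up_limit = robust_bounds([u for _, _, u in history], k)
    if up > up_limit:
        reasons.append(f"{month}: upload {up:.1f} GB exceeds baseline limit {up_limit:.1f} GB")
    _, down_limit = robust_bounds([d for _, d, _ in history], k)
    if down > down_limit:
        reasons.append(f"{month}: download {down:.1f} GB exceeds baseline limit {down_limit:.1f} GB")
    # Upload share of traffic catches exfiltration hidden inside an
    # otherwise ordinary-looking total.
    _, ratio_limit = robust_bounds([u / d for _, d, u in history], k)
    if up / down > ratio_limit:
        reasons.append(f"{month}: upload share {up / down:.1%} exceeds baseline limit {ratio_limit:.1%}")
    return reasons


def scan(usage: Sequence[Tuple[str, float, float]], warmup: int = 4,
         k: float = 3.0) -> List[Tuple[str, List[str]]]:
    """Walk the series, checking each month once `warmup` months of history exist."""
    alerts: List[Tuple[str, List[str]]] = []
    for i in range(warmup, len(usage)):
        reasons = check_month(usage[:i], usage[i], k)
        if reasons:
            alerts.append((usage[i][0], reasons))
    return alerts


if __name__ == "__main__":
    for month, reasons in scan(USAGE):
        print(month)
        for r in reasons:
            print("  ", r)
```

The upload-share test is the one worth keeping even if you drop the others: a compromised device that is quietly streaming files out will often show a normal total because downloads dominate, and only the direction of traffic gives it away.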