The rate at which users are receiving and clicking on phishing URLs on their mobile devices has increased at an average rate of 85% per year since 2011, mobile security firm Lookout reports.
What’s more worrisome is the fact that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.
In a new report (PDF) analyzing the present state of mobile phishing, the security company explains that attackers are successfully circumventing existing phishing protections to target the mobile devices. Thus, they manage to expose sensitive data and personal information at an alarming rate, the company claims.
With over 66% of emails first opened on a mobile device and email arguably the first point of attack for a phishing actor, unprotected emails on a mobile device can easily turn into a new avenue for attack.
“Most corporations are protected from email-based phishing attacks through traditional firewalls, secure email gateways, and endpoint protection. In addition, people today are getting better at identifying phishing attacks. Mobile, however, has made identifying and blocking phishing attacks considerably more difficult for both individuals and existing security technologies,” Lookout notes.
The security firm claims that existing phishing protections are not adequate for mobile devices, where the relatively small screen makes distinguishing a real login page from a fake one highly problematic. On mobile, email is only one of the possible attack vectors, with truncated malicious URLs and apps accessing potentially malicious links also being used for compromise.
SMS and MMS also provide attackers with new means of phishing, not to mention popular and highly used personal social media apps and messaging platforms such as WhatsApp, Facebook Messenger, and Instagram. According to Lookout, more than 25% of employees click on a link in an SMS message from a phone number spoofed.
One attacker known to have used a non-email means of phishing is the threat actor behind ViperRAT, who engaged into conversations with their victims after posing as women on social media platforms. Once they managed to establish their trust, the actor asked the victims to download an app for “easier communication.”
In another example, an attacker targeted iOS and Android users via Facebook Messenger, suggesting that they appeared in a YouTube video. When clicking on the provided link, the user was served a fake Facebook login page meant to steal their credentials.
Lookout also notes that users are three times more likely to click on a suspicious link on a phone than on a PC. On a mobile device, users can’t always see the entire link they click on, as they would on a desktop, and there isn’t always a firewall to keep the device protected, as would be the case with a PC in a corporate environment.
“Mobile phishing is increasingly the tip of the spear for sophisticated, large-scale attacks. Some of the most active attacks come from mobile advanced persistent threats, or mAPTs,” Lookout also notes.
While an APT is a group, usually a nation-state, which can persistently and effectively target other nation-states, businesses, or individuals to steal information, a mAPT brings such attacks to mobile. Dark Caracal and Pegasus are only a couple of the most recent examples of such attacks.
Furthermore, because some applications contain URLs in the codebase to communicate and fetch information in real-time, attackers can abuse the functionality for phishing. Thus, enterprises should worry about “benign apps” that access malicious URLs.
“For example, apps often use advertising to make money. In order to do so, they incorporate ad SDKs into their code. These SDKs connect to URLs behind the scenes in order to display ads to the end user. If a benign app uses an ad SDK run by an attacker, that attacker may use the SDK to access malicious URLs in order to display ads meant to trick the end user into giving over sensitive data,” Lookout explains.
Related: Phishing Pages Hidden in “well-known” Directory