Comment: Analysing the mobile threat landscape during the pandemic

In this article, Steve Whiter (Appurity Director) and Tom Davison (Mobile Security Leader at cybersecurity company Lookout) join forces to discuss the mobile threat landscape during the ongoing global health crisis.

In the first few months of Covid-19, during the build-up to lockdown in the UK, malicious actors were quick to take advantage of the hysteria surrounding the virus. This led to an influx of Covid-related phishing scams and fake apps.

In the 2020 Mobile Phishing Spotlight Report, Lookout reported a 37% increase in enterprise mobile phishing in Q1 of 2020 (compared to the previous quarter) with many new domains appearing containing the word “Covid-19” or “Coronavirus”.

At the same time, a plethora of fake apps were purporting to provide valuable information relating to Covid-19. They weren’t pretending to be official government track-and-trace type apps, it was more a case of “Find out what’s going on in your area”.

Amidst a great deal of confusion and fear, it was clearly difficult for many people to determine what an official app looked like. Plus, governments and key organisations in different countries were taking different approaches, even within the UK. News and updates from trusted sources were valuable as people were naturally concerned, and they wanted information quickly.

Attackers took advantage of this situation. They knew that many people were spending more time at home using their devices trying to learn more about the virus. The result was more people than usual being lured into downloading all types of malicious apps to their mobile devices around the world. Lookout also identified commercial spyware being distributed via Covid-19 related apps.

In terms of the various mobile threat vectors out there, app-based phishing is the one that there’s been most activity around. (Other threat vectors include device-based threats and network based threats.) Put simply, if an attacker wants to get you to install an app or they want to compromise something on your mobile device, they will usually begin that process with a phishing message.

Many people using mobile devices, especially in the legal profession, know that their devices are managed and that the communications they are receiving have been through corporate checks, and this can give them a greater sense of security.

But as cybercriminals deploy increasingly sophisticated phishing techniques, the SMS messages they are currently sending are much more believable, especially those purporting to be from trusted organisations such as government departments, banks and other organisations.

That’s because today’s hackers are investing more time and effort into designing and developing pixel-perfect duplicate landing pages and user interfaces. Their messages read more convincingly and their domain names closely resemble the real deal. Plus, on smaller mobile device screens it can be more difficult for people to spot anything fraudulent, compared with desktops.

In the above phishing attack targeting Verizon employees, an almost exact replica of Verizon’s NetScaler has been created. Unless the recipient knew exactly what the URL should be, they were unlikely to be suspicious. (The hyphenated one is the fake.)

Worryingly for the legal sector, hackers are intentionally targeting highly-regulated industries due to the high value of their resources. They are aware that just one mistake from one employee could make the whole network vulnerable.

Another key concern centres around phishing being channelled through multiple routes on devices, from apps to WhatsApp, Messenger, and even things like pop-up ads within apps. So, from a shadow IT perspective, firms may have their partners’ email locked down on their mobile devices, but with more and more interactions taking place outside of email, there’s a greater risk of mobile threats.

According to Lookout’s researchers, the cost of unmitigated mobile phishing threats for companies with 10,000 mobile devices could reach $35 million per incident, and up to $150 million for businesses with 50,000 mobile devices.

As the pandemic continues, it’s important understand how vulnerable people can be to phishing attacks on mobile devices. The Lookout team recently ran a phishing test at a security event in France using freely available delegate contact details from various social media platforms. Around half the people contacted clicked a link, which took them to a page stating: “This is a phishing test!” Bear in mind this was a cybersecurity conference for people who work in the industry day-to-day.

Steve Whiter is a director of Appurity, specialists in business mobility, with extensive experience of secure mobile communications for the legal profession.

Tom Davison leads a team of mobile security experts at Lookout, a cybersecurity organisation specialising in mobile threat intelligence and mobile threat defence.