Cybersecurity Awareness Month 2021: Week 3
Last week, we discussed email phishing and the red flags you need to be aware of. This common yet effective method of harvesting personal data laid the foundation for attacks that target mobile devices. Though many people are aware of phishing email campaigns, the same cannot be said about mobile phishing campaigns. Hackers use social engineering techniques over services like Facebook, WhatsApp, and SMS, as well as malicious apps, to exploit users who are less suspicious of these new avenues of cybercrime.
Perhaps this explains why research has found that mobile users are three times more likely to fall victim to phishing attempts compared to desktop users. The goal of mobile phishing attempts is often the same as that of email phishing attempts, and as such, they warrant awareness and attention. Below, we outline the four most common ways hackers are infiltrating mobile devices.
- Malicious Apps
Hackers try to trick users into downloading malicious apps in two ways. One method involves using legitimate app stores like the iOS or Android stores. They use these markets to broadcast harmful apps that use phishing tactics to steal personal information. Though these stores constantly remove malicious apps, some are able to slip through the cracks amidst the torrents of official apps uploaded to these stores on a daily basis. Secondly, cybercriminals create unofficial app stores. Here, fraudulent apps mimicking legitimate ones are riddled with malware that activates only after they are installed.
These two means of infiltrating devices have become more common as corporate desktops have begun implementing pre-approved lists of software. This limits the success of hacking devices through application stores. Meanwhile, mobile devices can download any app from any network, broadening cybercriminals’ points of entry.
To keep yourself safe, never download apps from a browser; only use apps in your device’s official store. Within legitimate stores, keep an eye out for apps from unknown developers or those with few or negative reviews. Lastly, if an app is no longer supported by your device’s store, there’s probably a good reason it isn’t, so just delete it!
- Smishing
Text messaging is an often-overlooked segment of organizational cybersecurity, making “smishing” (SMS phishing) a newly popular way of hacking into mobile devices. Further, the success of these attacks has only incentivized hackers to continue deploying smishing attacks, as open rates are at an astounding 98%. Smishing primarily exploits devices by encouraging users to click on a link. Opening these links either loads a fraudulent landing page that asks for a user’s login credentials, or secretly downloads spyware onto the device. Both tactics have been successful in gaining access to personal and corporate data. Be wary of links within texts, and if you are unsure whether a link from a seemingly legitimate text is safe, reach out to the company it claims to be from and confirm whether they sent a text to your device from the number you have. Always use the phone number from an official source and not one which has been sent to you.
- Whishing
After hackers saw the success of smishing, they began launching phishing campaigns via a medium commonly used as an alternative to SMS messaging: WhatsApp. “Whishing”, or WhatsApp phishing, operates in the same way that smishing does: by sending malicious links over text. Whishing has risen in prevalence due to its relatively cheap and easy implementation. WhatsApp allows communication with anyone else on the app, enabling hackers to send mass phishing messages to a plethora of unsuspecting app users.
Whishing can be neutralized by using a web gateway to block connections to a phishing server, so make sure you are connected to your organization’s corporate network before inspecting any strange WhatsApp messages. Whether using a corporate or personal phone, never disclose sensitive information over Wi-Fi unless you know that the network is secure.
- Social Media
Lastly, hackers use social media to exploit mobile devices. Malicious links can be embedded into posts that appear innocent and uploaded to many social media sites. Facebook, Twitter, Instagram, and even LinkedIn have been known to host these types of posts. The links within these posts redirect users to phishing sites that ask for sensitive credentials. Phishing posts may appear as ads, giveaways, or contests that seem too good to be true. When clicked on, they take users to phishing sites that look real, but are simply fronts for stealing data. Be wary of any post that urgently encourages you to click on a link, especially if it involves a purchase or giving out personal information like an address.
If you’re worried about hackers gaining sensitive information through mobile attacks, contact us about network security at firstname.lastname@example.org.