Phishing attacks against mobile devices can be just as damaging to an organization as attacks targeting workstations and laptops, according to a market report by Cyber Security Hub. Employees are increasingly using their mobile devices for work, and attackers have expanded their focus accordingly.
Jim Livermore, CDM Smith’s Principal & Director of Global Information Security, told Cyber Security Hub that ad and click fraud is one of the most common threats facing mobile devices, and it’s particularly damaging when it’s used to surreptitiously install malware. Another infection vector comes through legitimate and third-party app stores.
“Hackers can also create malicious apps that look legitimate and have them approved for download in the phone’s app stores,” Livermore said. “Users then download them thinking they are good apps and in turn download malicious code to their phones.”
Attackers also use drive-by downloads to compromise mobile devices. These attacks work by tricking mobile users into visiting a website and knowingly or unknowingly authorizing a download.
“The drive-by consists of a piece of malware hidden within a website that appears innocuous,” Cyber Security Hub explains. “The hope is that a weakness in the user’s computer or device will allow for a click and subsequent infection. To do this, hackers typically use exploit kits that sniff out vulnerable websites. Once the site gets the go-ahead by an unsuspecting visitor, the malware is downloaded on the user’s device. It then contacts another computer to initiate further coding to access the device.”
It’s important to note that almost all mobile malware campaigns involve an element of social engineering. Users can prevent these attacks by being careful about what they click on or install on their phones, and by staying up to date on the latest attack techniques. Organizations should start approaching mobile devices with the same type of vigilance they would extend to any other computer. New-school security awareness training can create a culture of security within your organization so that every threat is treated with an appropriate level of caution.
Cyber Security Hub has the story: https://www.cshub.com/mobile/articles/email-phishing-overshadows-risk-of-mobile-malware