Zimperium warns of a surge in phishing attacks specifically tailored for mobile devices. These attacks are designed to evade desktop security measures in order to breach organizations through employees’ smartphones.
Mobile phishing includes SMS phishing (smishing), QR code phishing (quishing), voice phishing (vishing), and mobile-targeted email phishing.
“The emergence of device-aware email attacks allows campaigns specifically targeted to mobile users through seemingly standard email messages in which the malicious payload only executes when accessed from a mobile device,” the researchers write.
“When the same link is accessed from a desktop environment, the attack chain is terminated, making detection and analysis significantly more challenging. This is a unique and clever tactic for bypassing standard email and network security solutions, as few enterprises and users employ security on the mobile device.”
Threat actors are also using links that redirect to different destinations depending on whether the user is on a mobile device or desktop.
“Our analysis of verified phishing sites reveals a sophisticated pattern of desktop redirection to legitimate services as an evasion technique with Google and Facebook being the primary destinations,” the researchers write. “When accessed from desktop devices, these malicious sites redirect users to legitimate platforms – a technique that significantly complicates automated analysis and detection.
“This evasion tactic allows attackers to maintain prolonged campaign effectiveness by appearing benign to security tools while still targeting mobile users with malicious content.”
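A defender-side check for the device-dependent redirection described above, as an added example that is not from Zimperium's report or the original post: it compares the redirect chains recorded for one link under a desktop and a mobile client profile and flags the case where only the desktop visit is bounced to a well-known service. The hostnames, the `site` and `classify` helpers, the verdict strings and the decoy list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the two desktop redirect destinations the report names as most common.
DECOY_SITES = {"google.com", "facebook.com"}

def site(url):
    """Rough site key: last two labels of the hostname.
    Heuristic only; use the Public Suffix List for names like example.co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(desktop_hops, mobile_hops):
    """Compare redirect chains (lists of URLs, first hop = the link as delivered)
    recorded for one link under a desktop and a mobile client profile."""
    if not desktop_hops or not mobile_hops:
        raise ValueError("each chain needs at least the initial URL")
    origin = site(desktop_hops[0])
    d_final, m_final = site(desktop_hops[-1]), site(mobile_hops[-1])
    if d_final == m_final:
        return "consistent"  # includes benign www. vs m. splits on one site
    if d_final in DECOY_SITES and origin not in DECOY_SITES and m_final not in DECOY_SITES:
        # Desktop was bounced off-site to a well-known service; mobile was not.
        return "suspected-device-aware-redirect"
    return "divergent-needs-review"

# Constructed sample observations (reserved .example names, not real indicators).
SAMPLES = {
    "cloaked": (["https://notice.parcel-update.example/t/1", "https://www.google.com/"],
                ["https://notice.parcel-update.example/t/1",
                 "https://notice.parcel-update.example/signin"]),
    "mobile-site": (["https://shop.example/sale", "https://www.shop.example/sale"],
                    ["https://shop.example/sale", "https://m.shop.example/sale"]),
    "app-handoff": (["https://news.example/a/9", "https://www.news.example/a/9"],
                    ["https://news.example/a/9", "https://apps.store.example/news"]),
}

if __name__ == "__main__":
    for name, (desktop, mobile) in SAMPLES.items():
        print(f"{name:12} {classify(desktop, mobile)}")
```

A verdict of `consistent` only means the two recorded visits agreed; a link analyzed solely from a desktop sandbox yields no mobile chain to compare, which is the gap the researchers describe.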
New-school security awareness training can give your organization an essential layer of defense against evolving social engineering attacks.
“As organizations increasingly rely on mobile devices for business operations, including multi-factor authentication and mobile-first applications, mobile phishing poses a severe risk to enterprise security,” Zimperium says.
“Attackers are exploiting security gaps in cloud and mobile business applications, expanding the attack surface and increasing exposure to credential theft and data compromise. Traditional anti-phishing measures designed for desktops are proving inadequate, requiring a shift to mobile threat defense solutions on the mobile device.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Zimperium has the story.