Whenever we use our devices, whether mobile or otherwise, there is a risk that we'll have our data stolen as we mistakenly click on the wrong link, Chris Hazelton is the Director of Security Solutions at Lookout, a mobile phishing solutions company, and he knows precisely what dangers surround us.
Talking to us about mobile phishing and how it's different from the phishing campaigns targeting our other devices, the general threat landscape, and more, Chris Hazelton helps put things in perspective. Find our interview with Chris Hazelton, Lookout Director of Security Solutions below.
TechNadu: There are all sorts of security threats nowadays. Lookout specifically focuses on mobile security. How are threats for mobile devices different than those for desktops or other similar products?
Chris Hazelton: Today, most desktop apps are web apps, and a high percentage of those apps have vulnerabilities in them that malicious actors leverage to deliver malware. In 2018, 5.1% of Microsoft users encountered malware on Windows devices. 4.3% of Android users with Lookout mobile security encountered mobile malware in Q4 of 2019. Even with a lot of native protections in place on mobile, enterprise users still encounter malicious apps at a significant rate. Most organizations do not have protections in place to identify and remediate mobile application threats.
One hundred fifty-six vulnerabilities were identified by security researchers, while Google Android had 414 vulnerabilities. By comparison, Microsoft Windows 10, the most widely used enterprise operating system, had 357 vulnerabilities. Every organization has mobile users, and for that reason, need greater protection from mobile threats and enterprise-level risk control.
Below are significant mobile threats discovered by our machine learning engines and security researchers in 2019. Some of the more notable ones were mobile phishing campaigns against the UN and leading banks, as well as Monokle, which was an advanced surveillanceware campaign developed by a group sanctioned by the US government.
TechNadu: One of the issues you focus on is mobile phishing. Are phishing campaigns more successful when people use their mobile devices than when they use other devices?
Chris Hazelton: With more than half of attackers targeting both mobile and desktops, phishing attacks pose a dangerous threat to mobile users and their employers. While each attack is unique, they share the end goal of stealing sensitive corporate data. Lookout research suggests that users are three times more likely to click on a malicious URL on a mobile device.
Phishing emails represent a small portion of corporate emails, approximately 0.24%, according to a leading email security vendor. Oftentimes, organizations focus on providing phishing tools and training to drive employee awareness. On mobile, phishing threats can come from any app, both personal or for work. For this reason, the encounter rate for mobile phishing is very high in the enterprise. In Q4 of 2019, 15.8% of Lookout enterprise users encountered a phishing link on their mobile devices.
TechNadu: Tell us more about the phishing campaigns targeting mobile devices specifically. Why is this happening?
Chris Hazelton: Lookout Phishing AI recently discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks. The phishing campaign, primarily spread through SMS messages, mirrors the login pages of the banks in an effort to capture the user's banking credentials and other sensitive login information. Some of the banks affected by this phishing campaign include Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase, all of which were notified prior to publishing.
Lookout research indicates that this phishing campaign solely targets mobile users. The web pages are built to look legitimate on mobile, with login pages mirroring mobile banking application layouts and sizing, as well as including links like, "Mobile Banking Security and Privacy" or "Activate Mobile Banking."
Lookout has identified more than 200 phishing pages that were part of this campaign and has notified all banks affected. As of today, the campaign is now offline. When the attack was discovered, the Lookout Phishing AI engine was able to find the victim's IP addresses and dates on which the current deployment of the phishing kit recorded the clicks. This revealed a campaign against consumers of these banks, as well as the success of the attack, ongoing since June 2019.
TechNadu: How does Lookout protect people from phishing attempts?
Chris Hazelton: Lookout inspects connections across all apps when a user connects, without inspecting the content and without violating end-user privacy. We protect employees as they bypass today's perimeter controls due to the mobility and adoption of cloud services.
From fully managed and locked down devices to BYOD, Lookout Mobile Phishing Protection supports all the users in your organization.
Lookout alerts users to phishing attempts from any source on mobile devices including:
TechNadu: Identity theft is a major issue nowadays. Are we seeing more cases now than we did, say - a year ago? What should people do or avoid doing to protect themselves against such issues?
Chris Hazelton: Phishing attacks on mobile devices have very high success rates because of how difficult it is to spot the tell-tale signs that people recognize on a laptop or desktop PC screen. Smaller screens, the speed at which we operate with mobile devices, and that few users know how to preview a link on mobile before clicking on it can all seriously impact the ability to identify a mobile phishing attack.
Mobile phishing campaigns happen all over the world. As shown in the map below, countries in every region of the world are dealing with this problem. The data behind this map shows the encounter rates in 2019 of all countries with customers using Lookout Mobile Phishing Protection on their mobile devices. It should come as no surprise that this problem exists across the globe.
TechNadu: What is your advice for people who don't know what to look for to differentiate phishing from real pages?
Chris Hazelton: Phishing on mobile is extremely difficult to spot. Interfaces created by hackers are virtually identical to their legitimate counterparts, and that's a big reason why mobile phishing represents such a risk to the enterprise.
TechNadu: What is one of the biggest security threats we should be looking at nowadays?
Chris Hazelton: Mobile phishing is the biggest unsolved cybersecurity threat in organizations today. It only takes one errant tap to compromise a mobile device. That tap may be on a malicious URL that was truncated in the browser window, a URL an app accessed in its backend to unknowingly connect to a malicious ad network or a link in personal email created to trick a user into offering corporate credentials - that enables an attacker to move laterally in your infrastructure towards your valuable data.