In February 2024, Lookout discovered an advanced phishing kit targeting the Federal Communications Commission (FCC), along with several cryptocurrency platforms. While most people think of email as the realm of phishing attacks, this threat actor, known as CryptoChameleon, used the phishing kit to build carbon copies of single sign-on (SSO) login pages, then used a combination of email, SMS, and voice phishing to lure mobile device users to them.
This attack is the latest in a trend, signaling a sea change in the modern kill chain. When people think of “cyberattacks,” their minds often go to malware and brute force attacks, and when they think about cybersecurity, they first think about protecting laptops and desktops. But the attack on the FCC demonstrates that mobile devices carry a huge amount of risk, and it’s not the only example.
Scattered Spider, a different threat actor, has targeted companies like Twilio and Uber using similar tactics. These attackers aren’t forcing their way in — they’re often walking through doors that have been flung wide open using social engineering.
CryptoChameleon used these tactics to steal the usernames, passwords, password reset URLs, and even photo IDs of hundreds of people, which demonstrates a critical point: when attackers target mobile devices, the consequences aren’t limited to mobile devices. Mobile devices are the keys to the kingdom, providing a pathway for attackers to compromise your entire organization.
In a world of hybrid work, in which mobile devices provide critical flexibility to your workforce, here’s what you need to know about the risks they pose to your organization.
Mobile Devices a Favored Target in the Modern Threat Landscape
In many ways, mobile devices serve as an avatar for their user. They are trusted devices that people use for both their work and their personal lives, and they contain a wealth of information, from work email to personal email, to passwords and phone numbers, and they’re frequently used for multi-factor authentication. With so much valuable data on one little gadget, it’s no wonder mobile devices have become a favored target for threat actors.
Another reason modern-day attackers find mobile devices so appealing is that they tend to be easier targets than traditional endpoints like desktops. When users are looking at the tiny screen of a mobile device, they have a harder time discerning threats.
Think back to the attack on the FCC: CryptoChameleon created fake Okta login pages and prompted users to enter their credentials. These pages looked practically identical to the real thing, and on mobile, where the browser often truncates or hides the address bar, it is harder to spot a URL that is not quite right. Attackers can replace a lowercase “l” with an uppercase “I,” for example, two characters that are indistinguishable in many sans-serif fonts, and it is easy to see how users could tap a scam link without realizing it is not the real thing.
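To make the lookalike-URL problem concrete, here is an added example (not code from the original post, Lookout, or the phishing kit) of the check a security team could run on a link before a user taps it. It goes beyond the single I/l swap mentioned above and also collapses digit-for-letter substitutions, the “rn” for “m” digraph, a small constructed subset of Cyrillic/Greek homoglyphs, Punycode-encoded labels, a trusted name embedded in a longer attacker domain, and the userinfo trick (`https://trusted@evil/`). The allowlist `TRUSTED_HOSTS`, the homoglyph table, and the sample URLs are all constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the SSO hostnames users are expected to sign in to (assumption).
TRUSTED_HOSTS = {"login.example.com", "example.okta.com"}

# Small constructed subset of Cyrillic/Greek letters that render like Latin ones.
# The full Unicode confusables table is far larger; this is illustrative only.
_HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "ο": "o", "α": "a",
})

# ASCII characters that are near-identical on a small sans-serif screen.
_CONFUSABLE_ASCII = str.maketrans({"l": "1", "|": "1", "o": "0"})


def skeleton(host: str) -> str:
    """Reduce a hostname to a form in which lookalike spellings collide."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            # Internationalized label: decode Punycode so the Unicode letters are visible.
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    host = ".".join(labels)
    host = host.translate(_HOMOGLYPHS)
    host = unicodedata.normalize("NFKC", host)      # fullwidth / compatibility forms
    host = host.replace("I", "l").lower()           # capital I and lowercase l look alike
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(_CONFUSABLE_ASCII)


def _raw_host(parts) -> str:
    """Hostname with its original case kept (urlsplit().hostname lowercases it)."""
    hostport = parts.netloc.rpartition("@")[2]
    if hostport.startswith("["):                      # IPv6 literal
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0].rstrip(".")


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, hostname) for a link a user is about to tap."""
    parts = urlsplit(url)
    host = _raw_host(parts)
    if parts.username is not None:
        # https://login.example.com@evil.test/ displays the trusted name but goes to evil.test
        return "userinfo-trick", host
    if host.lower() in TRUSTED_HOSTS:
        return "trusted", host
    padded = f".{host.lower()}."
    for trusted in TRUSTED_HOSTS:
        if f".{trusted}." in padded and not host.lower().endswith(trusted):
            return "embedded-trusted-name", host     # e.g. login.example.com.evil.test
    skel = skeleton(host)
    if any(skel == skeleton(t) for t in TRUSTED_HOSTS):
        return "lookalike", host
    return "unknown", host


# Constructed sample links (not real phishing URLs). The Cyrillic "о" (U+043E) in the
# last two is the kind of swap that is invisible on a phone screen.
SAMPLE_URLS = [
    "https://login.example.com/sso",
    "https://Iogin.example.com/sso",                 # capital I for lowercase l
    "https://1ogin.example.com/sso",                 # digit 1 for l
    "https://login.exarnple.com/sso",                # rn for m
    "https://lоgin.example.com/sso",                 # Cyrillic о
    "https://" + "lоgin.example.com".encode("idna").decode("ascii") + "/sso",  # Punycode
    "https://login.example.com.evil.test/sso",
    "https://login.example.com@evil.test/sso",
    "https://mail.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, host = classify_url(u)
        print(f"{verdict:22} {host:40} {u}")
```

The skeleton is deliberately lossy: it is meant to flag links for a warning or a block list, not to prove two hosts are identical, so anything it marks as `lookalike` still deserves a human or a reputation lookup before it is allowed through.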
Because of the inherent vulnerability of mobile devices — and because when breached, they can serve as a free pass to steal credentials, which grants easy access to the cloud infrastructure that houses your organization's sensitive data — it’s no wonder that this is where attackers have begun to focus their efforts.
When It Comes to Protecting Mobile Devices, Existing Security Solutions Fall Short
The truth is, many of the legacy endpoint protection solutions on the market aren’t equipped to keep mobile devices secure. Some solutions ignore mobile devices entirely, putting their entire focus on desktops and servers.
To fill this security gap, many organizations have turned to mobile device management (MDM) solutions, but this is like putting a bandage on a broken leg and expecting it to fix the problem. In reality, MDM isn’t a security solution — it’s a management one. While it may provide some visibility into apps, passwords, and current operating systems, it doesn’t provide any visibility into threats.
Endpoint detection and response (EDR) and extended detection and response (XDR) can be a step up, security-wise, but they often lack insight into mobile-specific threats. In the modern-day kill chain, mobile devices are a frequent entry point for attackers, which means that if your EDR solution has no visibility into mobile devices, it is leaving you exposed at exactly that entry point.
The Risks to Mobile Devices are Wide-Ranging
Social engineering is a widely favored tactic for compromising mobile devices — that’s how CryptoChameleon compromised the FCC and a range of cryptocurrency platforms — but it’s not the only way mobile devices become compromised.
There are a wide variety of mobile threats your organization needs to be aware of.
Risky and malicious apps
The mobile threat most people think of first is malware, which endpoint tools can often spot and block, but there is a much wider range of mobile app security risks you need to be aware of to holistically minimize risk. Employees using personal devices will inevitably download unvetted apps, a form of shadow IT, which introduce a spectrum of risks. These risky apps might request excessive permissions, come from untrustworthy developers, or even introduce malware to a device.
OS and app vulnerabilities
Another risk of employees using personal devices for work is that individuals may not keep them updated. Out-of-date apps and OS versions can leave mobile vulnerabilities unresolved, opening devices up to exploitation by attackers.
Network threats
With users frequently connecting their mobile devices to a variety of networks, from airport Wi-Fi to unvetted Bluetooth devices, they become susceptible to network threats like man-in-the-middle attacks, in which an attacker positioned on the network intercepts the device's traffic and, where encryption is missing or the device can be tricked into trusting the attacker's certificate, reads or alters it.
Multiple types of phishing
These days, phishing attacks come in many different disguises. They can be delivered via email, but they can also come in the form of SMS messages, QR codes, and on messaging, social media, or dating apps. And with such a small screen, phishing attacks are particularly difficult to spot on mobile devices. A recent Lookout survey found that 75% of organizations experienced a mobile phishing attempt targeting employees within the last six months.
Mobile Security is a Must
When it comes to mobile devices, everyone — including government agencies like the FCC — is vulnerable. These devices are a gateway to your organization’s critical apps and networks, where your sensitive data is housed, which is why today’s threat actors are using them as the starting point in the modern kill chain.
To keep corporate data secure — whether it’s located on mobile devices or in the cloud — organizations must create a security strategy that incorporates mobile devices as well as traditional endpoints. To learn more about how threat actors are exploiting mobile devices, check out our free webinar, Understanding the Modern Kill Chain to Keep Data Secure in 2024. Our experts cover how the kill chain has evolved, the modern tactics that are being used to trick users, and what actions you can take to immediately begin protecting your data.
Blog courtesy of Lookout. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more Lookout news and guest blogs here.