Lookout’s Hank Schless discusses accelerated threats to mobile endpoints in the age of COVID-19-sparked remote working.
Smartphones, tablets, collaboration apps and other modern framework tools are critical to maintaining productivity remotely, but they also demand an integrated security strategy purpose-built for mobile devices.
The coronavirus pandemic has completely upended the way we work, educate and socialize. Soon after the rapid onset of the virus, organizations were forced to fully adopt work-from-home and other remote models. Luckily, employees quickly proved they could be productive and successful without being directly connected to the corporate network.
In fact, in mid-March, when most organizations sent their employees home, Lookout saw a 25-percent jump in iOS device usage. At the same time, mobile phishing attacks against consumer and enterprise users spiked across all geographies and industries. In correlation with the iOS jump, there was a 37-percent increase in mobile phishing attempts between Q4 2019 and Q1 2020. Cybercriminals are taking advantage of social uncertainty and exploiting the fact that we rely more on mobile devices to stay productive.
You’ve likely already adapted your security strategy to secure employee desktops and laptops, but if you haven’t yet secured mobile, it’s not too late to catch up. Here are some attack methods to be aware of when choosing a mobile-security strategy.
Malicious Actors Target Mobile for a Reason
Phishing attempts are much harder to identify on a mobile device. Spearphishing campaigns exploit human vulnerabilities, such as our trust of our phones and tablets. They also take advantage of the smaller mobile screens to hide the tell-tale signs we’re used to identifying on desktop computers. Attackers can pose as a legitimate party by taking advantage of VoIP phone numbers, for example, or the simplified design of a messaging app.
Threat actors will also spoof URLs and take advantage of the fact that mobile browsers shorten URLs to hide the true identity of the webpage. Also, many people don’t think to preview a link because we’re so conditioned to just tap on anything that’s sent to us. Unlike a company-issued laptop, mobile devices rarely have anti-phishing or anti-malware installed. Considering smartphones and tablets have just as much access to corporate resources, they should receive the same level of protection as those traditional endpoints.
Beware of Vishing
A recent warning from the FBI and CISA indicated that cybercriminals have turned to “vishing” to exploit the lack of mobile-device protection and attack remote workers. Vishing, or voice phishing, is a form of phishing where attackers trick you into giving up information over the phone; oftentimes posing as helpdesk or IT personnel. Since vishing relies on human error, security measures like VPNs, multi-factor authentication and one-time passwords cannot defend against these types of attacks.
While vishing takes social engineering to the next level, the kill chain to access corporate data is no different from web-based credential-harvesting attacks. Once the attacker successfully phishes the credentials, they can quickly gain access to the infrastructure and execute their attack, doing extreme damage in a short time frame. Because the user is being targeted and convinced to share their credentials, the vulnerability lies in human behavior. Enterprises need to train and educate all employees about what mobile phishing attacks look like and the best practices on how to avoid falling for them.
Phishing and Chromebooks: Secure your Remote Learners
Chromebooks have become an essential, cost-effective tool for education systems that offer remote learning. They connect students and educators with resources, and help students with homework and learning, in conjunction with Google Classroom, Google Workspace for education and other apps.
Chrome OS, with all of its built-in security features, has a reputation of being more secure than legacy operating systems. The kernel cannot be accessed and the apps run in isolation, which makes it difficult to compromise the device under normal use. It also has automated updates for patching vulnerabilities. But as much as we like Chromebook OS for secure, remote learning, Chromebooks are a modern endpoint device facing the same human-based security challenges as any other type of devices.
In other words, phishing and web-content attacks pose just as much of a threat to Chromebooks as they do to smartphones and tablets. In addition, Chromebooks use the Google Play store to download apps, which means that if a malicious app makes its way into the store, it could also affect Chrome OS devices. Finally, Chromebooks are subject to network-based threats.
Where Do We Go from Here?
With most of us working away from the office, each of us now represents a remote office that your organization needs to secure. Many organizations turned to VPNs when shifting to remote work, but that leaves a number of security gaps, including the fact that many of us don’t use VPNs when using our mobile devices.
With work now happening wherever the employee resides, you must move security from perimeters to the endpoints. Security now needs to go wherever the employees go. As we continue to migrate towards a mobile-first world, this is a great opportunity to rethink how to permanently secure your organization.
Hank Schless is Senior Manager for Security Solutions at Lookout.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.