With More Sophisticated and Pervasive Attacks on Mobile Devices, Enterprises Turn to Mobile Web Browser Isolation Advances

The proliferation of smartphones, along with the explosion of remote working given the ongoing challenges of the COVID-19 pandemic, has brought the issue of mobile device security back into focus. Mobile devices are increasingly attractive targets for malicious attacks simply given the number of interactions they carry, from business collaboration to messaging, email, and use of mobile applications.

By silently installing malicious content, attackers can infect smartphones with viruses and use them as a pathway to sensitive data stored on the device, and even to data on corporate servers, as well-funded cybercrime rings can penetrate the perimeter after a single “click on a link” that unlocks a door. Password managers are accessible from mobile devices, which can turn into another attack vector. Text messages, WhatsApp messages and similar channels are all entry points that bypass email security tools, which are known to fall short of the desired level of protection.

In addition to accessing basic mobile device operating systems, malicious applications can also access voice-recording devices, cameras and location-based information, and can even intercept text messages. Not only do these security breaches compromise each user’s privacy; because so much work is being done on mobile devices, business systems and data are also compromised.

Even before the global health crisis exploded, in March of last year, McAfee released its Mobile Threat Report 2020, which found that attackers are using hidden mobile apps and fake websites to fool end-users.

Based on its research, McAfee reported that attackers have expanded the ways of hiding their attacks, making them increasingly difficult to identify and remove. Hidden apps take advantage of unsuspecting end-users in multiple ways.

In recent years the expanding mobile device market has become an increasingly attractive target for malicious attacks. The evolution of smartphone technology delivers more computing power and functionality, and the ability of smartphones to run business applications, from Office365 to Microsoft Teams and from Slack to Zoom, makes mobile an increasingly attractive target.

We’re seeing that the standard malicious attacks for PCs, like malware/ransomware, as well as attack vectors like Internet access, are at least as applicable to mobile computing, so the same security issues exist. A big difference when it comes to mobile is the smaller size of the screen, and the pace of interactions as users are essentially “living their lives” using mobile applications and mobile web interactions.

“Cellular services including messaging, voice calls and live collaboration using the mobile browser can be used to deliver malicious content and to control the mobile device,” said Osman Erkan, founder and CEO of DefensX, a browser and web threat isolation technology company which specializes in mobile security. “Cellular services provide multiple opportunities for phishing attacks, for example. Phishing is an attack strategy in which the attacker gains sensitive information from the user by presenting itself as trustworthy. There are even vishing attacks today, carried out using voice calls. By masking the true voice call ID, the attacker can trick the user into calling a certain number. The attacker can then gain sensitive information from the user by pretending to be a trustworthy entity, like a bank or insurance company.”

Evolving mobile browser-based threats are far more difficult to control given the way people use their devices during all waking hours, and given well-funded “campaigns” with software that takes advantage of smaller screens and different mobile “UX.”

"Adversaries are investing in and rolling out more sophisticated campaigns that are so subtle even the most savvy employees, including those in the most senior positions with access to the most sensitive data, are falling for them. Policies and education are no longer enough - it's time to automate protection through mobile web browser threat isolation software which doesn't impact productivity."

Erkan explained that users are regularly asked to provide their usernames and passwords, which can be a gold mine for cybercriminals, given how vulnerable content applications are to spoofing. “As millions of workers were forced to work remotely given the global healthcare crisis in 2020, the world saw an unprecedented number of cyberattacks when legitimate applications were spoofed with high accuracy. On one aspect, AI-based phishing protection tools are promising a lot but we should not forget that the same AI tools are available for anyone. Attackers use AI poisoning techniques to bypass these protections. AI is fighting versus AI. The result is too many false positives and the SOC teams are distracted.”

“Enterprise SOC teams can provide training and offer reminders of all these risks through some products that look for and remove malicious apps installed on the mobile phone. Ultimately, however, given the pace of business and the new way of remote working, to reach a zero-trust goal, advanced web and threat protection technologies make it possible for users to go with the flow throughout the day with the automatic support of client-side software embedded on their device that warns about risky web sites or mobile apps before they engage, or disallows those domains altogether,” Erkan said.

Attacks fall into three categories, according to DefensX:

Fake Browsers

Fake browsers look like Chrome, Firefox, Edge, Safari and others and trick end-users into clicking to learn more. The infection chain starts with a legitimate website that has been injected with code from a file sent by one of its URLs. The injected code is highly obfuscated; however, the URL most often ends with .js. Attackers often use “update your software” approaches, including using email links or script code to compromise a webpage. In one scenario, the code results in a message box popping up that tells users a critical error happened due to using an outdated web browser.

Embedded Web Content

Embedded web content phishing schemes use links contained in text or an image that lead to another page on the web when clicked. Attackers with malicious intent hope users click an embedded link (often in an unsolicited email or message) that will take them to a fake but realistic-looking website. When the visitor goes to the website, there may be a variety of phishing tactics designed to exploit users, for example collecting personal information provided on the site or initiating code that silently downloads malware/ransomware.

Spoofed Web Sites

Spoofed websites mimic legitimate websites with the intent to build trust and get end-users to interact. The most successful spoof websites adopt the exact design of the real website, and come with a similar URL. Sophisticated attacks include the creation of a "shadow copy" of the World Wide Web, and once the end-user has engaged, all their traffic goes through the attacker's machine where sensitive information can be picked up. A third example is using domain forwarding, inserting control characters so the URL appears to be genuine while concealing the actual address of the malicious website.
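As an added illustration (not DefensX code and not part of the original article), here is one way a client-side filter could screen a link for the concealment tricks described above: control or invisible characters, a trusted name placed ahead of the real host, and look-alike host names. The function name `inspectLink`, the finding labels and the host names are assumptions made for the example.

```javascript
// Added example: flag link text that hides its real destination.
// Host names used with it are constructed samples (reserved .example/.test names).

// Raw control characters, zero-width characters and bidi overrides.
const HIDDEN_CHARS = /[\u0000-\u001f\u007f-\u009f\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]/;
// The same control bytes written in percent-encoded form (%00-%1F, %7F).
const ENCODED_CONTROLS = /%(?:[01][0-9a-f]|7f)/i;

function inspectLink(raw, trustedHosts) {
  const findings = [];
  // Check the raw string first: the URL parser silently drops tabs and newlines.
  if (HIDDEN_CHARS.test(raw)) findings.push("hidden-character");
  if (ENCODED_CONTROLS.test(raw)) findings.push("encoded-control");

  let url;
  try {
    url = new URL(raw);
  } catch {
    findings.push("unparseable");
    return { host: null, findings };
  }
  const host = url.hostname.toLowerCase();

  // In "https://trusted-name@other-host/" everything before '@' is userinfo,
  // so the browser connects to other-host.
  if (url.username || url.password) findings.push("userinfo-before-host");

  // Internationalised labels can render as look-alikes of ASCII names.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("punycode-host");
  }

  // A trusted name used as the leading labels of a different domain.
  const trusted = trustedHosts.map((h) => h.toLowerCase());
  if (!trusted.includes(host) && trusted.some((t) => host.startsWith(t + "."))) {
    findings.push("trusted-name-as-subdomain");
  }
  return { host, findings };
}
```

An empty `findings` list only means none of these specific tricks was seen; the returned `host` is the name the browser would actually contact and is what an allow-list decision should be made on.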

“With the popularity of mobile browsing, online collaboration and communication, and the constant use of mobile devices with small screens,” Erkan said, “these three types of attacks trick mobile users often faster than they would if the same user is concentrating at their desk, and viewing a larger screen.”

Even the C-suite is not immune, and in fact is an important target of attackers.

The U.S. Federal Bureau of Investigation (FBI) tracks Business Email Compromise (BEC), which starts with a phishing email and targets high-level business leaders. Using social engineering or stolen credentials, cyber-criminals have used legitimate email accounts to trick people into making wire transfers, according to FBI reports.

These criminals also target company records, wage and tax statements, and medical records. They use the information to con other individuals, file false tax returns, and sell Personally Identifiable Information (PII) used to commit health insurance fraud.

More than 26,000 victims of phishing scams were reported in 2018, including payroll diversion. Cybercriminals used phishing emails to trick employees into giving them their login credentials. The crooks used these stolen credentials to access employees’ payroll accounts and change direct deposit information. Paychecks were diverted to accounts by the criminals. Often, payroll was sent to an untraceable prepaid credit card.

In 2019, the FBI estimated billions of dollars stolen in the past five years; in 2018 alone, more than $1.2 billion in losses was reported.

“Boards of Directors are now getting actively involved,” Erkan said, saying mobile isolation automation is part of a risk management posture. “Prioritizing cyber security to protect organizations from not only financial losses, but the cost to repair the damage, contact individuals that have had records compromised, and pay fines or face class-action suits is top-of-mind, especially after the damage we saw in 2020.”

Phil Hochmuth, Program Vice President of Enterprise Mobility at IDC Research, wrote recently that “Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook. On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”