COVID-19 Drives Spike in Mobile Phishing Attacks: ReportResearchers Say Targeted Campaigns Are Spoofing Banks' Login Sites
The shift to working from home during the COVID-19 pandemic has led to an increase in mobile phishing campaigns, with attackers targeting remote workers whose devices lack adequate security protections, according to the security firm Lookout. Many of these campaigns are designed to steal users' banking credentials.
Mobile phishing attacks increased 37% globally in the first quarter of this year, compared to the previous quarter, Lookout says in a new research report. Some 22% of enterprise mobile users encountered a phishing attempt in the first quarter, compared to 16% in the previous quarter, according to the research, which the firm says is based on data and telemetry collected from 200 million mobile devices around the world.
This spike in mobile phishing attacks is likely tied to the increasingly large pool of remote workers using mobile devices for both personal and business purposes, the report states. These new habits make employees an easier target for corporate credential harvesting attacks.
"Malicious actors have taken note of how reliant we are on mobile devices," Lookout's report states. "From their perspective, mobile phishing is often the cheapest way to compromise an individual or an organization."
The report also notes that while these mobile phishing campaigns have targeted a wide range of sectors, including healthcare, manufacturing and government organizations, attacks designed to harvest banking customers' credentials have also been on the rise.
For example, recent mobile phishing campaigns have spoofed the login pages of two Canadian banks - Scotiabank and Royal Bank - the report warns.
"While we cannot determine how many of those people actually entered their credentials in the fake login pages they were led to, it’s safe to assume that a certain percentage did give up that data," Hank Schless, senior manager of security solutions at Lookout, tells Information Security Media Group.
Mobile phishing attacks have become an increasingly successful model for attackers, who often rely on spoofed websites, SMS messages, shady apps and other social engineering techniques to target victims, the report says.
Increasingly, attackers are tailoring their campaigns specifically for mobile devices. For example, they are sending phishing URLs that are strikingly similar to the original domains, which often result in victims overlooking tell-tale phishing signs that they may have otherwise spotted if using a bigger screen on a laptop or desktop device, according to Lookout.
"Now more than ever, mobile devices exist at the intersection of our work and personal lives," Schless says. "Devices change between work and personal depending on the time of day, which means that corporate credentials could be phished from an attacker targeting a victim through a personal social media platform or third-party messaging app."
Of course, such phishing attacks can also target employees with higher levels of privileged access, including executives who have user rights to an organization's financial records, research or customer data, Lookout warns.
Other COVID-19 Phishing Attacks
In recent months, numerous security researchers have been tracking COVID-19-themed attacks attempting to spread malware, including spyware and information stealers. Not only have cybercriminals embraced these tactics, but also nation-state actors (see: COVID-19-Themed Malware Goes Mobile).
The COVID-19 pandemic has also been a boon for attackers who target YouTube credentials, security firm Intsights reports.
With the pandemic driving large numbers of individuals to spend more time online, attackers are increasingly using systems they have already infected with malware to search for credentials to premium YouTube accounts, according to a new Intsights report. The threat actors then sell the credentials of legitimate YouTube users on darknet forums, referring to cybercrime forums reachable only via the anonymizing Tor browser, which anyone can download.
The price for these stolen credentials is based on the account's subscriber count, the report says. For accounts with 200,000 subscribers, the price starts at $1,000, it says, while the price for a log of 990,000 YouTube active channels begins at $1,500.
Managing Editor Scott Ferguson contributed to this report.