{"id":17019,"date":"2019-11-27T06:30:43","date_gmt":"2019-11-27T14:30:43","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/11\/27\/news-10756\/"},"modified":"2019-11-27T06:30:43","modified_gmt":"2019-11-27T14:30:43","slug":"news-10756","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/27\/news-10756\/","title":{"rendered":"7 mobile security threats that may catch you by surprise"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/security_threat_vulnerability_hacking_spyware_ransomware_stealing_crime_thinkstock_628125726-100749993-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: James A. Martin| Date: Wed, 27 Nov 2019 06:24:00 -0800<\/strong><\/p>\n<p>The night before I was to give a eulogy at my mother\u2019s memorial service, I was smished.<\/p>\n<p>As someone who regularly writes about cybersecurity, I\u2019m not usually duped by a cybercriminal\u2019s tricks. But I was in a highly emotional state and not thinking clearly when the text arrived, appearing to be from my bank. \u201cSomeone has attempted to log in to your account,\u201d the message warned, and provided a link for me to click and verify my identity.<\/p>\n<p>I clicked the link.<\/p>\n<p>A legit-looking, mobile-optimized web page appeared, asking me to enter my debit card\u2019s PIN as a form of verification. Still not thinking clearly, I entered my PIN. When I didn\u2019t receive an SMS in return, informing me that my identity had been verified, I finally realized I\u2019d been scammed.<\/p>\n<p>In the subsequent heart-pounding minutes, I called my bank and changed my PIN, user ID and passcode. Fortunately, after months of close monitoring, I\u2019ve not found anything amiss in my accounts \u2014 though I received three follow-up smishing messages, which I ignored.<\/p>\n<p>Smishing \u2014 phishing attacks delivered via SMS \u2014\u00a0is one of the cybersecurity threats gaining traction in our increasingly mobile-first world. In 2018, 49 percent of respondents to Proofpoint\u2019s <a href=\"https:\/\/www.proofpoint.com\/us\/resources\/threat-reports\/state-of-phish\" rel=\"noopener nofollow\" target=\"_blank\">State of the Phish report<\/a> said they experienced either smishing or vishing (voice phishing) attacks, up slightly from 45 percent in 2017. 
Meanwhile, mobile malware incidents increased 550 percent in 2018, according to <a href=\"https:\/\/securingtomorrow.mcafee.com\/business\/endpoint-security\/mobile-threat-report-commentary-mobile-malware-is-not-going-away\/\" rel=\"noopener nofollow\" target=\"_blank\">McAfee\u2019s 2019 Mobile Threat Report<\/a>. \u00a0<\/p>\n<p>Why are attacks on mobile users growing? Because too often, they work.<\/p>\n<p>\u201cMost of us check email first on our smartphones these days,\u201d said Chet Wisniewski, principal research scientist for security software developer\u00a0<a href=\"https:\/\/www.sophos.com\/en-us.aspx\" rel=\"noopener nofollow\" target=\"_blank\">Sophos<\/a>. \u201cCriminals know this and hope you\u2019re not paying the same kind of attention to security that you would on a desktop or laptop. They know they may be catching you at a moment when you\u2019re distracted or in a rush.\u201d<\/p>\n<p>At the same time, mobile browsers and email apps often don\u2019t enable you to easily verify a link before you click it. Plus, users are relying more on mobile\u00a0devices for work because the devices are becoming more powerful and sophisticated and sport bigger screens. Mobile devices also store a huge amount of information about us \u2014 and the companies we work for \u2014 that attackers seek to exploit.<\/p>\n<p>Smishing attacks are of particular and growing concern because they\u2019re platform-agnostic, equally impacting iOS and Android users, Wisniewski said. \u201cSocial engineering attacks don\u2019t care which brand of phone you use.\u201d<\/p>\n<p>Although cybersecurity professionals are usually aware of smishing attacks, many smartphone users aren\u2019t. And therein lies a challenge for CISOs and cybersecurity professionals, given the rise in attacks. 
According to <a href=\"https:\/\/enterprise.verizon.com\/resources\/reports\/mobile-security-index\/\" rel=\"noopener nofollow\" target=\"_blank\">Verizon\u2019s 2019 Mobile Security Index<\/a>, 85 percent of phishing attacks seen on mobile devices occur outside of email \u2014 e.g., in text messaging. \u201cWhile many organizations have filtering in place to block email-based attacks, far fewer have similar protection in place\u201d to guard against phishing attacks that occur outside of email, the report notes.<\/p>\n<p>That\u2019s beginning to change, however. In the past year or so, Mobile Threat Defense (MTD) vendors have added protections against mobile phishing to their software, notes Patrick Hevesi, Senior Research Analyst on the Security, Identity and Risk team at <a href=\"https:\/\/www.gartner.com\/en\" rel=\"noopener nofollow\" target=\"_blank\">Gartner<\/a>. MTD vendors with smishing protections include <a href=\"https:\/\/www.lookout.com\/products\/mobile-threat-defense\" rel=\"noopener nofollow\" target=\"_blank\">Lookout<\/a>, <a href=\"https:\/\/www.symantec.com\/blogs\/product-insights\/symantec-mobile-threat-defense-prevent-mobile-phishing-advanced-url-reputation\" rel=\"noopener nofollow\" target=\"_blank\">Symantec<\/a>, <a href=\"https:\/\/www.zimperium.com\/mobile-phishing\" rel=\"noopener nofollow\" target=\"_blank\">Zimperium<\/a>, <a href=\"https:\/\/www.wandera.com\/mobile-threat-defense\/what-is-mobile-threat-defense-mtd\/\" rel=\"noopener nofollow\" target=\"_blank\">Wandera<\/a> and <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/products\/mvision-mobile.html\" rel=\"noopener nofollow\" target=\"_blank\">McAfee<\/a>.<\/p>\n<p>Training employees to recognize and report smishing attacks is crucial but uncommon, Hevesi says. 
\u201cMost organizations give their employees some level of email phishing training, but most don\u2019t offer much in terms of mobile security training,\u201d he adds.<\/p>\n<p>Periodically conducting simulated smishing attacks with employees can help, just as sending fake phishing emails to users can help them learn how to spot the scams, notes security education organization <a href=\"https:\/\/www.social-engineer.org\/framework\/attack-vectors\/smishing\/\" rel=\"noopener nofollow\" target=\"_blank\">Social Engineer, Inc<\/a>.<\/p>\n<p>You probably know that apps available outside the Google and Apple app stores can be dicey at best. What you might not realize is that criminals may try to trick you into downloading their malware apps in clever ways \u2014 such as sending you a text message.<\/p>\n<p>For example, Android-based malware TimpDoor became a top mobile backdoor malware family in 2018, according to McAfee\u2019s 2019 Mobile Threat Report. The threat starts \u201cwith text messages informing users that they have voice messages to review,\u201d the report explains. \u201cThe included link to a voice-player app provides detailed instructions to enable apps from unknown sources. Clicking on the link installs a fake voice-messaging application that displays two messages. None of the buttons or icons work except the ones which play the included audio files.\u201d<\/p>\n<p>TimpDoor runs in the background and uses the device as an entry point to internal networks, McAfee reports. 
The threat is likely to evolve into \u201cad click fraud, distributed denial-of-service attacks, and sending spam and phishing emails.\u201d<\/p>\n<p>As with smishing, training users to spot and report scammy text messages is the first line of defense, along with mobile security apps that can scan devices and configurations for anomalous connections.<\/p>\n<p>Malicious apps that attempt to access the data on your phone are a significant threat, especially in the Google Play store. Third-party flashlight apps are a frequently cited example. Even though iPhones and Android phones ship with flashlight functions, free third-party flashlight apps offer additional features such as flashing strobe lights. The problem is, some of these apps in the Google Play store ask for an absurd number of permissions.<\/p>\n<p>\u201cOne Android flashlight app developer turned on every single possible permission so that the app could stay on while the phone is off, listen to phone calls, log your location, and access your contacts,\u201d said Hevesi. \u201cA flashlight app should only be allowed to access your camera\u2019s flash.\u201d<\/p>\n<p>Hevesi recommends training users to carefully consider the permissions any downloaded app requests and deny any that seem excessive or unnecessary.<\/p>\n<p>Wisniewski advises caution before downloading any free app, unless it\u2019s from a developer you know and trust (such as Microsoft, which offers free apps like To Do and OneNote) or a free app that offers legitimate in-app purchases. \u201cDevelopers need to monetize their apps somehow, so they\u2019ll often create free apps like flashlight apps that secretly collect information about you and sell it to third parties,\u201d he explained. 
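<\/p>\n<p>A check that follows from Hevesi\u2019s flashlight example: compare the permissions an app declares against what its stated purpose actually needs. The script below is an added example, not code from the article or from any vendor named in it. It parses a constructed AndroidManifest.xml for a fictitious flashlight app and flags permissions outside an assumed allow-list; the permission names are real Android constants, but the allow-list, the high-risk set and the sample manifest are this example\u2019s assumptions, not a platform standard.<\/p>

```python
"""Flag Android app permissions that go beyond what the app's purpose needs.

Added example (not from the article): a static check of an AndroidManifest.xml
against a per-purpose allow-list, following the advice that a flashlight app
should need nothing beyond the camera flash. Permission names are real Android
constants; the allow-list, the high-risk set and the sample manifest are
assumptions constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed allow-list per app purpose. Older flashlight apps drove the LED
# through the camera API, hence CAMERA; on current Android the torch needs
# no runtime permission at all, so anything else is suspect.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
}

# Permissions that hand an app user data or let it run unattended; these map
# to the behaviours described above (listening to calls, logging location,
# reading contacts, staying alive across reboots).
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed manifest for a fictitious over-privileged flashlight app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Super Bright Torch"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def audit_permissions(manifest_xml: str, purpose: str) -> dict:
    """Compare declared permissions with the allow-list for the app's purpose.

    'unexpected' is everything outside the allow-list; 'high_risk' is the
    subset that exposes user data or unattended execution. The verdict is
    what an app-vetting step could act on: reject, send for review, or pass.
    """
    declared = declared_permissions(manifest_xml)
    unexpected = declared - EXPECTED[purpose]
    high_risk = unexpected & HIGH_RISK
    if high_risk:
        verdict = "reject"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "declared": sorted(declared),
        "unexpected": sorted(unexpected),
        "high_risk": sorted(high_risk),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, "flashlight")
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

<p>The same allow-list idea generalizes to any app category an organization approves for managed devices: keep one expected set per purpose, treat anything outside it as a review item, and treat the data-access and unattended-execution permissions as an automatic rejection.<\/p>\n<p>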
\u201cYou may have even given them the permission to do so if you accepted the licensing agreement without reading it, as most people do.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2019\/09\/25\/fleeceware-apps-overcharge-users-for-basic-app-functionality\/\" rel=\"noopener nofollow\" target=\"_blank\">Fleeceware apps<\/a>, a term Sophos says it coined, are free (or low-cost) Android apps that provide simple functionality, such as barcode and QR code scanning. But, unbeknownst to you, the app regularly charges you large sums of money.<\/p>\n<p>While you may have been led to believe the app is free, a fleeceware app in reality only gives you a short free trial, exploiting the Google Play store\u2019s free trials feature, Wisniewski explained. Once the trial ends, you may be charged hundreds of dollars (or Euros). For example, users who downloaded a particular Android GIF maker app and who forgot to cancel their subscriptions after the free trial were charged about $240. \u201cOn your credit card statement, the charge appears to be coming from Google,\u201d which may lead some to believe the charge is legitimate.<\/p>\n<p>Most of the fleeceware apps have been removed from Google\u2019s app store, while a few that got through Apple\u2019s app gatekeepers were quickly removed, Wisniewski said. Nonetheless, fleeceware is yet another reason for mobile users to be vigilant about the apps they download from developers they don\u2019t know. 
Also, read the app\u2019s reviews carefully before downloading \u2014 and especially before giving an app developer your credit card to charge after a free trial ends.<\/p>\n<p>Android apps that display hidden ads are becoming a more prevalent risk, said Armando Orozco, <a href=\"https:\/\/www.malwarebytes.com\/\" rel=\"noopener nofollow\" target=\"_blank\">Malwarebytes\u2019<\/a> mobile malware analyst. \u201cWithout being overtly malicious, hidden adware components can be installed and run without your knowledge while providing a steady stream of income to bad actors,\u201d he says. \u201cThey typically come bundled in fake or repackaged apps to appear legit or in very similar copies of legitimate apps.\u201d<\/p>\n<p>Here again, teaching users to closely scrutinize apps before installing them helps. In addition, many security apps for Android and iOS can locate and remove adware and malware.<\/p>\n<p>Also known as SIM swapping or SIM hacking, SIM hijacking is when an attacker, through social engineering or other tactics, is able to switch your mobile phone number to a SIM card he possesses. Once the attacker controls your phone number, he can intercept two-factor authentication codes sent by text message, which in turn may enable him to access your email, banking, and other accounts. SIM swapping is also used to gain access to a victim\u2019s digital currency accounts, <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/sanfrancisco\/news\/press-releases\/fbi-san-francisco-warns-the-public-of-the-dangers-of-sim-swapping\" rel=\"noopener nofollow\" target=\"_blank\">the FBI warns<\/a>.<\/p>\n<p>To minimize the risks, contact your wireless service provider and set up a PIN, secret word, or another form of additional verification, advised Alex Heid, chief R&amp;D officer for cybersecurity rating platform <a href=\"https:\/\/securityscorecard.com\/\" rel=\"noopener nofollow\" target=\"_blank\">SecurityScorecard<\/a>.<\/p>\n<p>To be extra cautious, obtain a separate, private phone number that you only use for bank accounts and other financial institutions, Heid says. \u201cYour public phone number that\u2019s distributed to friends, family, business associates, social networks, and consumer services will be the first thing attackers will try to use if you\u2019re targeted for a SIM swap,\u201d he explains. \u201cIf you have a second, private phone number known only to you and your financial institutions, the likelihood of an attacker gaining access to your accounts through this method is reduced significantly.\u201d<\/p>\n<p>So-called surveillanceware is designed to capture and transmit sensitive user information such as SMS messages, voicemails or audio recordings of phone conversations. For example, cybersecurity firm Lookout says that in 2019 it discovered <a href=\"https:\/\/blog.lookout.com\/monokle\" rel=\"noopener nofollow\" target=\"_blank\">\u201cMonokle,\u201d<\/a> a sophisticated set of custom Android surveillanceware tools developed by Russia-based Special Technology Centre, Ltd., a company the U.S. government sanctioned in connection to interference in the 2016 U.S. presidential election.<\/p>\n<p>Monokle compromises a user\u2019s privacy by stealing personal data stored on an infected device and exfiltrates the information, said Bob Stevens, vice president of Americas for Lookout. 
\u201cMonokle is a great example of the larger trend of nation-states developing sophisticated mobile malware.\u201d<\/p>\n<p>You and your organization can reduce mobile device risks by staying current on the latest, emerging threats; frequently training employees to recognize and avoid untrustworthy apps and links; enforcing the use of VPNs when connecting to public Wi-Fi networks; requiring the use of a password manager app\/service; updating mobile devices regularly; and using Mobile Threat Defense and Mobile Device Management tools.<\/p>\n<p>But as I learned, even people who are usually savvy about cybersecurity can have a vulnerable moment and lower their guard. There\u2019s no way to completely eradicate that risk \u2014 it\u2019s called \u201cbeing human.\u201d<\/p>\n<p><a href=\"https:\/\/www.idginsiderpro.com\/article\/3449437\/7-mobile-security-threats-that-may-catch-you-by-surprise.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/security_threat_vulnerability_hacking_spyware_ransomware_stealing_crime_thinkstock_628125726-100749993-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: James A. 
Martin| Date: Wed, 27 Nov 2019 06:24:00 -0800<\/strong><\/p>\n<p>Even if you&#039;re usually savvy about cybersecurity, anyone can have a vulnerable moment (in our writer&#039;s case it was his mother&#039;s funeral).<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11796,3764,10554,10463,3924,714],"class_list":["post-17019","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cyber-crime","tag-malware","tag-mobile","tag-mobile-security","tag-phishing","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17019"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17019\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17019"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}