
Experts Warn of Escalating Mobile Phishing Threats to iOS and Android Devices

Jul 11, 2024


iVerify Team

A person looking down at their mobile device whilst sitting with their laptop

Smartphone users face growing danger as mobile threats rise. These small yet sophisticated devices hold as much information as a computer and are far less protected. Cybercriminals know that users and corporations alike have a false sense of security when it comes to smartphones, and that's why 80% of phishing attacks target mobile devices, according to the latest Verizon Mobile Security Index (MSI). Furthermore, according to Verizon's MSI, employees are 6-10 times more likely to fall victim to a smishing attack than to an email attack, making it much easier for threat actors to deliver a successful credential harvesting attack through smishing.

Last week, Symantec announced a new smishing campaign targeting iPhone users in the United States. To put the potential dangers of this campaign in perspective, there are 147 million iPhone users in the United States, nearly half of the population. The attack attempted to harvest Apple ID credentials by sending iPhone users text messages that pretended to come from Apple. Those credentials can in turn unlock corporate credentials, credit card information, and other personal and business information.

Smishing Attacks Lead to Big Corporate Breaches

Recent reporting by Krebs on Security indicates that the alleged leader of the cybercrime group Scattered Spider was arrested in Spain. The group is suspected of hacking Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years, often by exploiting mobile phones. This illustrates the high stakes companies face when securing mobile phones.

"Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as 'The Com,' wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email, or SMS into giving away credentials that allow remote access to corporate internal networks."

According to Krebs, the cybercrime campaign by Scattered Spider that started in 2022 involved countless SMS-based phishing attacks against major companies, aimed at stealing credentials from their employees. These attacks stole usernames, passwords, and one-time codes used to log into company systems. One of Scattered Spider's first big victims was Twilio, whose systems were subsequently exploited to attack at least 163 of its customers.

Then Scattered Spider hit Mailchimp, whose stolen employee credentials enabled them to steal data from 214 customers in the cryptocurrency and finance industries.

Next, they attacked LastPass. The investigation ultimately resulted in the company disclosing that attackers gained access to source code, encrypted copies of customer vaults, and the corporate vault (a critical asset accessible to only four employees at the time).

Underestimating Mobile Threats is Risky Business

Conventional wisdom says that defending against smishing is challenging for security teams due to the diverse range of mobile devices, service providers, and messaging apps employees use to access corporate systems and get their jobs done. Unlike email, which generally conforms to standard protocols and can be filtered at the network level, SMS messages are delivered directly to users' devices through their mobile carriers. This decentralized delivery mechanism makes it hard to protect mobile devices adequately. In this case, conventional wisdom is driving complacency in organizations and giving cybercriminals the advantage: millions of corporate and BYOD devices sit unprotected, exposing sensitive information such as company emails and trade secrets, and credentials such as passwords, SAML or OAuth tokens, private keys, and API keys.

iVerify recently partnered with Return on Security to investigate the complacency issue further and found that structural barriers, including fragmented responsibility within organizations, make things complicated. Standout exceptions are government agencies and companies that have intellectual property to protect. Still, every mobile device is vulnerable and should be protected across all organizations, just like networks and other endpoints that have been protected for years.

Secure Your Mobile Devices with Mobile EDR

iVerify offers advanced mobile EDR solutions that combine threat detection and mobile forensics with automated response and remediation for enterprise-level protection against sophisticated threats, including mobile malware, unpatched vulnerabilities, smishing, and credential theft, ensuring maximum privacy and security.

iVerify is fundamentally different from legacy mobile security. Legacy mobile security products are limited to signature-based threat detection and offer virtually no response capability. iVerify uses heuristic-based threat hunting to identify threats and infected devices, including the industry's most sophisticated Pegasus detection capability. This makes iVerify the only product to offer a complete mobile EDR solution that detects threats and quickly responds to eliminate the impact of compromised BYOD and corporate-owned mobile devices across the enterprise, greatly reducing the likelihood of a corporate breach.
