New iPhone, Android warning – Millions of phones now attacked


Your phone is at risk as cybercriminals shift to a “mobile-first attack strategy”, having discovered that you are much more likely to fall victim on your phone than on a larger device. And given the time we spend on our phones, a “new insidious attack vector – the association of social engineering with mobile devices” aggravates the threat.

The new report from the research team at Zimperium warns that attacks on tens of millions of phones are now moving “beyond simple banking fraud and payment fraud”, with “more treacherous” mishing (mobile phishing) lures that include “downloading malware capable of diverting OTPs (one-time passwords) and verification codes, imitation of screen interfaces and the possibility of stealing business application identification information.”


Behind this threat is a change in tactics, as sneaky new methods are developed, tested and then deployed. These include malicious links in emails that lead to legitimate websites when opened on PCs but to dangerous websites when opened on mobiles, where a threat is so much more difficult to detect on a small screen, and the growing use of quishing attacks, where QR codes replace links, exploiting the confidence users place in QR codes. All this requires new levels of mistrust among iPhone and Android users.

Zimperium claims that these threats are amplified by the widespread use of employees’ own devices within the companies they work for, connecting to business networks and accessing business systems. “This convergence has created an environment where a successful mishing attack can compromise personal and business security, potentially offering attackers direct access to infrastructure and critical data.”

Nico Chiaraviglio, chief scientist of Zimperium, warns that “Mishing is not only an evolution of traditional phishing tactics – this is a whole new category of attacks designed to exploit the specific capacities and vulnerabilities of mobile devices, such as cameras. Our research shows that attackers are increasingly exploiting several channels specific to mobiles – including SMS, emails, QR codes and voice phishing (vishing) – to exploit user behavior and extend their attack surface.”

And while email has always been the main vulnerability, new attacks are more likely to target you by SMS or messaging app. This change follows increased nervousness about opening attachments or clicking links in emails. It is all aggravated by AI advances, which make it even more difficult to detect a threat on a small screen before tapping.

Not only does SMS carry the risk of text phishing, it is also vulnerable to 2FA code hijacking by on-device malware in real time. The US government warns users to stop using SMS codes for 2FA, and in recent days we have seen SMS codes intercepted in hijacks of Gmail and Outlook accounts. Zimperium highlights the “SMS Stealer” malware, which “compromises accounts on more than 600 world services”.

The FBI, meanwhile, warned users to delete all phishing texts, given the alarming rise in SMS attacks imitating brands and local government agencies. As we have seen with the recent warnings from the FBI and police about toll fraud and disaster-relief scams, the ease of masking a sender ID and of using a brief text and a shortened link to hide an atypical URL makes it too easy to lure a user into clicking.

Zimperium also notes the geographic targeting of mobile attacks, again as we see with fake toll messages focusing on specific cities and states. “Mishing campaigns frequently use redirection based on geolocation at the country or even the city level, allowing very targeted attacks. This allows precise targeting of specific regions or organizations, complicates detection by security researchers, increases the efficiency of the campaign by location, [and] reduces detection rates.”
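The device-dependent links and geolocation-based redirection described above can be spotted by comparing where the same link lands under different client conditions. The following Python sketch is an added example, not code from Zimperium or the report; it assumes a mail gateway or URL sandbox has already recorded the final landing URL per device profile and egress country, and every URL in it is a constructed placeholder.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations: (link, device profile, egress country, final URL).
# All hosts are placeholders under reserved example domains.
OBSERVATIONS = [
    ("https://short.example/a1", "desktop", "US", "https://www.bank.example/login"),
    ("https://short.example/a1", "mobile", "US", "https://bank-verify.example.net/login"),
    ("https://short.example/b2", "desktop", "US", "https://www.news.example/story"),
    ("https://short.example/b2", "mobile", "US", "https://m.news.example/story"),
    ("https://short.example/c3", "mobile", "US", "https://tolls.example.org/pay"),
    ("https://short.example/c3", "mobile", "DE", "https://www.search.example/"),
]

def site_key(url):
    """Lower-cased host without a leading 'www.' or 'm.' label, so an
    ordinary mobile subdomain is not reported as a different site."""
    host = (urlsplit(url).hostname or "").lower()
    for prefix in ("www.", "m."):
        if host.startswith(prefix):
            return host[len(prefix):]
    return host

def find_conditional_redirects(observations):
    """Return {link: sorted dimensions ('device', 'geo') on which the landing site changes}."""
    by_link = defaultdict(list)
    for link, device, country, final_url in observations:
        by_link[link].append((device, country, site_key(final_url)))

    findings = {}
    for link, rows in by_link.items():
        dims = set()
        for i, (dev_a, geo_a, site_a) in enumerate(rows):
            for dev_b, geo_b, site_b in rows[i + 1:]:
                if site_a == site_b:
                    continue
                # Attribute the change only when exactly one condition differs.
                if dev_a != dev_b and geo_a == geo_b:
                    dims.add("device")
                elif dev_a == dev_b and geo_a != geo_b:
                    dims.add("geo")
        if dims:
            findings[link] = sorted(dims)
    return findings

if __name__ == "__main__":
    for link, dims in find_conditional_redirects(OBSERVATIONS).items():
        print(link, "destination varies by", ", ".join(dims))
```

The prefix stripping in `site_key` is a deliberate simplification; a production check would compare registrable domains using the Public Suffix List.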


Part of this requires user training and awareness, as well as strict rules on handling links and attachments. But with regard to account credentials, there are now several reasons to switch from SMS to authenticator apps or passkeys. As Microsoft warned, we are only secure if the legacy sign-in methods are removed. It is therefore not only a question of providing new ways to secure accounts; the old routes also need to be closed.

Mobile devices have become the “main targets”, warns Zimperium. “The technical sophistication demonstrated by the observed campaigns suggests that this trend will continue to accelerate, requiring continuous innovation in mobile-specific security controls.”
