CYBER DEFENSE MAGAZINE | Here is security’s dirty little secret: leaked mobile data represents an exponential increase in the enterprise attack surface. Why is it that spear phishing attacks have increased by 38 percent overall in Q2 of last year? Spear phishing is a phenomenally effective cyber-attack strategy that targets a specific user and organization in an attempt to obtain unauthorized access to confidential data. Mobile usage has created a treasure trove of information: calendars, contacts, call logs, location info, and a host of other types of data — information that can be accessed by hackers and other third-parties via insecure mobile apps.
Why Your Data is Fueling Spear Phishing Attacks and What YouCan Do About It
By Domingo Guerra – As our personal and professional lives become more and more intertwined, so do the opportunities for cyber criminals to harness employee information as a way to infiltrate business networks. In an enterprise environment, there are thousands, if not tens of thousands of apps running on BYOD and corporate-owned mobile devices.
The sheer volume of personal and corporate information being shared across mobile devices and mobile applications, has driven savvy cyber criminals to engage in creative attacks, such as spear phishing, to gain access to valuable data. If an infected app is in use, corporate data is instantly put at risk and confidential information can fall into the wrong hands before the employer or employee have any clue as to how it happened.
Smarter Enterprise, Smarter Criminal
As protection and security tactics continue to expand and evolve, so do those of cyber criminals. Gone are the days of being able to easily identify cyber schemes as hackers today are doing their homework. Their reconnaissance typically includes gaining access to contacts and calendar information through risky behaviors in mobile apps, laying the groundwork and blueprint for a spear phishing attack.
Spear phishing is a phenomenally effective cyber-attack strategy that targets a specific user and organization in an attempt to obtain unauthorized access to confidential data. Spear phishing is not a technique used by ‘random hackers’ but rather conducted by savvy cyber criminals looking for financial gain, trade secrets, and other personal and corporate information.
A recent study found that 91 percent of attacks involved spear phishing. In other words, more than 9 out of 10 attacks use spear phishing methods to sidestep enterprise security mechanisms in order to breach the network through the actions of an unsuspecting insider. Everyone from interns to C-level executives could be victims and unwitting accomplices in a spear phishing attack.
An attacker is not necessarily interested in the employee, rather he or she is looking for a way into the corporate system to access personal identifiable information (PII) of other employees as well as data on customers, passwords, security clearances, and even financial information.
How it Works
Here is security’s dirty little secret: leaked mobile data represents an exponential increase in the enterprise attack surface.
Why is it that spear phishing attacks have increased by 38 percent overall in Q2 of last year? What data are attackers using to enable them to craft increasingly sophisticated malware-laden attachments and emails in ever-larger numbers?
One answer lies in the ‘digital exhaust’ that mobile usage has created—a treasure trove of information: calendars, contacts, call logs, location info, and a host of other types of data—information that can be accessed by hackers and other third-parties via insecure mobile apps.
Once an attacker has completed his or her reconnaissance and gained access to one employee’s data, the difficult part is done, and he or she now has everything needed to launch a successful spear phishing attack.
By selecting a recent calendar entry or meeting, the attacker can determine other meeting attendees and devise an email which references the meeting. The email can include a malware-laden attachment with a name related to the meeting’s subject. By matching contacts to co-workers, the attacker can then create text suitable to the contact’s role and title. All of this leads the recipient to believe that the email is coming from a trusted source, and once the attachment is opened, the initial stage of the breach has begun.
How to Prevent Spear Phishing Attacks
Spear phishing attacks work because they are believable – they look like safe communications. For enterprises to truly be able to not only identify, but also prevent spear phishing attacks, a two-step process is needed. The first step is employee education: it is crucial that employees are aware of the potential risk and behaviors that come with the sharing of corporate data on both personal and professional devices.
For example, many employees are simply unaware of how something as seemingly harmless as an app asking permission to access their calendar on their personal device can lead to the leaking of corporate data. The second step is for enterprises to adequately invest in the ability to scan and analyze employee mobile apps for risky behaviors, hidden actions, and mobile malware.
Being able to locate a risky behavior in an app is like finding a needle in a haystack. Without the proper tools in place, it’s hard to see the problem until it is too late. Thus, for enterprises, it is crucial to understand the interaction between mobile apps and enterprise data as well as how these can be used together in different types of attacks.
By recognizing, understanding, and acknowledging various threat types, like spear phishing, enterprises can then take the necessary precautions to manage and prevent cyber attacks.
About the Author
Domingo Guerra, President & Co-Founder, Appthority Born and raised in Monterrey, Mexico, Domingo Guerra moved to the United State at the age of 18 to pursue his passion for technology. He is a contributor to the Appthority App Security blog and authors Appthority’s App Risk Management Report, which exposes the security risks of iOS and Android’s most popular apps. Guerra has Product Design, Development and Operations experience across multiple industries, having released products and secured patents in the Semiconductor, Robotics, Datacenter, and Mobile Security industries. He holds a BS from The University of Texas at Austin, an MS from Stanford University, and an MBA from Santa Clara University.
Read the original article starting on page 46 of Cyber Defense Magazine here.