Growing trends such as Bring Your Own Device (BYOD) have presented business with the challenge, not only of keeping up to date with the wide range of mobile devices coming on to the corporate network, but also the massive task of maintaining control over these devices from a security perspective, as these devices become a prime target for cyber criminals looking to propagate mobile malware.
Back to the future
The issue of mobile malware is one that has risen from near obscurity, to a very real and concerning problem that is facing businesses, and the reason behind this is simply that cybercriminals go where the users are and where the money is. In 2012, there were only a small percentage of malicious threats on mobile devices, most of which were based on classic scams attempting to convince users to enter sensitive information into a website that replicates a bank’s website, for instance.
In 2013 however, mobile malware has become far more complex and prolific, because mobile users represent a huge target for cyber criminals. Recent research from IDG showed that 70 % of those employees surveyed, are already accessing the corporate network and business-critical apps using a personally owned mobile device, including phones and tablets, and 80 % access email from their personal devices. Therefore mobile users in the workplace have become a ‘back door’ entrance for cyber criminals to gain access to corporate networks and the sensitive information or IP that resides there.
In the “traditional” desktop world, cybercriminals today can purchase exploit kits on the underground market and utilise malware networks (or “malnets”) to continually launch malware attacks on users, but to date, exploits that target mobile devices have not yet appeared.
However, tried and tested techniques such as propagating malware through pornography, spam and phishing that have worked well in the desktop world are now successfully migrating to the mobile world. What makes these ‘old-school’ techniques so effective is that they are by their very nature device agnostic, and are easily able to expand attacks to target mobile devices to convince users to provide credentials or other confidential information.
Another aspect that makes the mobile an appealing target for cybercriminals is the fact that mobile versions of websites are often crafted and hosted by third parties. This means that the URL might not be a good indicator of the relative safety of the site. On a desktop PC, untrustworthy URLs are easy to spot as the screen is much larger and viewing the full web address is straight forward and clear.
When trying to access certain sites on a mobile device, users are often redirected to a different site, and this practice essentially conditions users to be comfortable with going to a strange URL that doesn’t necessarily seem to match up with what they are looking for. This behavioural difference and inability to differentiate between a legitimate URL and an illegitimate one, gives attackers an edge that they can leverage to deceive mobile users.
How to solve a problem like mobile malware?
Mobile devices open up vast opportunities for the business and for the user, giving the user the ability to become more productive and gain access to a wealth of information and corporate assets wherever they are. It also provides businesses with the opportunity to make cost savings on hardware and help them to maintain an efficient and happy workforce.
Yet, many businesses have not yet put tools and practices in place to allow users to make good, safe choices.
When we think about security under the lens of mobile devices, some risks decrease, some increase and some stay the same. For example, passwords are more vulnerable on a mobile device because of its portable nature, user’s details are easily exposed to an onlooker. Mobile devices have also bucked the trend of hiding passwords as you enter them, and typically expose the password, character by character, to ensure that your entry is correct.
It is also often harder to make good choices about the links you visit on a mobile device. Many times these links are truncated or shortened via a service such as “Bitly”, which impedes a user’s ability to make an informed decision about their destination.
Lastly, a recent phishing attack from “PayPal” demonstrated how easy it is to be tricked into giving up your personal information to a cyber criminal on a mobile device. In this attack, users received a perfectly formatted, grammatically correct phishing email informing them that Paypal had detected suspicious activity during the user’s last transaction.
The email goes on to say that PayPal has temporarily blocked the account until the user verified the account by clicking on a link. Simple methods like these, which are seemingly legitimate in appearance, are what we will continue to see over the coming years, and without educating users or having proper security policies in place, business are leaving the corporate network exposed.
Extending an enterprise-class web security solution to include mobile devices is a good first step towards protecting your employees. By closing the mobile security gap and enabling controlled access to corporate assets with appropriate policy controls, businesses can proactively protect themselves against this evolving mobile threat landscape while capitalising on the innovation and productivity of a mobile workforce.