Enterprises suffer surge in mobile phishing attacks
Cybercriminals are increasingly adopting a 'mobile-first' attack strategy to infiltrate enterprise systems by targeting weak, unsecured, and unmanaged mobile endpoints, recognizing mobile as a major entry point to corporate networks and sensitive data.
A new report from Zimperium zLabs shows a significant rise in mobile phishing -- or 'mishing' -- a technique that employs various tactics specifically designed to exploit vulnerabilities in mobile devices.
Notably, the report reveals that 82 percent of phishing sites now target mobile devices, and 25 percent of protected devices worldwide encounter malware. In addition, 76 percent of phishing sites targeting enterprises use HTTPS. Employees are less likely to notice these phishing attempts because of mobile’s smaller screen sizes and less visible security indicators, such as hidden URL bars.
"It is undeniable that mobile devices and applications have become the most critical digital channels to protect in our organizations," says Shridhar Mittal, chief executive officer of Zimperium. "In today's digital age, where 71 percent of employees leverage smartphones for work tasks, enterprises must effectively protect their mobile endpoints by adopting a multi-layered security strategy including mobile threat defense and mobile app vetting. Our zLabs researchers meticulously analyzed the nature of mobile attacks, uncovering an attack surface within enterprises that requires a strategic and mobile-centered response."
Along with the rise in mishing, zLabs researchers have unveiled the dangers of sideloading apps -- the practice of installing mobile apps on a device that are not from the official app stores. Financial services organizations saw 68 percent of their mobile threats attributed to sideloaded apps. In fact, zLabs researchers find that mobile users who engage in sideloading are 200 percent more likely to have malware running on their devices than those who don’t.
The zLabs research team detected 1,421 CVEs in Android devices tested, representing a 58 percent increase from 2022, with 16 of these vulnerabilities exploited in the wild. iOS devices tested saw 269 CVEs, representing a 10 percent increase, 20 of them being exploited in the wild. Despite frequent updates -- 24 for Android and 35 for iOS in 2023 -- enterprises are finding it difficult to manage updates across all devices, highlighting the need for proactive mobile security strategies beyond platform updates.
"Mishing attacks and mobile malware are increasingly evading detection, often going unnoticed by businesses," says Chris Cinnamo, senior vice president of product management at Zimperium. "To effectively navigate this evolving mobile threat landscape, enterprise security teams must prioritize the attacks specifically targeting employee mobile devices. Without proactive measures, these attacks will continue to weave into enterprises, exploiting the sensitive data and disrupting organizational operations."
The full report is available from the Zimperium site.