This is the final post of our series on mobile social engineering. Over the past two months, we’ve covered five topics that we feel cover the most common methods of mobile attack and exploitation based on social engineering.
There have been a few recurring themes throughout the series:
- Almost all of the different techniques of attack are interconnected.
Some of the attacks like phishing and malvertising are based on similar ideas, others such as scareware and fake apps tend to appear together as part of an attack campaign.
- The consequences of social engineering attacks vary.
From theft and fraud to espionage.
- While the general concepts behind many of the attacks remain the same, the vectors of attack are constantly evolving and advancing.
If several years ago only a strong adversary such as a nation state could hope to perfectly clone a bank’s website, design a beautiful fake app or replicate a two-factor authentication procedure – nowadays we are witnessing commercial and private attackers adopting the same practices.
- Both iOS and Android are equally as vulnerable to social engineering.
The supposedly “impregnable” iOS App Store was fooled by a fake TOR app for over 4 months. iOS is quickly catching up to Android with regard to many kinds of attack – social engineering is part of this trend.
- There will always be a user – whether a beginner or a more advanced user – falling for a mobile scam.
The human element is unavoidable. In many cases, the scams are hidden and disguised and almost impossible to escape. In an enterprise environment, this leads to a compromised device accessing the corporate network or resources.
So,what should you do?
- Apply prevention best practices. These won’t eliminate all the issues as the human element will inevitably play a role. However, this will reduce the attack surface to efficiently focus on those attacks that eventually surpassed these measures.
- Apply detection measures to identify compromised devices in the enterprise network
- Mitigate the risk of the mobile attacks – from blocking sensitive communications to preventing the exfiltration of confidential information
- Apply remediation controls. These include effectively removing the malware and forensics.
Prevention best practices include:
- Instruct employees to pay attention when opening emails, clicking on links and downloading apps. Things to watch out for include spelling mistakes, design flaws and strange URLs should all cause users to question the legitimacy of a communication.
- Instruct employees to pay attention to overly detailed requests for user data. For example, legitimate companies typically don’t require the user to submit banking credentials.
- Enforce secure communication procedures. For example, always use a VPN or other secure channel when accessing the corporate network or enterprise resources and apps.
- Enforce employees to download only from official marketplaces, and stick to official apps. Once again, this won’t completely eliminate compromise as fake apps have appeared in official marketplaces. However, this will eliminate infection of those fake apps that appear in third party marketplaces. It’s important to stress, that even though this practice is undoubtedly worthwhile, it’s not bullet-proof. As recently as May 2014, attackers have succeeded in repackaging legitimate apps with malicious code and uploading them to the official Google Play Store.
Mitigation best practices include:
- Identifying malicious C&C servers. A device that is in constant or periodic communication with a remote server can signify a security breach.
- Identify jailbroken or rooted mobile devices connecting to the enterprise network. Jailbreaks and rooting are a prerequisite of many kinds of malware. By keeping tabs on the status of employees’ devices, it’s possible to nip an attack in the bud. Once a device has been identified as jailbroken – this should trigger more detailed analysis to detect suspicious behaviour.
- Identify apps with dangerous permissions as well as suspicious behaviour. Most apps shouldn’t have access to secure data and controls within a device. If a flashlight app is trying to access the contact list – something is wrong. An analysis of application behavior can be critical when attempting to accurately identify malicious behaviors. If the messaging app is active while the device is locked, something isn’t right.
- Prioritize the different risks and dangers to your enterprise and act accordingly. Identifying critical and highly sensitive devices and resources. This way you can mitigate potential threats in a way that reflects the threat posed to your organization.
- Identify unsecure communication channels. In a post-Heartbleed world, it’s clear that encryption protocols and procedures don’t always guarantee secure communications. Make sure your employees know when they’re on a vulnerable channel (i.e a rogue hotspot).
Identifying threats quickly and efficiently, as well as minimizing the damage an infected device can cause should be an enterprise priority. Attackers keep moving forward and enterprises need to move forward with them.