Experts warn that hackers are now focusing their new phishing attacks on mobile devices, which are generally weaker and more often unmanaged than laptops or desktops.
Zimperium’s new “2024 Global Mobile Threat Report” claims that 82% of phishing sites now target mobile devices. And as hackers adopt a mobile strategy on a larger scale, they’re using multiple techniques to compromise corporate systems.
Additionally, three-quarters (76%) of phishing sites targeting large enterprises use HTTPS, a secure communications protocol that increases the perceived legitimacy of malicious websites and makes victims less alert. Victims are also less likely to notice security indicators, such as the URL bar, due to the smaller screen real estate on mobile devices.
Move fast
Speaking of increasing legitimacy, in late March 2024, researchers at Netcraft discovered a unique phishing-as-a-service tool called Darcula.
The tool allows criminals to send messages over Rich Communication Services (RCS) in Google Messages and over iMessage, instead of the usual Short Message Service (SMS). This increases the sense of legitimacy and, because the messages are end-to-end encrypted, makes it impossible to intercept or block them based on their content alone.
Hackers interested in mobile phishing (or “mishing,” as Zimperium calls it) know that time is of the essence. Phishing sites become operational almost immediately after they are created: a quarter are up and running within 24 hours of creation, according to Zimperium.
Shridhar Mittal, Chief Executive Officer at Zimperium, warned that the only logical solution is to adopt a layered security strategy that includes mobile threat defense and mobile app monitoring.