Cyber Criminals Love You For Using Phones!

antstang/Shutterstock.com

Safeguarding your data by protecting your computers? Great. SMARTPHONES are by far your biggest weakness in cybersecurity today…. And that’s really no surprise to us Cyber Security experts!

Your Smartphone Is Their #1 Target

Some cyberattacks are targeted at a specific individual or company. The victim is selected because they are a high-value target to the threat actors. High value most often means rich financial gains for the threat actors. But sometimes their goal is to exfiltrate sensitive or private documents, intellectual property, or industrial secrets. Occasionally, the entire motive is to cause trouble for the victim. Hacktivists, for example, will try to destroy the victim’s IT systems and information. They want to cause operational and reputational damage to the victim. High value doesn’t always mean money.

Often the attackers are sophisticated organized crime cyber groups or state-sponsored advanced persistent threats groups (APTs). Many of the attacks they launch are against knowledgeable, well-defended targets, and are very difficult to accomplish. They require significant financial backing, top-tier technical skills, a lot of manpower, and operational guidance and control.

The recent attack on FireEye is a case in point. The attack was so sophisticated that investigators believe the perpetrators are a state-sponsored APT. The value, in this case, was stealing the software tools that FireEye uses to probe its customers’ cyber defenses.

By contrast, other cyber attacks try to snare as many victims as possible. No individual target is singled out. The threat actors are playing a numbers game today where we are clearly a “Smartphone Society”.

The numbers are staggering just since 2021…..

  • There are currently 300 million cell phones being used just in the U.S.A.
  • There is an estimated 15 Billion Phones in the world.

Apps and Data Leaks

Phones can run apps. It’s one of their biggest attractions. They’re easy to install and the majority are free. Unfortunately, they can be a cause of data leakage. The developers of the apps need to make money. If they are not charging for the app you have to ask yourself how are they funding development.

The answer is by selling information about you, such as your phone and app usage statistics, your contacts, communications, browsing habits, geographical location, your installed apps, and more. And these are the”legitimate” apps such as the McDonalds app which records, tracks, and documents ALL of the above information and is a BLESSING for any law enforcement / Cyber Security Forensic Investigators such as us).

The worst examples of these apps also capture login credentials and passwords for websites you visit, VPNs that you use, and any of your data & metadata (basically anything on your phone).

Riskware is the name used for free apps that offer to do something entertaining or useful—and actually deliver on that promise—but secretly siphon off information and send it back to the app publishers to be sold to advertisers or criminals. Riskware is different from a phone becoming infected with covert malware. With riskware, the owner of the smartphone chooses to install the app and is aware that it is going to be added to their device.

With the steady blurring that is happening between people’s personal digital lives and their corporate digital lives, most users will be able to get their personal and their business email on the same phone, and it is common for people to juggle multiple inboxes on the same device, often in a blended view. Riskware, or other more malicious apps, will happily harvest data whether it is personal or corporate.

Staff who haven’t been issued with a corporate phone will have a private phone, and they’ll bring it to their place of work and want to connect to the Wi-Fi. Personal phones should be relegated to the guest Wi-Fi or to another Wi-Fi segment set up for employees’ personal devices. They must not be allowed to connect to the main network.

MDM systems can block known bad apps and query unknown apps. Once vetted, the apps are either permitted or blocked. The hard part is to do this in a way that doesn’t overwhelm technical staff and that doesn’t grate on your users. A centralized management system and clear guidance provided when the phone is allocated will help on both fronts.

Choose Your Phone Brand Carefully

The well-documented ban prohibiting US federal contracts from being awarded to Huawei and several other Chinese companies is based on suspicions that the Chinese government could—using provisions in China’s 2017 National Intelligence Law—coerce manufacturers to plant back-doors and other spycraft mechanisms into their products.

Summary: In just under a year the two companies involved made over USD $5 Million dollars just by sending advertisements to the phones. Being the victim of adware is bad enough, but the same techniques could be used to deploy more insidious strains of malware such as keystroke loggers and other spyware. This amount DOES NOT COUNT any $$$ earned indirectly via the PII (Personal Identifying Information such as SSN/DOB/IRS information) easily seen, screenshots and then shared on the Deep or Dark Web. How about them accessing the phone owner/user’s bank account, their emails, credit cards saved, etc.? Yes, this is why it is uncountable in terms of total damage.

Smishing Attacks

Smishing attacks are phishing attacks delivered by SMS message instead of email. This delivery method has several advantages for the threat actors:
  • They don’t need to dress the message in the colors, fonts, and other trappings of corporate livery to make it look convincing.
  • People expect SMS messages to be short and sweet. They don’t expect to be told the entire story in the SMS. It is commonplace to click a link in an SMS to learn more and to get the finer detail.
  • People will more readily overlook poor grammar and misspellings in an SMS message. We’re all used to predictive text mishaps and while this shouldn’t happen in a corporate SMS message, that conditioning makes us more forgiving with that type of error than we would be in a corporate email.
  • In the space-restricted world of SMS messages, shortened URLs are the norm. And shortened URLs can be used to hide the real destination of the link.
  • It is easy to fake—or spoof—the number that sent an SMS message. If you receive an SMS from a telephone number that matches a contact in your address book, your phone will believe that is who sent it. The SMS messages will be identified as having come from that contact and they will be placed in the conversation list for that contact, alongside all of the genuine messages from that contact. All of that adds to the illusion that the message is genuine.

End-point protection suites usually have clients for cellphones, and these will go some way toward preventing malware installations. The most effective defense. of course. is to read articles like these to BE EDUCATED AND EMPOWERED to be aware of smishing, to recognize fraudulent messages, and to delete them immediately.

Loss of Devices

Losing a phone puts a tremendous amount of information about the owner of the phone at risk. If the phone has a poor password or PIN it won’t take long for the threat actors to discover it. PINs based on significant dates are a poor choice. Clues to the dates can be often be found in your social media posts.

Using a strong password or PIN and turning on encryption are good measures to protect the data—both personal and corporate—inside your phone. Installing or configuring tracking options is a good idea so that you can see the location of the device. This can aid recovery.

If you have added a Google account to your phone, Google’s Find My Device should be turned on automatically. Apple has a similar service called Find my iPhone. A third-party centralized system might better suit some corporate needs.

SIM Swapping

You don’t need to lose your device to lose control over it. When you buy a new phone you can transfer the existing number to the new device and activate that as your current ‘live’ handset.

If scammers can gather some information about you they can ring your phone provider and have your number transferred to a handset that is under their control, in a sting called SIM Swapping. To make the transition to your new phone as smooth as possible, both Apple and Google will download copies of all your apps, settings, and data to the new handset. Unfortunately, it is under the control of the threat actors.

A variant on this is to use social engineering techniques to obtain a (say) 5G SIM card for the victim’s phone number, either online or at an outlet. The threat actor then calls the victim and pretends to be from the victim’s phone provider informing them of a free upgrade to 5G. They tell them that an upgrade code will shortly follow. They then text the victim the activation code that came with the fraudulently acquired 5G SIM card. When the victim activates the service it doesn’t upgrade their old 4G SIM. Instead, it ceases the service to it and activates the new 5G SIM. The threat actors have effectively cloned your phone.

These are targeted attacks. The victims have something on their phones that makes the effort worthwhile. The most famous cases of these have targeted cryptocurrency traders or individuals with high-value cryptocurrency accounts. Swapping the SMs allow their digital wallets to be accessed. Individual losses have amounted to tens of millions of dollars.

Public Wi-Fi and Network Spoofing

Phones and other mobile devices are great because of their portable nature, and because they let us get online wherever there is a Wi-Fi connection that we can join. But you need to be careful when you are on public Wi-Fi. Everyone who is using that Wi-Fi is on the same network, and the threat actors can use a laptop and some network packet capture and analysis software to snoop on what your cellphone is sending and receiving. So what you might have thought was private is not private at all.

You shouldn’t use public Wi-Fi if you are going to need to enter a password to log in to one of your sites or to check your email. Don’t do anything sensitive like online banking or using PayPal or any other payment platform. Don’t do anything that will reveal any of your personally identifiable information. Checking the sports scores or catching up on the news is fine. If you’re doing anything else, you should always use a Virtual Private Network (VPN). A VPN sends your data down a private encrypted tunnel making it impossible for threat actors to see.

For a couple of hundred dollars, threat actors can buy portable devices that act as Wi-Fi access points (WAPs). They’ll set up camp in a coffee shop or other public space, and configure their dummy WAP to have a name similar to the genuine free Wi-Fi connection.

Unsuspecting victims—usually those in a rush—will connect to the threat actor’s bogus Wi-Fi instead of the genuine free Wi-Fi. The threat actor’s Wi-Fi is connected to the genuine Wi-Fi so the victim does get online, but everything that the victim types is captured by the threat actor’s device. A VPN will keep you safe in this circumstance too.

A reputable VPN is a must if you are going to be using public Wi-Fi for anything other than the most mundane web browsing. Of course, if you have a really high data quota in your phone package you might not need to join a public Wi-Fi at all.

And while we’re talking about public spaces, avoid publicly shared phone charge points. If they have been compromised they can inject malicious code into your phone.

It’s a Computer, So Patch It

The modern phone is a computer in your pocket that you happen to be able to make calls on. It has an operating system, it runs apps, and you should have some sort of end-point protection suite running on it. All of these should be the current versions and kept patched up to date.

This can be more of a challenge with Android phone than with other devices. Different handset manufacturers blend their own integrations into vanilla Android before distributing it. Samsung, HTC, Sony, and others all provide their own modifications to Android. This slows down the release of Android patches because the patch has to be released to the manufacturers from Google, and then embellished by the third-party manufacturers before it is released to the end users.

Don’t Forget the Users

Adopt good business practices such as app vetting, deploying encryption, and Mobile Device Management. Tell your employees to:

  • Use strong PINs, passwords, or fingerprint recognition.
  • Always use a VPN on public Wi-Fi.
  • Turn off Bluetooth and Wi-Fi when you’re not using them.
  • Be careful what apps you download. Research them first.
  • Turn on backups.
  • Avoid public phone charge points. Carry a booster battery instead.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.