New iPhone, Android Warning—Millions Of Phones Now Under Attack


Your phone is at risk as cybercriminals shift to a “mobile-first attack strategy,” having discovered that you are far more likely to fall victim on your phone than on a larger device. Given the amount of time we spend on our phones, an “insidious new attack vector — the pairing of social engineering with mobile devices,” is making the threat worse.

Today’s report from the research team at Zimperium warns that attacks on tens of millions of phones are now moving “beyond just traditional banking and payment fraud” to “more treacherous” mishing (mobile phishing) lures, including “the downloading of malware capable of hijacking OTP (one-time-passwords) and verification codes, mimicking screen interfaces and the ability to steal enterprise application credentials.”

Behind this threat is a change of tactics, as new methods are developed, tested and then rolled out. One is link cloaking: a malicious link in an email resolves to a legitimate website when opened on a PC but to a phishing site when opened on a mobile browser. The redirect is keyed on what the lure server can see about the client (typically the browser’s user-agent string), so a desktop-based security scanner, or a user who checks the link at their desk, sees only the harmless destination, while the phone user, who has far less screen on which to inspect the address, lands on the lure. Another is quishing, where a QR code replaces the link: the destination is invisible until the code is scanned, the scan happens on the phone rather than on a filtered mail client, and users tend to trust QR codes. All of which demands new levels of wariness among iPhone and Android users.

Zimperium says such threats are amplified by the widespread use of employees’ own devices for work, logging into corporate networks and accessing corporate systems. “This convergence has created an environment where a successful mishing attack can compromise both personal and enterprise security, potentially providing attackers with direct access to critical corporate infrastructure and data.”

Nico Chiaraviglio, Zimperium’s Chief Scientist, warns that “mishing is not just an evolution of traditional mobile phishing tactics — it is an entirely new category of attack engineered to exploit the specific capabilities and vulnerabilities of mobile devices, such as cameras. Our research shows that attackers are increasingly leveraging multiple mobile-specific channels—including SMS, email, QR codes, and voice phishing (vishing) — to exploit user behaviors and expand their attack surface.”

Whereas email has long been the primary phishing channel, new attacks are more likely to reach you by SMS or messaging app, a shift that follows growing user wariness about opening attachments or clicking links in email. Advances in AI make the lures more convincing and even harder to spot on a small screen before tapping.

SMS carries not only text-based phishing risk; the codes it delivers are also exposed to on-device malware that reads and forwards 2FA codes in real time. The U.S. government has warned users to stop using SMS codes for 2FA, and in recent days SMS codes have been intercepted to hijack Gmail and Outlook accounts. Zimperium highlights “SMS Stealer” malware that is now “compromising accounts on more than 600 global services.”

The FBI, meanwhile, has warned users to delete all smishing texts, given the alarming ramp-up in SMS attacks mimicking brands and local government agencies. As seen in recent FBI and police warnings about toll and disaster relief fraud, a spoofed sender ID, a brief message and a shortened link that hides an unfamiliar URL make it all too easy to lure a user into tapping.

Zimperium also notes the geographical targeting of mobile attacks, again as seen with fake toll messages focusing on specific cities and states. “Modern mishing campaigns frequently employ geolocation-based redirection at country or even at the city level, allowing for highly targeted attacks. This enables precise targeting of specific regions or organizations, complicates detection by security researchers, increases campaign effectiveness through localization, [and] reduces detection rates.”
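The cloaking behaviour described in the last few paragraphs, a link that sends desktop browsers to a harmless page, mobile browsers to a lure, and a localized lure to a particular region, can be checked for by fetching the link under several client profiles and comparing where each is sent. The script below is an added example, not code from the article or from Zimperium: it runs a constructed local HTTP server that behaves like such a redirector (Accept-Language stands in for IP geolocation so it runs offline), then probes it with desktop, iPhone and US-locale Android profiles without following redirects and flags the link when the first-hop destinations disagree. The hostnames, path and campaign are hypothetical; the user-agent strings are real browser strings.

```python
"""Probe a link for client-based redirect cloaking (added example, not the article's code)."""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Hypothetical destinations used by the constructed lure server.
BENIGN = "https://www.example.com/account"
LURE = "https://secure-login.example.net/verify"
LURE_US = "https://tollpay.example.net/us/pay"


class CloakingRedirector(http.server.BaseHTTPRequestHandler):
    """Constructed redirector: destination depends on User-Agent and Accept-Language."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        lang = self.headers.get("Accept-Language", "").lower()
        if any(token in ua for token in ("mobile", "iphone", "android")):
            # A real campaign would geolocate the client IP; Accept-Language
            # stands in for that here so the example runs offline.
            target = LURE_US if lang.startswith("en-us") else LURE
        else:
            target = BENIGN
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_lure_server():
    """Start the constructed redirector on a free loopback port; returns (server, lure URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingRedirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/r/3f9a"


# Client profiles the checker impersonates (real UA strings, hypothetical campaign).
PROFILES = {
    "desktop-chrome": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
        "Accept-Language": "en-GB,en;q=0.9",
    },
    "iphone-safari": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
                      "Mobile/15E148 Safari/604.1",
        "Accept-Language": "en-GB,en;q=0.9",
    },
    "android-chrome-us": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/122.0.0.0 Mobile Safari/537.36",
        "Accept-Language": "en-US,en;q=0.9",
    },
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def first_hop(url, headers, timeout=5):
    """Return the first redirect target of `url` under `headers`, or `url` if it serves content directly."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.geturl()
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def probe(url):
    """Fetch `url` once per profile; returns {profile: first-hop destination}."""
    return {name: first_hop(url, hdrs) for name, hdrs in PROFILES.items()}


def is_cloaked(results):
    """True when different client profiles are sent to different hosts."""
    hosts = {urlparse(dest).netloc for dest in results.values() if dest}
    return len(hosts) > 1


if __name__ == "__main__":
    server, lure_url = start_lure_server()
    try:
        outcome = probe(lure_url)
        for profile, dest in outcome.items():
            print(f"{profile:18} -> {dest}")
        print("cloaking detected:", is_cloaked(outcome))
    finally:
        server.shutdown()
```

Against a real suspect link, point `probe` at the URL instead of the local server. Two limits to keep in mind: the check inspects only the first hop, so a chain of redirects or a JavaScript-based redirect on the landing page needs the page body fetched and followed as well, and a campaign that keys on the client IP rather than on headers will only reveal its regional variant when probed from an address in that region.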

All of this calls for new user training and awareness, and for strict rules on link and attachment handling. But when it comes to account credentials, there are now multiple reasons to shift from SMS to authenticator apps or passkeys. The two are not equivalent: an authenticator app closes the SMS interception route, but its codes can still be phished and relayed in real time by a lookalike login page, whereas a passkey is bound to the genuine site’s origin and cannot be used from a lookalike. As Microsoft has warned, we only get safer if legacy login methods are removed: it is not enough to provide new ways to secure accounts, the old ways must be shut down.

Mobile devices have become the “primary targets,” Zimperium warns. “The technical sophistication demonstrated by observed campaigns suggests this trend will continue to accelerate, demanding continued innovation in mobile-specific security controls.”


