As businesses and users around the world become increasingly connected through mobile cloud-based platforms and services, cybercriminals are devising phishing strategies that specifically exploit these connections. One example was the recent attack on cloud communications company Twilio that led to a series of security breaches.
Attackers first gained access to Twilio’s network through employee credentials that had been stolen via SMS phishing. From there, the attackers accessed sensitive data from one of Twilio’s customers, a popular encrypted messaging app provider called Signal. The attackers were then able to identify several of Signal’s real-world users, subjecting them to individually targeted phishing attacks.
This demonstrates the ease with which attackers can quickly jump from one target to the next in a world connected via the cloud and mobile services.
In Asia, the Cyber Security Agency of Singapore (CSA) recently reported a 17 percent increase in unique Singapore-hosted phishing URLs from the 47,000 seen in 2020. While perhaps not yet as complex, the growing trend of mobile phishing has already been felt across the Asia Pacific with devastating effects. Hundreds of OCBC bank users were defrauded to the tune of $6.33 million via SMS scams that somehow appeared in the same SMS thread as legitimate messages from OCBC for transaction alerts and one-time passwords (OTPs).
Senior IT and security leaders across the Asia Pacific should therefore pay close attention to news of security breaches for lessons on how to protect their organizations. With threat actors targeting employees for upstream attacks, how can companies assess their security posture and keep networks safe from mobile phishing?
A robust cloud security strategy to counter new forms of phishing
Phishing has evolved significantly over the years, as the introduction and rapid adoption of mobile devices into the work environment have opened up new methods of phishing. Attackers take advantage of the fact that many individuals are less cautious around unsolicited messages via SMS or instant messaging apps than around their work emails. Also, the smaller screen size and simplified user interface of mobile phones make it easier to hide red flags that would be spotted on a desktop monitor.
For threat actors lacking experience, the malware-as-a-service market also offers phishing kits at relatively cheap prices. This gives attackers with little to no technical expertise the ability to launch complex phishing campaigns against specific organizations.
Since mobile phishing attacks can come through channels outside of a security team’s control, organizations of every type and size should implement a robust cloud security strategy that can automatically detect anomalous behavior and reduce detection time. It is critical that every organization has advanced security capabilities that can detect malicious activity beyond just the traditional network, especially as attackers move across different devices, networks, and apps to execute their attacks.
Train employees to be vigilant and spot red flags
As employees are frequently the first point of contact for mobile phishing attacks, there should be regular training and reminders on basic cyber hygiene. Attackers are getting better at building slick, realistic phishing campaigns that disguise red flags on mobile devices. However small they are, red flags can still be spotted by paying attention to important details.
For example, in an attack that triggers a targeted employee’s Multi-Factor Authentication (MFA) solution, the location on the notification might be incorrect. If an employee is located in Singapore and the notification was triggered from any other location, they should deny the access request and notify their security team immediately. Another sign would be abnormal communications. For example, one of the three Signal users specifically targeted in the Twilio breach reported receiving a text message verification code in the middle of the night.
Employees should be reminded to always take a few seconds to look over any messages for giveaways of malicious intent, such as a location discrepancy, intentionally misspelled words, or suspicious URLs. Those seconds of critical thinking could save an organization from a data breach. Employees who detect anything suspicious should immediately contact IT and security teams to verify the validity of the message. In the event of a genuine mobile phishing attempt, the rest of the company can be alerted to be mindful of similar attacks.
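The two red flags described above, an MFA prompt raised from an unexpected location and a verification code arriving at an unusual hour, can also be checked automatically on the security team's side. The sketch below is an added example, not code from the article or from any vendor: the event fields, user profiles and flag names are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed profiles: home country, UTC offset and usual active hours (local).
PROFILES = {
    "alice": {"country": "SG", "utc_offset": 8, "hours": range(7, 22)},
    "bob": {"country": "SG", "utc_offset": 8, "hours": range(7, 22)},
}

# Constructed authentication events. SMS codes carry no origin country.
EVENTS = [
    {"id": "e1", "user": "alice", "kind": "push", "country": "SG",
     "time": "2024-01-15T02:15:00+00:00"},
    {"id": "e2", "user": "alice", "kind": "push", "country": "US",
     "time": "2024-01-15T03:00:00+00:00"},
    {"id": "e3", "user": "bob", "kind": "sms_code", "country": None,
     "time": "2024-01-15T19:40:00+00:00"},
    {"id": "e4", "user": "alice", "kind": "push", "country": "NL",
     "time": "2024-01-15T20:05:00+00:00"},
    {"id": "e5", "user": "carol", "kind": "push", "country": "SG",
     "time": "2024-01-15T04:00:00+00:00"},
]


def red_flags(event, profiles=PROFILES):
    """Return the red flags raised by one MFA or verification-code event."""
    profile = profiles.get(event["user"])
    if profile is None:
        return ["no_profile"]  # cannot baseline this user: review manually
    flags = []
    # Location discrepancy: prompt raised from outside the user's home country.
    if event["country"] is not None and event["country"] != profile["country"]:
        flags.append("location_mismatch")
    # Abnormal timing: convert the event time to the user's local time first.
    local_tz = timezone(timedelta(hours=profile["utc_offset"]))
    local_time = datetime.fromisoformat(event["time"]).astimezone(local_tz)
    if local_time.hour not in profile["hours"]:
        flags.append("off_hours")
    return flags


def triage(events, profiles=PROFILES):
    """Map event id -> flags, keeping only events that raised at least one."""
    flagged = {e["id"]: red_flags(e, profiles) for e in events}
    return {event_id: flags for event_id, flags in flagged.items() if flags}


if __name__ == "__main__":
    for event_id, flags in triage(EVENTS).items():
        print(event_id, ", ".join(flags))
```
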
The Twilio-Signal breach is one of many sobering reminders of just how vulnerable organizations can be in a world connected via the cloud. As businesses continue to adopt and offer cloud-based services to add value to their customer experience, and remote working remains part of the new norm across the Asia Pacific, leaders must take the necessary steps to protect their organizations and employees from increasingly complex and targeted mobile phishing attacks.
Don Tan is Senior Director APAC at Lookout.