How mobile management can thwart phishing attempts
- By Patrick Marshall
As any cybersecurity expert will testify, the weakest link in an organization’s security is humans. And one of the most common human cyber-failings is clicking on malicious links.
The proliferation of smartphones has greatly expanded the risks of phishing attacks designed to deliver malware, steal user credentials or access government systems containing sensitive information and data on millions of Americans. While most phishing attacks on desktop and laptop computers come via email, according to Bob Stevens, vice president for federal sales for Lookout, a mobile security company, “a mobile device attack vector can be in email, in an app itself, in a text message or through a browser.”
Lookout, funded in part by the Department of Homeland Security's Science & Technology (S&T) Directorate, recently added unique protection against phishing attacks to its Mobile Endpoint Security platform that will prevent humans from clicking on malicious links.
According to Stevens, the new feature relies on a blacklist of URLs that have been identified by Lookout and two third-party companies that track phishing attacks. The Mobile Endpoint Security platform scans all outbound URLs at the network level -- whether they are in emails, texts, social media posts, apps or websites -- and blocks users from clicking on any links already on the blacklist. The system then alerts the user as well as mobile systems managers in real time that the connection may be harmful.
Of course, relying on a blacklist to detect phishing means safety depends on rapid identification and listing of malicious URLs. Stevens said Lookout’s blacklists are updated at least daily. It’s worth bearing in mind, however, that the blacklist approach would not work against a determined phisher -- say, a nation state -- with resources to rapidly generate new URLs for each attack.
Relying on blacklists also leaves open the possibility of “false positives,” with links to legitimate sites being blocked. Stevens said he was not aware of any instances of false positives.
Still, the new feature is undoubtedly a big plus. “These advancements in mobile threat defense will protect sensitive data, such as personally identifiable information, on mobile devices and enterprise networks and greatly increase the security of the federal government’s mobile systems for mission-critical activities,” S&T Mobile Security Research and Development Program Manager Vincent Sritapan said when announcing the mobile phishing protection. “Without proper mobile security, agencies cannot adequately protect against data compromises.”
According to DHS, new features will block other malicious behaviors in third-party apps and detect side-loaded apps that transfer files between devices as well as advanced network threats such as man-in-the-middle attacks.