Zimperium warns of growing threat of sophisticated mobile phishing attacks targeting executives
A new report out today from mobile security platform provider Zimperium Inc. is warning of the growing sophistication of spear phishing campaigns targeting corporate executives, particularly through their mobile devices.
For the past few months, researchers at Zimperium's zLabs have observed spear-phishing attempts of notable social engineering sophistication, with threat actors impersonating trusted business platforms and internal communications and leveraging mobile devices to improve the effectiveness of the attacks. More recently, the researchers analyzed a targeted campaign that leveraged DocuSign Inc. in an impersonation scheme attempting to harvest corporate credentials from company executives.
The investigation into the DocuSign impersonation campaign revealed a multi-stage attack meticulously crafted to exploit trust and urgency. The campaign began with a well-designed email appearing to originate from DocuSign and containing a link that prompted the recipient to review an urgent document, a common tactic that exploits a sense of authority and immediacy.
Once a user clicked the link, they were redirected through several stages designed to evade detection. At first, the link led to a legitimate-looking domain to obscure its malicious origin. From there, it redirected to a compromised university website, leveraging that site's credibility to avoid raising suspicion.
The final destination of the attack path varied depending on the type of device being used. Mobile users were presented with a cloned Google LLC sign-in page designed to steal credentials, while desktop users were redirected to legitimate Google pages to avoid detection. The report notes that this device-specific targeting highlights a focus on mobile users, whose security defenses are often weaker than those on standard computers.
For the bonus round, the attackers employed CAPTCHA verification, adding a further layer of sophistication to the scheme and making the dubious landing page look more legitimate.
The attackers were also found to have set up domains and SSL certificates only days before the phishing emails were sent, suggesting a high degree of planning and making their phishing attempts harder to detect.
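The attack chain described above gives a defender three concrete signals to triage a suspicious link: the landing page differs between mobile and desktop user agents, the chain passes through hosts unrelated to the impersonated brand, and the landing host's certificate was issued only days before the email arrived. The following Python is an added example, not code from the Zimperium report or from SiliconANGLE; it scores pre-collected redirect-chain records against those signals and works entirely on constructed sample data, so it makes no network requests. The `Hop`, `ChainObservation` and `triage` names, the 14-day certificate-age threshold and the `.test` hostnames are all assumptions made for the example.

```python
"""Redirect-chain triage for phishing links (added example; constructed data only)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Hop:
    url: str
    cert_not_before: Optional[date] = None  # start of TLS cert validity, if recorded


@dataclass
class ChainObservation:
    email_date: date                 # when the phishing email was received
    brand_domains: Set[str]          # domains the message claims to come from
    chains: Dict[str, List[Hop]]     # user-agent class -> ordered redirect hops


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for the sample data; real code
    should use a public-suffix list so 'foo.co.uk' is not collapsed to 'co.uk'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def triage(obs: ChainObservation, max_cert_age_days: int = 14) -> Tuple[str, List[str]]:
    """Return (verdict, findings). Verdict is 'clean', 'review' or 'suspicious'."""
    findings: List[str] = []

    # Signal 1: the final landing domain depends on the device class.
    finals = {ua: registrable(host_of(hops[-1].url)) for ua, hops in obs.chains.items()}
    if len(set(finals.values())) > 1:
        findings.append(f"device-dependent landing page: {finals}")

    brand = {registrable(d) for d in obs.brand_domains}
    for ua, hops in obs.chains.items():
        # Signal 2: an intermediate hop on a host unrelated to the claimed brand
        # (the compromised third-party site in the report's chain).
        for hop in hops[1:-1]:
            if registrable(host_of(hop.url)) not in brand:
                findings.append(f"{ua}: off-brand intermediate host {host_of(hop.url)}")
                break
        # Signal 3: landing host's certificate issued only days before the email.
        last = hops[-1]
        if last.cert_not_before is not None:
            age = (obs.email_date - last.cert_not_before).days
            if 0 <= age <= max_cert_age_days:
                findings.append(
                    f"{ua}: landing cert issued {age} days before email ({host_of(last.url)})"
                )

    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "clean"
    return verdict, findings


# Constructed sample: mirrors the shape of the reported chain, with invented hosts.
SAMPLE = ChainObservation(
    email_date=date(2024, 11, 18),
    brand_domains={"docusign.com", "docusign.net"},
    chains={
        "mobile": [
            Hop("https://docs-review.example-tracker.test/r/abc"),
            Hop("https://www.example-university.test/~alumni/redirect.php"),
            Hop("https://accounts-google-login.example-phish.test/signin",
                cert_not_before=date(2024, 11, 15)),
        ],
        "desktop": [
            Hop("https://docs-review.example-tracker.test/r/abc"),
            Hop("https://www.example-university.test/~alumni/redirect.php"),
            Hop("https://accounts.google.com/", cert_not_before=date(2024, 9, 1)),
        ],
    },
)

# Constructed benign control: same brand throughout, same landing page per device.
BENIGN = ChainObservation(
    email_date=date(2024, 11, 18),
    brand_domains={"docusign.com", "docusign.net"},
    chains={
        ua: [
            Hop("https://docusign.net/Signing/EmailStart.aspx"),
            Hop("https://app.docusign.com/documents/details/x", cert_not_before=date(2024, 3, 1)),
        ]
        for ua in ("mobile", "desktop")
    },
)

if __name__ == "__main__":
    for name, obs in (("sample", SAMPLE), ("benign", BENIGN)):
        verdict, findings = triage(obs)
        print(name, verdict)
        for f in findings:
            print("  -", f)
```

In practice the chains would be captured by a sandbox or link-detonation service that follows the URL once with a mobile user agent and once with a desktop one; feeding both captures into `triage` surfaces the divergence that a single desktop-only detonation would miss.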
"Attackers are continuing to rapidly evolve their tactics and techniques to circumvent traditional phishing detection techniques, especially when it comes to mobile-specific phishing campaigns," the report notes.
The researchers advise that companies should focus on educating employees, especially executives, about spotting phishing attempts and suspicious links. Companies are also advised to prioritize mobile device security and keep security policies and detection tools updated to stay ahead of new threats.
Discussing the report, Mika Aalto, co-founder and chief executive officer at human risk management platform provider Hoxhunt Oy, told SiliconANGLE via email that "the most important thing that companies can do is to shift left and equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing attack."
"We can hope that technical filters and endpoint detection and response technologies quickly develop to be able to pick up these highly obfuscated, native code-based malware attacks and pinpoint irregular signals and traffic," Aalto added.