TWOFIVE ABUSE SEMINAR MOBILE TRENDS & THREATS UPDATE - ADAM MCNEIL, SENIOR THREAT RESEARCH ENGINEER
TwoFive Abuse Seminar
Mobile Trends & Threats Update
Adam McNeil, Senior Threat Research Engineer
Proofpoint, Cloudmark Division
3rd March, 2022
© 2022 Proofpoint. All rights reserved
1. Trends Update
Abuse: Smishing and Malware increasing globally and throughout the region
Global Abuse and Smishing Generally Increasing
[Charts: Aggregate Global Abuse Reports, since January 2019; Aggregate Global Smishing Reports, since January 2019. Y-axis: Total Reports / Complaints. X-axis: months, Jan-19 to Feb-22.]
Ø Abuse, spam, smishing, and mobile malware continue to rise
Ø Month-to-month variations remain common, but trend line is upward with increasing “trickery” and focus on lures that succeed
Ø Focus today is on threats to Japan and region, primarily Smishing and Malware
Proofpoint Witnessing Rapid Expansion in Smishing
270% increase in Global smishing reports 1H 2021 versus 2H 2020
Smish attacks are on the rise†
Ø 61% of Global enterprises,
Ø 81% of US enterprises,
Ø 64% of Australian enterprises, and
Ø 56% of Japanese enterprises report employees have faced smishing attacks
Smish unawareness remains too high globally†
Ø 69% of people globally are unaware;
Ø 65% of people in US,
Ø 75% of people in Australia, and
Ø 81% of people in Japan are unaware of smishing
• According to the Council of Anti-Phishing Japan: “Be aware, SMS [smishing/abuse] tends to be misidentified as genuine”
• Within US, 73% of the businesses report being compromised at some level due to smishing
† Proofpoint. “2021 State of the Phish”, 2021. https://www.proofpoint.com/us/resources/threat-reports/state-of-phish/
Smishing Represents a Tangible Risk
Smishing Impacts Players Throughout the Mobile Value Chain
Consumer Impact
Ø Loss of personal information
Ø Financial loss
• Japan: 1.13 billion Yen lost due to online banking fraud according to Statista
• Australia: A$3.1 million in losses directly related to SMS message scams (Australian Competition & Consumer Commission)
• US: Greater than $86 million loss from smishing alone, circa 2020 (US Federal Trade Commission)
Mobile Network Operator Impact
Ø Brand erosion and decreased consumer trust due to consumer vulnerability
Ø Large volume smishing and malware attacks cause direct impact on MNO operations/expense
Ø Increased customer support calls and complaints plus follow up with device sanitization causes financial loss
Enterprise/Corporate Impact
Ø Brand erosion due to impersonation attacks and consumer misidentification of bona fide corporate communications
Ø In January 2022, 86 different brands were abused in Japan††, steadily increasing
Ø Top-10 brands abused in Japan represent 82% of attacks; Top-3: Amazon, Apple, and DoCoMo are prominent††
†† Council of Anti-Phishing Japan https://www.antiphishing.jp/report/monthly/202109.html
Regional Smishing Trends: US and UK
[Charts: US Smishing Reports, since January 2019; UK Smishing and FluBot Reports, since January 2020. X-axis: months.]
Ø Mid- to late-year slowdowns are common, there is variance, but trend is upward
Ø US: steady growth in smishing since beginning 2019
Ø UK: reports of smishing nearly nonexistent in UK in early 2019, aggressive growth past couple of years, including FluBot attack starting April 2021
Regional Smishing Trends: New Zealand
[Charts: NZ Smishing Reports, since January 2020; NZ Smishing + FluBot Reports, since July 2020. X-axis: months. Chart note: Smishing in Dec. 2021 scaled down by 2x to fit in graph.]
Ø New Zealand smishing increased in late 2020
Ø FluBot and other attacks have driven up complaints since late 2021
Regional Smishing Trends: Japan
[Chart: Japan Phishing & Smishing Reports, January 2020 – January 2022. X-axis: months.]
Ø Data from Council of Anti-Phishing Japan
Ø Midyear slowdown as seen elsewhere, growth restarted in August and generally has continued
Rise in Package Delivery Lures
Watch Out for Bogus Delivery Notifications / Alerts
• Last few quarters have seen increasing lure activity related to delivery services and package delivery notifications
• Increase is consistent globally
– Seen within New Zealand and Japan
– Lures for downloading malware have leveraged parcel and package delivery
• Marked change in lures from 2020 and early 2021

UK Reported Smishing - 4Q2021
Parcel / Package Notification: 70.5%
Merchant & Consumer Brands: 1.9%
Financial / Banks: 1.6%
Picture and Image Related: 0.5%
Telecoms & Media: 0.4%
Miscellaneous and Other: 25.1%

Global Smishing - 4Q2021
Merchant & Consumer Brands: 28.9%
Parcel / Package Notification: 26.0%
Telecoms & Media: 16.9%
Financial / Banks: 5.1%
Picture and Image Related: 1.3%
Miscellaneous and Other: 21.9%

NZ Reported Smish+FluBot - 4Q2021
Parcel / Package Notification: 80.6%
Picture and Image Related: 7.9%
Merchant & Consumer Brands: 7.7%
Financial / Banks: 0.9%
Telecoms & Media: 0.4%
Miscellaneous and Other: 2.5%
2. Smishing & Threat Examples
Regional: Smishing Examples
Malware: Overview and Insights
MoqHao and the Roaming Mantis group
Package Delivery Smish Leading to Credential Theft
• Common smish lures utilize Amazon and package deliveries
• The smish lure has an exception with a URL for resolution
• This bogus notification shows up in series with previous legitimate Amazon notifications
• The URL landing page is an imposter Amazon page
• Page requests phone or email and Amazon account password
• Upon entering data on previous page, Amazon payment method needs to be updated
• This update requires a credit card
• The final webpage of this attack is an authentic-looking Visa page seeking credentials related to the payment
Japan Smishing Examples - Sagawa
• In this smishing attack, a parcel delivery alert is sent because the “recipient” was not home
• Recipient becomes a victim if tricked into scheduling another delivery and providing personal information
Some source images from https://twitter.com/NaomiSuzuki_/media
Regional Malware Trends: Japan
[Chart: URLs used in attacks targeting mobile devices, 2021]
Ø Data from JPCert
Ø URLs targeting mobile devices increasing
Ø Midyear slowdown as seen elsewhere; growth restarted in 4Q2021 & 2022
• Trend is consistent globally
– URLs for downloading malware have leveraged parcel and reservation apps, Covid-19, and financial messages.
Package Delivery Smish Leading to Malware
• Common malware lures utilize delivery notices, reservation apps for Covid-19 vaccination
• SMS messages direct users to visit websites hiding behind URL shortener services or Dynamic DNS providers
• Malicious websites may be crafted to appear as legitimate websites from known companies
• Fake notice for Docomo Anshin Security
• The page informs the user how to install the malicious application to their device
• The final page delivers the malware file.
• Installation is not complete until user completes the installation process
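The traits listed on this slide (delivery or reservation lure, link behind a URL shortener or Dynamic DNS host, page that serves an APK) can be checked mechanically when triaging reported messages. The following is an added example, not part of the original presentation; the provider lists, lure keywords, function name and sample messages are illustrative assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Small illustrative lists (assumption); production filters use maintained feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "t.co"}
DDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org")
# Lure keywords, including Japanese "absent" and "parcel" (assumption).
LURE_WORDS = ("parcel", "package", "delivery", "vaccin", "不在", "荷物")

# Matches URLs with or without a scheme, since SMS links often omit it.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def triage_sms(text):
    """Return the sorted list of reasons an SMS matches the traits above."""
    reasons = set()
    lowered = text.lower()
    if any(word in lowered for word in LURE_WORDS):
        reasons.add("delivery-or-reservation-lure")
    for raw in URL_RE.findall(text):
        url = raw if "://" in raw else "http://" + raw
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower().rstrip(".")
        if host in SHORTENERS:
            reasons.add("url-shortener")
        if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
            reasons.add("dynamic-dns-host")
        if parsed.path.lower().endswith(".apk"):
            reasons.add("direct-apk-download")
    return sorted(reasons)


# Constructed sample messages; hosts and short codes are placeholders.
SAMPLES = [
    "Your parcel could not be delivered. Reschedule: "
    "http://parcel-notice.duckdns.org/app.apk",
    "Vaccination reservation app update: bit.ly/EXAMPLE",
    "Lunch at 12? See menu at https://www.example.com/menu",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(triage_sms(message), "<-", message)
```

A message that matches several reasons at once is a stronger candidate for blocking or analyst review than one that only contains a shortened link.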
FluBot Aggressive Mobile-based Malware Attack
Sophisticated worm-like malware attack. In the wild in Europe since November, 2020
• Lures have varied
– Initially used package delivery lures, including DHL, FedEx, Correos, Royal Mail, others…
– Subsequent lures have included
• Google, and other, fake voice-mail notifications
• generic “message” alerts and notifications
• In low quantities using BBC, awards, boarding passes, and miscellaneous retailers
– In the UK and Europe, the current most prominent lures are the voicemail notification and shipping lures
• Authentic-looking message or notification has link to compromised website prompting download of legitimate-looking Android Application Package (APK)
Mobile Network Operator (MNO) Impact
Ø Brand erosion and decreased consumer trust due to consumer vulnerability
Ø Increased customer complaints and tech support follow up assisting subscribers to sanitize devices
Subscriber and Enterprise Employee Impact
Ø Loss of Personal information and data
Ø Smishing of banking credentials
Ø FluBot places “overlay” screens that impersonate legitimate apps to steal login credentials directly from the subscriber
Ø 15k to 20k infected devices in UK
Ø 3k to 4k infected devices in NZ alone
Recent SMS Malware
• Attackers are increasingly using malware to steal credentials and other personal information
• Globally multiple mobile malware variants have been seen in 2021
• Software and implementations vary but there is similarity between the attacks
Roaming Mantis
Threat group utilizing SMS attack vector to target Android and iOS since 2017
Highly Attacked Regions
• Japan,
• South Korea,
• China,
• Bangladesh,
• France
• Russia,
• India,
• Iran,
• Vietnam,
• Germany
Features of Attack Chain
• Multilingual
• DNS Hijacking
• App (Android & iOS) local phishing
• Banking Trojan
• Crypto mining
• Message stealer
• Backdoor
Leveraging multiple malware
• MoqHao (XLoader),
• FakeSpy
• FakeCop (SpyAgent)
• Wroba (Funkybot)
• SmsSpy
Ø Chinese-speaking attack group that leverages various malware packages and Remote Access Trojans (RATs)
Ø Primary objective appears to be the theft and harvesting of personal information and credentials from devices
Roaming Mantis - SmsSpy
[Figure: Landing page from McAfee SmsSpy example]
Ø SmsSpy is malware frequently used by the Roaming Mantis attack group
Ø If the victim installs and authorizes the malware, SmsSpy becomes the messaging app and takes full control of the device
Collaboration with Organizations Around the Globe
Reducing Abuse – Doing What You’re Doing and…
What else is needed?
1. More/continued collaboration across the ecosystem: MNOs, government entities, pertinent industry groups, and major consumer brands
2. Need to discourage attackers by making it less easy and less lucrative to perform smishing
– Making it less easy…making it more difficult to attack – encouraging more deployment of anti-abuse infrastructure improvements in the MNO
– Making it less lucrative requires continued and increased collaboration (better tracking, increased likelihood of arrests)
3. Provide better User experience and protections
– Enabling and improving subscriber, end-user, reporting mechanisms and tools
– Need major brands to issue alerts when their brand is smished/phished