Threat Actors Pivot to Credential Theft in Government Mobile Phishing Attacks - Duo Security


Threat groups are increasingly on the hunt for credentials in their phishing attacks targeting the mobile devices of government employees, with almost half of mobile phishing attacks in 2021 aimed at stealing government credentials in a rise from the previous year.

That’s according to a new report by Lookout, which reviewed data from 2021 and the first half of 2022 specific to its federal, state, and local government user base. The government-specific data is collected from telemetry data of more than 200 million devices and more than 175 million apps. The report found that mobile phishing attacks targeting federal, state and local government staffers’ credentials increased from 31 percent in 2020 to 46 percent in 2021, while those delivering malware decreased slightly from 79 percent in 2020 to 70 percent in 2021.

“Malware delivery continues to represent about 75 percent of all mobile phishing attacks across all industries,” according to Lookout researchers in the Wednesday report. “However, when targeting federal, state, and local government entities, threat actors are increasingly using phishing attacks for harvesting credentials rather than delivering malware.”

Overall, researchers saw a steady increase in mobile phishing attempts for state and local governments across both managed and unmanaged devices, with attempts increasing by 48 percent for managed devices and 25 percent for unmanaged devices from 2020 to 2021. Lookout researchers noted that this climb has continued through the first half of 2022.

Phishing attacks targeting the government sector can have a range of malicious purposes. In March, the FBI warned that U.S. election and other state and local government officials in at least 9 states received invoice-themed phishing emails, which in some cases were sent from compromised legitimate email addresses. The emails, observed in October 2021, shared similar attachment files and were sent close in time, which the FBI said suggested a “concerted effort” to target election officials. The phishing emails led recipients to a website designed to steal their login credentials.

"There’s a lucrative underground market in the dark web for stolen credentials/stolen data," said Steve Banda, senior manager for security solutions with Lookout. "We don't expect this to slow down any time soon. Cybercriminals are financially motivated to steal and sell credentials in these forums. This data is ultimately used by attackers to gain deeper access into government systems. Once authenticated, they can move laterally within an environment often without being detected, exfiltrating sensitive information that can be used in nefarious ways."

Unmanaged Devices and Hybrid Workforces

Overall, researchers also found that employees across federal, state, and local governments increased their reliance on unmanaged mobile devices by 55 percent between 2020 and 2021. This rise in use of unmanaged devices is due to the continued popularity of remote and hybrid work environments on the heels of the pandemic, with many employees depending on personal mobile devices like smartphones, tablets and Chromebooks to some capacity for work. The mixing of personal and work mobile devices creates a particular challenge for organizations trying to prevent phishing attacks, as it expands companies’ threat surface and adds unmanaged devices into the mix. For instance, an attacker that has compromised an employee on a personal device could gain access if the employee checks corporate email on that device.

“One of the biggest technological challenges facing all government entities has been the rapid shift to telework in recent years,” said Lookout researchers. “Security teams are acutely aware of the emerging risks that come from using cloud apps and having a workforce that connects using endpoints they have no visibility into.”

At the same time, Lookout’s report found several other security issues across government mobile devices. Almost 50 percent of state and local government employees are running outdated Android operating systems, for instance, meaning that they are vulnerable to various flaws.

These mobile security challenges are partly what the Biden administration’s 2021 cybersecurity executive order has sought to overcome, with mandates that require agencies to increase visibility into endpoints, implement security measures for cloud services and comply with event logging requirements. Federal agencies have until 2024 to implement the various security measures - like multi-factor authentication (MFA) and encryption of network traffic - under the zero-trust architecture strategy.
