Joining the dots: phishing and ransomware

Phishing and ransomware are inextricably linked. Phishing is the number one delivery mechanism for getting malicious exploits, including ransomware, into mobile devices. According to MobileIron’s latest research, 60% of IT decision makers agree that phishing is the most significant threat faced by their organisation.

Advanced persistent threat actors are now chaining sophisticated exploits to not only grab user credentials, but also redirect victims to phishing websites where they could unknowingly download malware onto their mobile devices. Almost weekly there is a private company, government department, school or hospital in the news whose data is being held hostage by ransomware.

What is phishing?

Phishing attacks are social engineering attacks that aim to steal your confidential data, and they are widely regarded as the most common cause of data breaches. In fact, Verizon’s 2020 Data Breach Investigations Report found that phishing was involved, to some extent, in 22% of all data breaches.

Phishing attacks play on the fact that humans have never been good at cybersecurity. We are often easily tricked or deceived into divulging our usernames and passwords by sophisticated social engineering attacks. MobileIron’s latest research found that C-Suite executives are a popular target – 54% believed they had been targeted by a phishing attack in the last year.

Traditionally, email and email attachments have been the most common vectors, but more recently text messages, multimedia messages, and ad networks have played a more tactical role. All of these can be used to persuade you to tap a hyperlink and enter an official-looking website. That link redirects the victim to a malicious website that harvests their user credentials, and may then drop, install, and execute a malicious payload on the mobile device or, in the case of file-less malware, run it only in the device’s random access memory.

What is ransomware?

Ransomware is malware whose sole purpose is to extort money from the victim. Once a user’s credentials have been captured via a phishing attack, threat actors can grab additional valuable information on the mobile device, then break out of the device and move laterally onto connected network nodes in search of further critical data to steal. They can then block or encrypt the data and send out a ransom note, usually demanding payment in cryptocurrency in return for unblocking or decrypting it.

Most recently, fitness technology giant Garmin fell victim to such an attack where hackers supposedly demanded a $10 million ransom fee in order to return the organisation’s stolen data.

How can we fight back?

In order to best defend against both phishing and ransomware attacks, businesses should look to deploy a multi-vector approach. This should start with an always-on detection and remediation solution at the device level. This will provide on-device protection against phishing attacks, even when the device has limited internet connectivity, or is connected to a risky WiFi network.

Next, a cloud-based URL lookup service that uses machine learning to protect the entire device and its contents is required. More sophisticated cloud-based threat databases combine multiple real-time, crowdsourced phishing feeds and are updated more frequently, so that the up to 5,000 new malicious domains and websites created every day can be blocked immediately.

This can then be augmented by network-level detection that uses DNS servers to automatically block additional malicious domains and websites using threat intelligence sources. Public DNS servers from OpenDNS, Quad9, Cloudflare, and Google provide this capability, and can be deployed onto mobile devices and laptops via DHCP at work or on a home wireless router.
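The DNS-level blocking described above works because a filtering resolver refuses to answer for names on its threat-intelligence list. The following Python model of that decision logic is an added example, not MobileIron code and not the behaviour of any particular public resolver: the threat feed and the zone data are constructed samples, and the resolver functions are stand-ins that never touch the network. It shows the detail that matters in practice, matching on label boundaries so that a listed apex domain covers its subdomains without a lookalike such as `notphish-example.test` being caught by a substring match.

```python
"""Toy model of DNS-level threat-intelligence filtering.

Added illustration for the network-level blocking discussed in the article.
Not MobileIron code; the feed, zone data and resolver behaviour are
constructed for the example and do not reflect any real resolver.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample threat feed: names a filtering resolver refuses to answer.
# Each entry is treated as a domain suffix, so an apex covers its subdomains.
SAMPLE_THREAT_FEED = {
    "phish-example.test",
    "malware-cdn.example",
}

# Constructed sample "zone data" standing in for the real DNS (RFC 5737 addresses).
SAMPLE_ZONE = {
    "login.phish-example.test": "203.0.113.10",
    "cdn.malware-cdn.example": "203.0.113.20",
    "intranet.corp.example": "198.51.100.5",
    "example.org": "198.51.100.7",
}


def canonical(name: str) -> str:
    """Normalise a query name: lowercase, trim whitespace, drop the root dot."""
    return name.strip().lower().rstrip(".")


def is_blocked(qname: str, feed: set) -> Optional[str]:
    """Return the feed entry that covers qname (exact or parent domain), else None.

    Walks label by label from the full name up to the TLD, so matching happens
    on label boundaries rather than as a substring search.
    """
    labels = canonical(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


@dataclass
class Answer:
    qname: str
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    address: Optional[str]
    blocked_by: Optional[str] = None


def plain_resolve(qname: str, zone: dict = SAMPLE_ZONE) -> Answer:
    """Unfiltered resolver: answers whatever the zone data says."""
    name = canonical(qname)
    addr = zone.get(name)
    return Answer(name, "NOERROR" if addr else "NXDOMAIN", addr)


def filtering_resolve(qname: str, feed: set = SAMPLE_THREAT_FEED,
                      zone: dict = SAMPLE_ZONE) -> Answer:
    """Filtering resolver: refuse names on the feed before consulting the zone.

    Real filtering resolvers typically return NXDOMAIN or a sinkhole address;
    this model returns NXDOMAIN and records which feed entry caused the block.
    """
    name = canonical(qname)
    hit = is_blocked(name, feed)
    if hit:
        return Answer(name, "NXDOMAIN", None, blocked_by=hit)
    return plain_resolve(name, zone)


if __name__ == "__main__":
    for q in ("LOGIN.phish-example.test.", "cdn.malware-cdn.example",
              "notphish-example.test", "intranet.corp.example"):
        plain, filtered = plain_resolve(q), filtering_resolve(q)
        print(f"{q:28} plain={plain.rcode:8} {plain.address or '-':15} "
              f"filtered={filtered.rcode:8} blocked_by={filtered.blocked_by}")
```

In a real deployment none of this logic lives on the device: the endpoint is simply handed the filtering resolver's address through DHCP (the `domain-name-servers` option), so the same query that an unfiltered resolver answers with an address comes back as NXDOMAIN from the filtering one.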

The Chrome browser enables safe browsing by default. Chrome, Edge, and Firefox browsers also have phishing protection capabilities that can all be enabled by a unified endpoint management (UEM) platform and silently installed onto a fleet of managed mobile devices and laptops.

Phishing protection features are often part of mobile threat detection (MTD) software, but MTD goes further than just protecting against phishing attacks. MTD can also provide additional protection from application threats, network threats, and device-level threats, such as when a device has been jailbroken.

Preventing access

UEM platforms can also deploy and enforce multi-factor authentication (MFA), meaning that businesses can get rid of passwords and log-in credentials that are easy for hackers to steal, and replace them with more secure modes of access, such as biometrics. To prevent phishing, take away the bait.

Additionally, split-tunnel VPNs can be configured and deployed to managed mobile devices by using a per-app VPN. A plain split-tunnel VPN allows the mobile device user to connect to the corporate network and surf the insecure internet at the same time over that split-tunnel connection, which leaves open the threat of users being redirected to malicious websites and unknowingly downloading drive-by malware. Per-app VPN removes this threat by only allowing the specific, corporate-approved app (as opposed to malware) and its associated traffic through the secure tunnel to the access gateway, and from there to the on-premises, data centre, or cloud-based corporate resource.

Tackling the twinned threats of ransomware and phishing requires businesses to block all of a hacker’s potential avenues to corporate data. Combining this with the ability to quickly detect and remediate on-device threats can go a long way towards preventing costly attacks. Layering defence mechanisms to reflect this is crucial. Without taking these steps, enterprises may leave themselves vulnerable to phishing, ransomware and unprecedented levels of business disruption.

Contributed by Brian Foster, SVP of product management at MobileIron
