You’ve got mail? You’ve got malware

ElevenPaths    2 May, 2018
A few weeks ago I was ‘compromised’. A well-known vulnerability was exploited and I was left financially exposed, with my reputation potentially at risk. “What happened?” I hear you cry? Well, my debit card was cloned. Not necessarily the end of the world, but a big inconvenience.
Rogue transactions were credited back into my account, a new card issued and no real harm was done. But then the ‘payment declined’ messages started to occur. Certain services I use keep my card details on record for repeat use – my Amazon account, a razor blade subscription, eBay, etc. Basically anything that isn’t a Direct Debit or Standing Order. So it was whilst in this frame of mind – willingly adding new card details to various provider websites – that I was nearly caught out by something which could have been far more damaging.

The great thing about mobility is its ease of use and familiarity – after all my smartphone never leaves my side. Like most of us today it’s helped me become an adept multi-tasker, happily watching TV whilst flicking through Strava, Facebook, email and 101 other apps. But as I watched, another payment declined email came through, this time from Netflix. I clicked on the link to add my new card details but something didn’t look quite right. I noticed that they asked for data not relevant in the UK and it appeared to have a look and feel that wasn’t the normal, professional Netflix site I’m familiar with. Given a little less concentration, I could have easily tapped in my card details and be back to square one; inputting details into a fake site only to be compromised again.
But that’s not all. Debit card fraud can be quickly spotted given its scale and impact, and the remedial measures can be relatively pain-free. The bad guys may want my card details for fraud, but what could be far more valuable and damaging is access to my device, its apps and the data they hold. Enterprise data, customer data, personal data. Mobile malware, i.e. malicious software that is designed specifically to target mobile device systems such as a smartphone or tablet, is predicted to rise to its highest level in 2018, and Gartner say that only 30% of businesses will have a mobile threat defence strategy come 2020.
When you couple with this with the fact that businesses are opting for a mobile first strategy, you see a worrying lack of broad awareness or widespread take up of initiatives to introduce adequate controls. Something you’d never do with any other endpoint. If I’d added my new card details, there is a good chance I could have been compromised further –‘Thank-you Mr H’, ‘Download our new app Mr H’ – and suddenly there is mobile malware on the device. You might think ‘only a fool would do that’, but we’ve been here before right? The human factor will always be a weak element of your cyber protection strategy, and given the ease of use of mobile, it’s the next threat vector to be dealt with.
So whether it’s dodgy app stores, suspect public Wi-Fi, or SMS phishing, there’s a good chance that where you thought you had mail, you’ve actually got malware.
But we can help. From secure mobility solutions to help with encryption, authentication and mobile device management, to Next-Generation Firewall to support intrusion prevention and malware protection, you can combine your in-house resources with our expertise to build a comprehensive security portfolio.
We also offer a malicious apps test.  It’s free, simple and has had a 100% success rate. Which might sound like a bold claim, but of all the enterprises we’ve worked with who took the test, we found mobile malware was on all of their devices. I wonder what it’s doing, don’t you?
Now. Back to the TV and Facebook.
Lee Hargadon
Head of Enterprise Mobility, O2
This post was published on April 7th in 

Leave a Reply

Your email address will not be published.