An open-ended period of widespread remote work at all levels of government fueled an aggressive surge in mobile phishing attacks designed to steal public-sector employees’ credentials, according to research published Wednesday by the security firm Lookout.
Mobile phishing attempts exploded in 2020, as government workers from the federal level on down were sent home due to COVID-19 and became increasingly reliant on phones, tablets and other portable devices. While those devices have helped employees remain productive through the pandemic, they also boosted the number of active endpoints on government networks.
Research early in the health crisis found that the proliferation of mobile devices used to conduct government work — especially employees’ personal phones and laptops — broadened the attack surface for threats like ransomware by adding millions more endpoints. But that also created an opportunity for malicious actors who specialize in mobile phishing efforts, which can target dozens of apps on a single device.
“Mobile devices have unlocked previously untapped potential for your organization, enabling your employees to work however and from wherever they’re the most productive,” the Lookout report reads. “These modern endpoints, alongside cloud applications, now provide the same access to your sensitive data and confidential information as traditional computer endpoints. As a result, cyberattackers have built strategies to target both mobile devices and desktops to ensure they find vulnerable entry points into your infrastructure.”
And while basic phishing tactics haven’t changed much during the pandemic, attacks are becoming more sophisticated, focusing on credential theft and long-term network access rather than just malware delivery, said Steve Banda, a senior manager for security solutions at Lookout.
“SolarWinds really exemplifies where we’re going with this and showcases well the ultimate intention is to get inside and stay inside,” Banda told StateScoop, referring to the suspected Russian espionage campaign that infiltrated the supply chains of major IT vendors, leading to breaches of federal agencies, large corporations and at least three state governments.
Between 2019 and 2020, Lookout reported, the share of state and local agencies that experienced credential-harvesting phishing attacks jumped from 56% to 80%, an increase of about 42%, while the percentage of agencies reporting malware-delivery attacks dropped by more than half, from 69% to 31%. (The increase in credential harvesting was even more severe at the federal level, which experienced a 90% spike.)
Moreover, Lookout found, state and local employees have been far more likely to be exposed to phishing attacks than their federal counterparts. According to the company, one in 30 federal workers was subjected to an attempt in 2020, but that rate jumped to one in 13 at the state and local levels.
Banda said that difference can be attributed to the fact that state and local governments have been far more likely to adopt “bring your own device” policies, rather than issuing managed enterprise devices.
“What’s the breakdown in mobile strategy?” he said. “From our analysis, nearly a quarter of state and local government employees have adopted a BYOD strategy. With that comes your general exposure.”
By comparison, just 9% of federal employees use their own devices while working remotely, according to Lookout.
Banda said the best mitigation strategies are greater adoption of mobile phishing detection software and stronger mobile endpoint detection and response systems. And even in government agencies that rely on workers’ personal devices, he said there can be a stronger emphasis on updating operating systems.
Still, whether agencies issue devices or let employees use their own, keeping those devices patched is a challenge: according to Lookout, 99% of government Android users were running out-of-date versions of the operating system.