In 2020, malicious hackers targeting government workers’ devices drastically sharpened the focus of their phishing efforts on obtaining victims’ login credentials—as opposed to delivering malware—making for more invasive and persistent attacks, according to a report from mobile security firm Lookout.
“Over 70% of phishing attacks against government organizations sought to steal login credentials, which is a 67% increase from 2019,” reads a key finding from the report released Wednesday. The report makes use of data from nearly 200 million devices and over 135 million mobile apps specific to government agencies Lookout serves.
The firm posits that the shift to remote work brought on by the pandemic will endure and is causing more government entities to consider telling their workers it’s OK to “bring your own device,” or BYOD. But a look at the numbers in 2020 suggests increased use of such policies could lead to a new blind spot that hackers are already exploiting.
“Malicious actors have embraced mobile phishing because they can use any one of the hundreds of apps on the average person’s mobile device,” the report reads. “Attackers can socially engineer targets on a personal level through social media apps, messaging platforms, games and even dating apps. An attacker will target particular individuals, including department heads, law enforcement officials, city superintendents, revenue officers or other government officials to gain privileged access to the data they want to steal.”
This greater surface area could also increase the success of tactics like password spraying—where adversaries find the password for one app or device and test it against others—which the Cybersecurity and Infrastructure Security Agency said was a factor, along with plain old guessing, in the ..