In response to news that a 17-year-old was one of three people arrested in connection with the largest privacy and security breach in Twitter’s history and the bitcoin scam that saw the accounts of public figures such as Barack Obama, Bill Gates and Joe Biden hijacked for fraud, an expert with Point3 Security offers perspective and advice to protect against mobile phishing.
Chloé Messdaghi, VP of Strategy, Point3 Security:
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an ethical hacker advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She is the founder of WeAreHackerz & the President and co-founder of Women of Security, a podcaster for ITSP Magazine’s The Uncommon Journey, and runs the Hacker Book Club.
She offers the following regarding this breaking story.
“As we’re learning, one of the young men arrested today was previously investigated back in April, and the Secret Service previously took 700K bitcoin from him.
“We’re in a time when people are generally overwhelmed and attackers know this and are actively exploiting it. That’s why we’re seeing a rise in mobile phishing in particular.
“Think about it: now more than ever, if someone gets a text on their mobile from a boss who doesn’t usually reach out that way, they’re likely to chalk it up to the interoffice lines of communications that have been blurred and rewritten by the Pandemic. And if an employee is then asked by someone purporting to be their boss with a message saying “we have a serious problem” and to please call a helpdesk number immediately, they’re more likely to comply before thinking things through – again, because the Pandemic has made people overwhelmed and eager to respond to security threats.
“On top of that, mobile is a much better way to phish someone versus laptop computing – studies say that even well-informed users are 3x more likely to fall for a phishing link on a small screen vs. a desktop, because it’s harder visually and logistically to double check a link. There needs to be a lot more conversations about mobile phishing in particular, and any phishing really. Rule #1 must be: Always question everything you get, including and especially anything from your employer.
“Here are some common phishing-through-mobile approaches: SMS messages that warn of a security situation or ask the recipient to “click here to validate”; URL padding – where a bad actor takes a legitimate domain and adds malicious extensions onto it, that can lead elsewhere – but the recipient doesn’t know because when they get the SMS message, only the main domain shows; malicious Tiny URLs – we see these a lot, and they take the unsuspecting recipient to an insecure and dangerous site; and mobile verification code scams – those are the most popular.
“Again, the first rule must be that if a number’s not familiar and already saved in the recipient’s contacts – they really need to double check it and make Google their ‘search buddy’ by seeing if there’s anything to be learned about the number.
“Bad actors are exploiting our surreal-reacted emotional state and lack of focus to make money.
“Also, it’s important to differentiate attackers from hackers. Attackers are the malicious/bad actors – in contrast, hackers find and report vulnerabilities without exploiting them. Stories that mislabel bad actors as hackers actually hurt the hacker community, who are trying to keep everyone safe by finding and de-escalating problems.”
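The URL padding and short-link tricks Messdaghi describes, as an added example that is not part of the article or Point3 Security’s own code: a small Python triage script that pulls URLs out of SMS text and reports the part of the link the recipient actually has to check (the registrable domain), flagging messages where a trusted brand name is only padding in front of some other domain, or where a shortener hides the destination. The brand watch-list, shortener list and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed watch-list of brands a defender cares about (assumption, not from the article).
WATCHED_DOMAINS = {"twitter.com", "paypal.com"}
# Assumed shortener hosts: a short link hides its real destination until it is expanded.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

# Rough URL matcher for SMS bodies: a dotted host, optionally followed by path/query/userinfo.
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#@][^\s]*)?", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two host labels. Assumption: no public-suffix list is
    available offline, so multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Verdict for one URL found in an SMS body."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in WATCHED_DOMAINS:
        verdict = "legitimate-domain"       # brand really is the owner of this host
    elif reg in SHORTENER_HOSTS:
        verdict = "shortened-link"          # destination unknown until expanded
    elif any(brand in parts.netloc.lower() for brand in WATCHED_DOMAINS):
        # URL padding: the brand sits in front of (or beside) the true domain, so a
        # truncated mobile display shows only the familiar part. Checking netloc rather
        # than hostname also catches the "brand@real-host" userinfo variant.
        verdict = "url-padding"
    else:
        verdict = "unknown-domain"
    return {"url": url, "host": host, "registrable": reg, "verdict": verdict}


def scan_sms(text: str) -> list:
    """All URLs in one message with their verdicts (empty list if none found)."""
    return [classify_url(m.group(0)) for m in URL_RE.finditer(text)]


# Constructed sample messages, modelled on the approaches described in the interview.
SAMPLE_SMS = [
    "Security alert: review your sessions at https://mobile.twitter.com/settings",
    "Your Twitter account is locked. Validate here: http://twitter.com.account-check.example/login",
    "IT helpdesk: urgent, click https://bit.ly/3xample to reset your password",
    "Sign in: https://twitter.com@evil.example/login",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for r in scan_sms(sms):
            print(f"{r['verdict']:18} check: {r['registrable']:28} url: {r['url']}")
```

The point for a recipient is the `registrable` column: that is the domain that will actually be visited, whatever the start of the link looks like on a small screen.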