April 15, 2021

The Zero Trust Lesson Behind Mobile Phishing Against Australian Officials

Australia recently confirmed that a series of mobile phishing attacks were successfully executed on senior officials. According to The Sydney Morning Herald, the targets – which included Australia’s finance minister, health minister and ambassador to the U.S. – were sent messages asking them to validate new WhatsApp or Telegram accounts. Once they click on the link or download the app, the attacker gains access to the address book and is able to send messages pretending to be the target.

To anyone in cybersecurity, this tactic is not new, especially compared to other campaigns involving ransomware or surveillanceware. But it showed how effective phishing attacks on mobile devices can be, even against individuals who are surrounded by experienced security personnel, processes and procedures. It also illustrated why Zero Trust, the idea that you need to verify the identity and risk of a user or device before providing access to applications and data, is critical, and why mobile endpoints need to be part of it.

Why was this phishing campaign so effective?

Tablets and smartphones have become the center of how we interact and conduct business. If you are skeptical, check your weekly screen time report.

Gone are the days of the Nigerian prince who emailed our desktop computers. There are now countless mobile platforms for us to communicate with each other, and for scammers to send phishing messages with – including WhatsApp and Telegram.

Because we are so familiar with using mobile apps, we have also become accustomed to the authentication workflow of these apps. When I scroll down my SMS app, I seem to have just as many unknown numbers asking to validate my identity as I have texts from family and friends. It doesn’t take an attacker a lot of effort to craft scams that mimic these messages. It also doesn’t help that mobile devices have smaller screens and a simplified user experience, which hides most of the telltale signs of phishing.

What does this have to do with Zero Trust?

According to the Morning Herald, the Australian Department of Foreign Affairs and Trade now operates on the basis that these senior officials’ phones are compromised. Out of caution, some of the cabinet ministers’ phones were actually replaced. I know the Australian government had their hands forced, but this is a great demonstration of Zero Trust.

The idea of Zero Trust is that nothing and no one should be trusted unless they are verified to be who or what they claim to be. Because the Australian Government cannot validate the health of these phones, it makes sense that they treat the devices with suspicion or simply swap them out.

The same principle should apply to an enterprise. Employees now work from anywhere. They are using networks and devices that you don’t control. Naturally, you should not give them unconditional access to your apps and data, whether it's to your data center via VPN or to SaaS applications like Microsoft 365, Salesforce or Workday.

Zero Trust applies to everything

When the world went remote, most security teams expanded the capacity of their VPNs to quickly give their employees access to what they need. But this is an all-or-nothing approach that gives unlimited access to anyone who is connected. Many of the endpoints your employees use while working remotely – especially tablets, smartphones and Chromebooks – are not managed by you. The networks being used are also not under your control.

This is why Zero Trust needs to be a critical pillar of every organization’s cybersecurity strategy. You cannot provide unrestricted access to anyone and any device anymore, because your data moves freely from endpoints to cloud apps. Instead, you need to understand what’s going on with your users and endpoints so you can provide precise access only to the apps and data needed. Only with complete visibility can you ensure that your employees and data are secure.
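The contrast between the all-or-nothing VPN and a per-request Zero Trust decision can be shown as a small policy engine. This is an added illustration, not Lookout’s product logic or the Australian government’s policy; the app list, sensitivity tiers, the “limited” outcome for unmanaged devices and the endpoint fields are assumptions, with the one rule taken from the article being that a device whose health cannot be verified is treated as compromised.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class User:
    identity_verified: bool   # e.g. SSO login succeeded
    mfa_passed: bool          # second factor completed

@dataclass
class Endpoint:
    managed: bool                      # enrolled in the organisation's MDM/EDR
    health_attested: Optional[bool]    # None = health cannot be verified
    phishing_event: bool               # device opened a known account-validation lure

# Assumed app tiers: data center via VPN and HR data are "high", SaaS is "medium".
APP_SENSITIVITY: Dict[str, str] = {
    "datacenter-vpn": "high",
    "workday": "high",
    "salesforce": "medium",
    "microsoft-365": "medium",
}

def legacy_vpn_access(connected: bool, apps: List[str]) -> Dict[str, str]:
    """Flat VPN model: once connected, every app is reachable, no per-device checks."""
    return {app: ("allow" if connected else "deny") for app in apps}

def zero_trust_decision(user: User, endpoint: Endpoint, app: str) -> str:
    """Evaluate one access request against user identity, device risk and app tier."""
    if not (user.identity_verified and user.mfa_passed):
        return "deny"                      # never trust an unverified identity
    if endpoint.health_attested is not True:
        return "deny"                      # unknown or failed health == compromised
    if endpoint.phishing_event:
        return "deny"                      # device already hit by a lure: quarantine
    if APP_SENSITIVITY.get(app, "high") == "high" and not endpoint.managed:
        return "deny"                      # high-tier apps only from managed devices
    if not endpoint.managed:
        return "limited"                   # assumed reduced access (e.g. view only)
    return "allow"

def evaluate_all(user: User, endpoint: Endpoint) -> Dict[str, str]:
    """Per-app decisions for one user/device pair, instead of one blanket grant."""
    return {app: zero_trust_decision(user, endpoint, app) for app in APP_SENSITIVITY}
```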

Here at Lookout, we have integrated endpoint security with secure access service edge (SASE). This means that we can secure your data from endpoint-to-cloud in a manner that respects personal privacy. Visit our SASE solution page to learn more.