
Threat Actors Pivot to Credential Theft in Government Mobile Phishing Attacks

A new Lookout report highlights a tangle of government mobile device security challenges, including the use of outdated or unmanaged devices, and a rise in phishing attacks targeting credentials.

Threat groups are increasingly hunting for credentials in phishing attacks that target the mobile devices of government employees: almost half of mobile phishing attacks in 2021 aimed at stealing government credentials, up from the previous year.

That’s according to a new report by Lookout, which reviewed data from 2021 and the first half of 2022 specific to its federal, state, and local government user base. The government-specific figures are drawn from telemetry across more than 200 million devices and more than 175 million apps. The report found that the share of mobile phishing attacks targeting federal, state and local government staffers’ credentials increased from 31 percent in 2020 to 46 percent in 2021, while the share delivering malware decreased slightly from 79 percent in 2020 to 70 percent in 2021.

“Malware delivery continues to represent roughly 75 percent of all mobile phishing attacks across all industries,” according to Lookout researchers in the Wednesday report. “However, when targeting federal, state, and local government entities, threat actors are increasingly using phishing attacks for harvesting credentials rather than delivering malware.”

Overall, researchers saw a steady increase in mobile phishing attempts for state and local governments across both managed and unmanaged devices, with attempts increasing by 48 percent for managed devices and 25 percent for unmanaged devices from 2020 to 2021. Lookout researchers noted that this climb has continued through the first half of 2022.

Phishing attacks targeting the government sector can have a range of malicious purposes. In March, the FBI warned that U.S. election and other state and local government officials in at least nine states received invoice-themed phishing emails, which in some cases were sent from compromised legitimate email addresses. The emails, observed in October 2021, shared similar attachment files and were sent close in time, which the FBI said suggested a “concerted effort” to target election officials. The phishing emails led recipients to a website designed to steal their login credentials.

"There’s a lucrative underground market in the dark web for stolen credentials/stolen information," said Steve Banda, senior manager for security solutions with Lookout. "We don't expect this to slow down any time soon. Cybercriminals are financially motivated to steal and sell credentials in these forums. This data is ultimately used by attackers to gain deeper access into government systems. Once authenticated, they can move laterally within an environment often without being detected, exfiltrating sensitive information that can be used in nefarious ways."

Unmanaged Devices and Hybrid Workforces

Overall, researchers also found that employees across federal, state, and local governments increased their reliance on unmanaged mobile devices by 55 percent between 2020 and 2021. This rise in unmanaged device usage is due to the continued popularity of remote and hybrid work environments on the heels of the pandemic, with many employees depending on personal mobile devices like smartphones, tablets and Chromebooks in some capacity for work. Mixing personal and work mobile devices creates a particular challenge for organizations trying to prevent phishing attacks, as it expands the threat surface and adds devices that security teams do not manage or monitor. For instance, an attacker who has compromised an employee’s personal device could gain access to corporate resources if the employee checks work email on that device.

“One of the biggest technological challenges facing all government entities has been the rapid shift to telework in recent years,” said Lookout researchers. “Security teams are acutely aware of the emerging risks that come from using cloud apps and having a workforce that connects using endpoints they have no visibility into.”

At the same time, Lookout’s report found several other security issues across government mobile devices. Almost 50 percent of state and local government employees are running outdated Android operating systems, for instance, leaving those devices exposed to known flaws that later versions have fixed.

These mobile security challenges are partly what the Biden administration’s 2021 cybersecurity executive order has sought to overcome, with mandates that require agencies to increase visibility into endpoints, implement security measures for cloud services and comply with event logging requirements. Federal agencies have until 2024 to implement the various security measures, such as multi-factor authentication (MFA) and encryption of network traffic, under the zero-trust architecture strategy.