Report: Mobile Phishing to Steal Government Credentials Increased 67% in 2020

In 2020, malicious hackers targeting government workers’ devices drastically sharpened the focus of their phishing efforts on obtaining victims’ login credentials—as opposed to delivering malware—making for more invasive and persistent attacks, according to a report from mobile security firm Lookout.

“Over 70% of phishing attacks against government organizations sought to steal login credentials, which is a 67% increase from 2019,” reads a key finding from the report released Wednesday. The report makes use of data from nearly 200 million devices and over 135 million mobile apps specific to government agencies Lookout serves.

The firm posits that the shift to remote work brought on by the pandemic will endure and is causing more government entities to consider telling their workers it’s OK to “bring your own device,” or BYOD. But a look at the numbers in 2020 suggests increased use of such policies could lead to a new blindspot that hackers are already exploiting.

“Malicious actors have embraced mobile phishing because they can use any one of the hundreds of apps on the average person’s mobile device,” the report reads. “Attackers can socially engineer targets on a personal level through social media apps, messaging platforms, games and even dating apps. An attacker will target particular individuals, including department heads, law enforcement officials, city superintendents, revenue officers or other government officials to gain privileged access to the data they want to steal.”

This greater surface area could also increase the success of tactics like password spraying—where adversaries find the password for one app or device and test it against others—which the Cybersecurity and Infrastructure Security Agency said was a factor, along with plain old guessing, in the hacking campaign that compromised several federal agencies.

Federal agencies have not taken to BYOD as much as those at the state and local level. “Nearly one-quarter of state and local government employees use personal unmanaged devices, outpacing the nearly 9% in the federal government,” according to the report. Still, 1 in 30 federal government workers was exposed to phishing threats in 2020, Lookout said, adding that’s a significant attack surface “because it only takes one successful phishing attempt to compromise an entire agency.”

Federal agencies also saw a more significant uptick than state and local agencies in credential harvesting over malware delivery last year. 

“In 2020, over three-quarters of phishing attacks sought to steal credentials,” the report reads. “When compared to 2019, credential theft attacks against federal agencies increased at a rate of 90 percent while malware delivery decreased at a rate of 47 percent.” 

Lookout also flagged a dangerous increase in third-party software development kits, or SDKs, which impacts government entities and the private sector equally. These are used by advertisers and can often contain vulnerabilities that threat actors can exploit, the firm said.

“This level of app threat exposure may be here to stay as advertising SDKs increasingly show up in mobile apps,” the report said, noting, “some of the government-agency risks caused by malicious apps include: compliance violations due to data handling practices, excessive permissions that allow an app to see data in other apps on the device, access to the camera and microphone to spy on the user, access to the device’s file system [and] connections to servers in foreign countries.”