Threat groups are increasingly looking for credentials in their phishing attacks targeting government employees’ mobile devices, with nearly half of mobile phishing attacks in 2021 aiming to steal government credentials, an increase over the previous year.
That’s according to a new report from Lookout, which looked at data from 2021 and the first half of 2022 specific to its federal, state, and local user base. The government-specific data is drawn from telemetry from over 200 million devices and over 175 million apps. The report found that mobile phishing attacks targeting the credentials of federal, state and local government employees rose from 31% in 2020 to 46% in 2021, while those spreading malware declined slightly, from 79% in 2020 to 70% in 2021.
“Malware delivery continues to account for approximately 75% of all mobile phishing attacks across all industries,” according to Lookout researchers in Wednesday’s report. “However, when targeting federal, state, and local government entities, threat actors are increasingly using phishing attacks to harvest credentials rather than distribute malware.”
Overall, researchers found a steady increase in mobile phishing attempts for state and local governments on both managed and unmanaged devices, with attempts increasing by 48% for managed devices and 25% for unmanaged devices from 2020 to 2021. Lookout researchers noted that this increase has continued through the first half of 2022.
Phishing attacks targeting the government sector can have a range of malicious objectives. In March, the FBI warned that US election officials and other state and local governments in at least nine states had received bill-themed phishing emails, which in some cases were sent from compromised legitimate email addresses. The emails, observed in October 2021, shared similar attachments and were sent shortly after one another, which the FBI said suggested a “concerted effort” to target election officials. The phishing emails led recipients to a website designed to steal their login credentials.
“There is a lucrative underground market on the dark web for stolen credentials/stolen information,” said Steve Banda, head of security solutions at Lookout. “We don’t expect this to slow down anytime soon. Cybercriminals are financially motivated to steal and sell credentials in these forums. This data is ultimately used by attackers to gain deeper access to government systems. Once authenticated, they can move laterally within these forums in an environment often undetected, exfiltrating sensitive information that can be used maliciously.”