What Petroleum Marketers Need to Know About Mobile Device Fraud

Petroleum marketers already have been victims of ransomware – malicious software that holds your data captive until you pay fraudsters a ransom for its release.

In this case, the crooks’ most common way into the company’s information system is generally through email phishing campaigns enticing employees to click on a link or open a file that ultimately installs malware onto the computer.

  • Related Content: Read how QuikTrip outsmarted potential fraudsters.

Workshop leaders at recent industry tradeshows have called attention to phishing problems, offering ways not only to spot these attacks but providing tips for training employees to avoid clicking on malicious links and files.

However, just when oil marketers may be getting wise to phishing campaigns – and hopefully moving on to spot even more elaborate “spear” phishing schemes – another worrisome tactic has emerged: SMiShing.

In case you haven’t guessed, that’s the text version of a phishing campaign, in which the crook lures the mobile user to download malicious applications that can lead to mobile device fraud.

Verizon addressed SMiShing schemes and mobile malware, in general, in a small section within its recently released 2018 Data Breach Investigations Report. SMiShing is just one delivery method used to infect a mobile device.

And evidence points to mobile malware as a small but rapidly growing problem.

In its report, Verizon said that though data breaches involving mobile devices are uncommon, mobile malware is still a “legitimate” concern. Mobile intrusions could increase as the use of mobile technology continues to grow. Verizon also noted that a few notorious organized crime rings successfully have employed mobile malware recently, which could lead other crooks to copy their tactics.

“There is evidence that some actors are expanding from traditional user devices and beginning to target mobile,” the report said, noting that mobile devices are used for enterprise data access and communication.

The prospects could be devastating. Hackers commonly target not just financial and personal data, but log-in information. Mobile phones house two-factor authentication credentials, Verizon pointed out.

“Applications with capabilities of capturing and exfiltrating data do exist and organizations need to be mindful of the potential impact of a compromised corporate mobile device,” Verizon said. “As mobile devices often provide privileged access to the enterprise environment and hold two-factor authentication credentials, these classes of malware and device-based attacks can result in more damage than adware or click fraud.”

 The Verizon report touched on five top categories of malware that could infect mobile devices from a Lookout Mobile Security analysis of Android and IOS apps:

  • Adware, which displays advertisements over the top of other applications;
  • Chargeware, which charges users for services without proper notification;
  • Riskware, with code and libraries that reduce a device’s security;
  • Spyware or surveillanceware, which gathers sensitive information for a third party; and,
  • Trojans, which “masquerade” as legitimate applications.

Mobile users are not just vulnerable to SMiShing. Phishing also becomes a bigger threat on a mobile device, according to recent research from mobile security solutions provider Lookout Inc.

And not only phishing emails — but phishing websites.

“When you see how convincing phishing sites or webpages crafted to trick individuals into giving over their information can be, it’s not hard to understand why it’s such an effective medium for attackers,” Lookout said.

The mobile security firm said a study of its client base suggests that the rate at which people are falling for phishing attacks on mobile devices has increased, climbing an average of 85% per year since 2011. In spite of being protected by traditional phishing protection and education, 56% of Lookout users received and tapped a phishing URL on their mobile device from 2011-2016, the company said.

“Mobile devices are connected outside traditional firewalls, typically lack endpoint security solutions, and access a plethora of new messaging platforms not used on desktops,” Lookout’s report warned. “Additionally, the mobile user interface does not have the depth of detail needed to identify phishing attacks, such as hovering over hyperlinks to show the destination.”

IBM research suggests that mobile users are three times more likely to fall for phishing scams, Lookout noted in its analysis. Even the small size of the screen and much smaller lettering make people more vulnerable to scams on a phone than on a desktop.

What’s worse, Lookout said that mobile devices open all-new attack methods for criminals. “Attackers take advantage of SMS and MMS as a means of phishing, as well as some of today’s most popular and highly used personal social media apps and messaging platforms such as WhatsApp, Facebook Messenger and Instagram,” the mobile security firm wrote in its report.

Commonly, experts have advised business owners like petroleum marketers to beware of the human factor – that human error can be the greatest security weakness.

However, Lookout said that on mobile devices, not just people, but apps are a concern.

“URLs are not only used or accessed (clicked on) by end users. Apps use URLs in their code base to communicate and pull down information in real-time. Attackers can use this functionality to phish individuals. This creates a new attack surface for enterprises to worry about: ‘benign apps’ accessing malicious URLs,” the security firm said.

With oil marketers’ growing use of mobile technology to interface with customers, vendors and employees, their risk of mobile device infection undoubtedly is increasing.

So while you assess and manage the risks your business faces due to data breaches on employee desktops, don’t forget the threat to mobile devices. These smaller devices may pose an even bigger data security liability.   

Oil ExpressStay one step ahead of fraud with real-world tips you can use right now. Try Oil Express free for 2 weeks for  coverage of all the biggest risks, challenges and issues facing petroleum marketers today.


Tags: C-stores, Fraud