Facts About Hostile Profile Takeover

Dave Jevans of Marble Security on the New Mobile Threatscape
Facts About Hostile Profile Takeover

What is hostile profile takeover, and why does this emerging threat pose such a risk to smart phone users? Dave Jevans, CTO of Marble Security, describes this and other new mobile threats.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

It's the latest rage with fraudsters. They use spear phishing and social engineering techniques to trick mobile users into giving up control of their own device profile - often in just a couple of easy clicks.

"And what that [rogue] profile can do is turn off applications ... turn off Safari security settings, change Java script settings," Jevans says. "There's a whole set of things which were designed for enterprise control that can easily be done by any attacker on any website."

And if users don't have a mobile device management system on their device? Fraudsters can install one of their own. "And that is basically complete device takeover," Jevans says.

In an interview about mobile security, Jevans discusses:

  • The threat of hostile profile takeover;
  • The latest risks to Android and iOS users;
  • Fundamental mobile security controls to employ.

Jevans is the chairman of the board and CTO of Marble Security Inc. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy. He also worked in the advanced technology group at Apple and ran an engineering project involving advanced operating systems. Currently, he serves as the chairman of the Anti-Phishing Working Group.

Mobile Threats

TOM FIELD: Everybody today is talking about targeted attacks. What are some of the specific threats that you're seeing in the mobile space now?

DAVE JEVANS: We're seeing a big increase in targeted spear-phishing against employees inside of companies of all different sizes and in all different industries. We're seeing it in education. We're seeing it in healthcare. We're seeing it in Fortune 500 and government contractors. We're [also] seeing malicious applications, particularly SMS interceptors and redirector-type apps. We're [also] seeing the beginnings of a new type of targeted threat which is hostile profile takeovers, which allow you to take over all or part of a device.

Spear-Phishing Via Mobile

FIELD: You mentioned spear-phishing. I know it's a specific concern today. What I'd like to hear from you is: Why are mobile users even more susceptible to these attacks than say somebody that's sitting at a desktop or a laptop?

JEVANS: As we know, almost every advanced persistent threat over the last two years has involved spear-phishing targeting employees - a small number of them, sometimes one, two three or four employees - inside of a company to gain access into a company's networks. We're seeing targeted spear-phishing across all sectors of industry and government, seeing it in healthcare, education, in state and local governments, certainly in all forms of enterprise.

Users on mobile devices are much more susceptible to spear-phishing attacks for several reasons. The first is people with mobile devices are what I call "always on." They're reading their e-mails in many different places, not just at their desktop when they're in their office. They're reading them in the taxicab; they're reading them at the airport; they're reading e-mails sitting in meetings; they're reading e-mails after dinner time or when they're watching TV. They're much more susceptible to getting them, and getting them when they're fresh before the site has been detected or taken down.

Another reason is the screen real estate, frankly, of mobile devices, even of iPads, but particularly of your Androids and iPhone smart phones. That screen really makes it difficult for a user to determine if an e-mail address is legit or, more importantly, if a web link is legit.

The third reason is that users on mobile devices - particularly in bring-your-own-device environments - will probably have multiple e-mail accounts attached to that device. I've got three or four attached to my iPhone right now. There are multiple vectors to target employees, not just through the corporate e-mail system which may have very high levels of filtering on it. They may have a personal e-mail address and an attacker may choose to target users through that personal e-mail address.

The fourth reason is there's another alternate way of delivering spear-phishing, and that's through SMS. We're seeing a rise in what we call smishing, or SMS phishing, where users are being targeted with text messages that allegedly come from corporate IT telling them, for example, "Update your password. We've done a password reset." Or, "Install a new spam filtering profile on your mobile device. Please click here." Those are some of the real reasons why mobile users are measurably more vulnerable to spear-phishing attacks than those sitting in a corporate environment on their PC.

Hostile Profile Takeover

FIELD: At the top of this conversation, I mentioned hostile profile takeover. I would like to ask you about that. Tell us about the attacks, please, and why iOS device users especially need to be concerned about these?

JEVANS: This is a new type of attack which basically allows you to take over part or all of an iOS device particularly. There are two types of configuration profiles on an iPhone or an iPad. One's a configuration profile and the other is a device management profile. A configuration profile basically can be positioned to a user on a web page, so all you have to do is get a user to visit a webpage through a phishing attack, spear-phishing attack or random visitation to a malicious website, and that profile then is attempted to be installed on their device.

Now, those profiles can be unsigned. They don't have to be digitally signed. They're not verified by Apple. The user is asked to install it, and through social engineering that can be positioned as, "Here's your security update; here's your anti-spam update; here's this new thing that will speed up your iPhone." There are many different ways to trick a user into clicking install. All they have to do is click "Install this profile."

If they have a password set on their device, they have to enter their password. If they don't, the profile is just installed automatically. You can have a one- to two-click takeover. What that profile can do is turn off applications, [such as] all the Apple apps. I've got a proof of concept that's running live where, if you visit it, I can basically remove your iTunes, put something on there that looks like iTunes that isn't, and it can take you to my site where I can then socially engineer your passwords and other things. You can turn off Safari security settings, change JavaScript settings, allow untrusted TOS connections which allow me to start doing man-in-the-middle attacks and install X.509 certificates. There's a whole set of things which are designed for enterprise control that can easily be done by any attacker on any website.

But things get worse. If you haven't installed a mobile device management system on your user's devices, attackers can install one for you. That basically is complete device takeover. It allows your users' apps to be replaced or modified. It allows operating system changes. It allows the attackers to delete data on the device. Worst of all, through VPN settings, it can allow an attacker to route all of your user's traffic to a man-in-the-middle site. We really recommend having a mobile security product on every user's device, even in a bring-your-own-device environment, to protect against hostile profile takeover, to detect it, to alert and to block it.

Android's App Security Risks

FIELD: We picked on Apple a little bit; let's talk about Android. What are some of the specific application security risks that you're seeing with Android devices now?

JEVANS: I think the biggest overall problem is the fragmentation of the Android operating system and hardware environment. This is a wonderful thing in that it's an open operating system; anyone can download it, compile it and anyone can create a device. The downside of it is that there are over three-and-a-half thousand different versions of software combined with manufacturers out there. In some cases, some fragmentation reports you [can] combine hardware and software to 10,000 different settings. These are operating system versions, patch levels and security settings by all these different vendors and all these different devices. That creates a nightmare for security management and patch management. That's the biggest problem and [goes] back to having a security product on those devices that can help manage and detect the security threats that may be specific to each of these thousands of different versions.

We're seeing also a lot more malicious apps in the Android environment, and Google has done a good job with their Bouncer technology on their Play marketplace to try to detect these, but we know that it's not 100-percent effective and it never will be. We've also seen examples of apps that behave in one way when they're being analyzed and then, once they've been approved and distributed, they talk to a command-and-control center and behave differently. That happens to be true also on the iOS side.

The other issue we're seeing on Android are apps that users choose to load from other app marketplaces. There are numerous app marketplaces that are legitimate, but there are also well over a hundred that we're scanning that are not legitimate app marketplaces that will allow users to download malicious apps. In particular, we're seeing people take popular paid apps, like games, tampering with them and pushing them back out on to these rogue marketplaces where you can get a "game for free" but you've now willingly downloaded malware onto your Android device.

Fundamental Security Controls

FIELD: A few minutes ago, you mentioned mobile device management. What do you see in addition to MDM as some of the fundamental security controls that organizations need to assess and mitigate some of these risks?

JEVANS: At Marble, the way we look at it is a layered stack of security is critical. Mobile device management is the basic thing you need to control password enforcements and things of that nature. The next level is mobile application management which will allow you to push applications that you want to and make sure that they're up-to-date. Then, the top level is mobile security management, and this is a layer of dynamic protection that does things like application scanning: looking at a user's device, looking at what apps are on it and then analyzing those out in the cloud, looking for either malware or, more importantly, risky behaviors so that you can control risk to your network based on application behavior. We call that risk-based authentication where you look at not only the device settings, but also what apps are on it; how the user's accessing things; what are they accessing in the network; how sensitive are they, for example. An IT user might have more strict controls than a generic user who's only accessing e-mail, for example.

Then, you also need to look at things like DNS security, providing a real-time, anti-phishing feed, even if the user is not using your e-mail system and is using a Wi-Fi hotspot somewhere else. Those are some of the controls that need to be dealt with, implemented and assessed according to the risk of users in this new hostile environment we face.

2014 Threat Landscape

FIELD: Hostile environment is a key word. We've talked about hostile profile takeovers and spear-phishing. How do you see the threat landscape taking shape now as we walk toward 2014?

JEVANS: What I'm seeing is a rise in more and more malicious applications. We're also seeing much more risk around privacy-leaking applications. These are apps that might be legitimate but can effectively copy the entire address book of a user off a device and send it out to some place on the network. If that's connected to Active Directory, they basically uploaded your entire corporate directory out there, which creates perfect fodder for spear-phishing.

Spear-phishing is definitely on the rise. I've seen some surveys recently that we've worked with [saying] that up to 46 percent of companies that were surveyed are seeing an uptick in spear-phishing that they know about.

We're also seeing the rise of network attacks in 2014. These are DNS-based attacks, man-in-the-middle attacks and side-jacking attacks. These are primarily users on open Wi-Fi networks. What we're finding is that as more BYOD is happening and as more mobility is coming into the enterprise, users are using up ten different networks a month and IT probably controls one of them. There's a big risk there.

Lastly, specifically I'm seeing a lot more adoption of mobile in the healthcare environment, and HIPAA compliance is dreadfully poor on mobile devices.


About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 37 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.