Monday September 16, 2019

Advanced SMS Phishing Attacks Affecting Android Phones: Report

However, Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification

A French soldier watches code lines on his computer during the International Cybersecurity forum in Lille, northern France, Jan. 23, 2018. VOA

A security flaw in Samsung, LG, Sony, Huawei and other Android smartphones has been discovered that leaves users vulnerable to advanced SMS phishing attacks, Check Point Research, the threat intelligence arm of cybersecurity firm Check Point Software Technologies Ltd., said on Thursday.

Researchers at the cybersecurity firm said certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of Open Mobile Alliance Client Provisioning (OMA CP) messages.

“Given the popularity of Android devices, this is a critical vulnerability that must be addressed. Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air (OTA) provisioning.

“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” Slava Makkaveev, Security Researcher, Check Point Software Technologies, said in a statement.

The affected Android phones use OTA provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network.

FILE – A worker sits at a computer at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Aug. 22, 2018. VOA

However, researchers at Check Point found that OMA CP, the industry standard for OTA provisioning, includes limited authentication methods, and remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users.

The message tricks users into accepting malicious settings that route their Internet traffic through a proxy server owned by the hacker.


The findings were disclosed to the affected vendors in March; Samsung included a fix addressing this phishing flaw in their Security Maintenance Release for May (SVE-2019-14073), LG released their fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.

However, Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification. (IANS)


New Report Reveals Employee Errors Lead to Over Half of Cybersecurity Incidents

“Taking a comprehensive, multi-layered approach — which combines technical protection with regular training of IT security specialists and industrial network operators — will ensure networks remain protected from threats and skills stay up to date,” Shebuldaev said.


Despite automation, the human factor can put industrial processes at risk. A new report has revealed that employee errors or unintentional actions lead to over half of cybersecurity incidents in industrial networks.

Organisations are experiencing a shortage of professionals to handle new threats, said the report from cybersecurity firm Kaspersky.

Organisations are also worried that their operational technology and industrial control system (OT/ICS) network operators are not fully aware of the behaviour that can cause cybersecurity breaches, according to the report titled “State of Industrial Cybersecurity 2019”.

These challenges make up the two major concerns relating to cybersecurity management and go some way in explaining why employee errors cause half of all industrial control system incidents — such as malware infections — and also more serious targeted attacks.


In almost half of companies (45 per cent), the employees responsible for IT infrastructure security also oversee the security of OT/ICS networks, combining this task with their core responsibilities.

Such an approach may carry security risks. Although operational and corporate networks are becoming increasingly connected, specialists on each side can have different approaches and goals when it comes to cybersecurity.


“This year’s study shows that companies are seeking to improve protection for industrial networks. However, this can only be achieved if they address the risks related to the lack of qualified staff and employee errors,” said Georgy Shebuldaev, Brand Manager, Kaspersky Industrial Cybersecurity.

“Taking a comprehensive, multi-layered approach — which combines technical protection with regular training of IT security specialists and industrial network operators — will ensure networks remain protected from threats and skills stay up to date,” Shebuldaev said. (IANS)