DHS S&T Hails First-Ever Mobile Phishing Protection Feature

A mobile device security platform funded in part by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has been updated with a never-before-seen feature to help tackle one of the most persistent problems in Federal agency cybersecurity.

San Francisco-based Lookout has added phishing protection to its Mobile Endpoint Security platform, and S&T today announced that an update to Lookout’s platform, with the new mobile phishing feature and enhanced content protection capabilities, is being transitioned to the government and private sector and is now available for both iPhone and Android devices.

S&T calls the phishing protection “an important new and first-of-its-kind feature for mobile devices” aimed at preventing the theft of user credentials or delivery of malware through bogus links. While emails have been the primary attack vector for phishing scams, the prevalence of such scams is growing in both mobile applications and SMS text messages.

“Beyond simply detecting phishing attempts in SMS messages, the system also detects and prevents attacks that hide inside mobile apps, social media messages, and in personal and corporate email,” S&T said in a statement today. It added that the platform inspects connections at the network level, but doesn’t inspect message content, preserving end-user privacy.

The Federal government has certainly had its fair share of trials attempting to educate employees on the dangers of phishing scams, and results have been mixed. More and more devices are connecting to Federal networks, leading to programs like DHS’ Continuous Diagnostics and Mitigation Program seeking to monitor growing network traffic.

But more devices mean a larger attack surface, and more potential entry points that bad actors can use to target Federal networks. A white paper released by Lookout in April found that the rate at which people fall for phishing attacks on mobile phones has increased 85 percent every year since 2011.

“Simply managing a mobile device is not enough to protect sensitive government information,” said S&T Mobile Security Research and Development Program Manager Vincent Sritapan. “The device also must have mobile endpoint security that alerts IT and security personnel to potential attacks. Without proper mobile security, agencies cannot adequately protect against data compromises.”

In May, the National Institute of Standards and Technology issued a bulletin that suggested email was becoming “a more difficult medium for malicious entities to use as a penetration vector” and suggested that social media and web applications could be the next frontier for attacks. Lookout’s new platform appears to be a step toward curbing that potential new exploit trend.

On the email front, it seems DHS is leading the charge to good effect. In October of last year, it issued a binding operational directive that required government agencies to adopt Domain-based Message Authentication, Reporting, and Conformance (DMARC), a protocol that combats phishing by authenticating the identity of an email’s sender.

Recent research reveals that the Federal government leads other sectors in adopting this vital email safety tool, and a DHS official last month said that the agency is influencing the broader technology ecosystem to adopt better cybersecurity through tools like DMARC.

Verizon’s annual Data Breach Investigations Report found that 93 percent of the incidents it investigated involved financial pretexting and phishing, and organizations are nearly three times more likely to get breached by social attacks than via actual network vulnerabilities. As phishing attacks travel from traditional email to other platforms like mobile, DHS appears ready to invest in new technologies to meet the threat at its new destination.
