As customers, companies and the world at large go mobile, mobile threats are moving into the top tier of challenges enterprises face. Some of these threats are technical in nature. For instance, when a security researcher discovered a flaw in Verizon’s mobile email application, the company’s emergency response capabilities were put to the test and a security patch was issued within 48 hours.

However, mobile technology poses exceptional security challenges because mobile links are pervasive and mobile users are on the go, distracted and less likely to notice suspicious messages. This means mobile threats can be insidious and subtle, leveraging human factors to create vulnerabilities.

Another security researcher is arguing that AT&T is now facing such a challenge as scammers send customers fraudulent messages that cannot be readily detected. In this case, there is no purely technical fix, pointing to the need for security awareness in all aspects of mobile operations.

An Odd Bit of Code

As Charlie Osborne reports at ZDNet, mobile security researcher Randy Westergren Jr. was exploring the application programming interfaces (APIs) of his Verizon My FiOS mobile email account when he noticed a couple of snippets of code were using his account username.

Since he was already logged in, changing his username should have had no effect. However, Westergren said he could enter another username and gain full access to that user’s mailbox to both read and send emails. Because of the way APIs are used and reused by developers, Westergren further suspected all the carrier’s email applications could be vulnerable.

He got in touch with Verizon at once. Within 48 hours, the company developed a security patch, confirmed it with Westergren and released it across the company network. This rapid response closed one vulnerability door, but it underlines the mobile security risks that can arise from subtle flaws in application development.
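The class of flaw described above, an API that trusts a client-supplied username instead of the identity bound to the session, is shown here beside a corrected handler. This is an added example, not Verizon's code: the session store, mailbox data, function names and exception types are all hypothetical and constructed for illustration.

```python
# Added illustration; every name and value below is hypothetical sample data.
MAILBOXES = {
    "alice": ["Welcome, Alice"],
    "bob": ["Bob's bank statement"],
}
# Server-side session store: opaque token -> user who authenticated with it.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthenticated(Exception):
    """No valid session accompanies the request."""


class Forbidden(Exception):
    """The session is valid but is not allowed to touch the requested resource."""


def get_inbox_vulnerable(session_token, username):
    # Flawed pattern: the handler confirms that *a* session exists, then
    # selects the mailbox from a parameter the client controls.
    if session_token not in SESSIONS:
        raise Unauthenticated("no valid session")
    return MAILBOXES[username]


def get_inbox_hardened(session_token, username=None, audit=None):
    # The mailbox owner comes from the server-side session, never the request.
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Unauthenticated("no valid session")
    # A username that disagrees with the session is refused and recorded,
    # so cross-account attempts become a detection signal.
    if username is not None and username != owner:
        if audit is not None:
            audit.append((owner, username))
        raise Forbidden("username does not match session owner")
    return MAILBOXES[owner]


if __name__ == "__main__":
    print(get_inbox_vulnerable("tok-alice", "bob"))  # returns another user's mail
    log = []
    try:
        get_inbox_hardened("tok-alice", "bob", audit=log)
    except Forbidden as exc:
        print("refused:", exc, "| audit:", log)
```

The same ownership check belongs on every endpoint that reuses the shared API, including the send path, since the flaw allowed sending as well as reading.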

Exploiting the Human Factor

Meanwhile, according to The Hacker News, security researcher Dani Grant found vulnerabilities in AT&T’s mobile text messages to users. However, unlike the errant code in Verizon’s email APIs, these vulnerabilities cannot be resolved with a purely technical fix because they rely on misleading human users.

One of these vulnerabilities involves so-called “short codes,” or abbreviated phone numbers, whose legitimacy users cannot readily confirm. A related vulnerability involves links to websites with names such as “dl.mymobilelocate.com” that contain no clues associating them with AT&T. Because of this, users are inadvertently trained to be too trusting; they won’t suspect links that have no apparent connection to the company. Grant notes the same subtle flaw extends to the formatting of text messages, which are not consistent in capitalization and other formatting details. Again, the result is weaker user awareness of oddities that might tip them off to a fraudulent phishing message.

A Spectrum of Mobile Threats and Vulnerabilities

Correcting these particular mobile threats is not a matter of issuing a code patch, but rather of updating policies regarding aspects such as website names and text formatting. This cannot be done overnight, and doing it effectively will require mobile security awareness among technical specialists, marketers and others who shape messages to the public.

As mobile links become even more pervasive, the scope of mobile threats will only grow. Enterprises must be aggressive when testing and analyzing code, responding to detected vulnerabilities and training everyone involved in mobile data links to have security awareness.
