Symantec Mobile Threat Defense: Prevent Mobile Phishing with Advanced URL Reputation

Update: August 28, 2019

This blog has been updated to reflect SEP Mobile’s availability on Android of a feature that that allows mobile users to share a URL with WebPulse directly through SEP Mobile and get reputation information in real-time.

The evolving use of the Internet over the last few decades has brought with it immense opportunity to improve the way organizations communicate, work and access information. But with opportunity also comes risk: malicious actors are increasingly transmitting sophisticated malware, fraudulent content, and other security hazards across web-based links and apps, with user data and privacy hanging in the balance.

The risk to enterprise is compounded by the upsurge in mobile usage. Employees are increasingly demanding the ability to work from anywhere and on their preferred devices, with corporate resources being accessed more and more outside of the corporate firewall. This opens organizations up to additional attack vectors over which they may have little visibility or control, such as risky or malicious content accessed by employees on their mobile devices. As Verizon’s 2019 Mobile Security Index points out, employees are more likely to click on a phishing link on their mobile device than on a traditional endpoint. They readily grant apps excessive permissions that can be exploited, or they install apps from pirate app stores which can contain malicious code. They even access inappropriate, and sometimes unsafe, content such as adult, illegal, or gambling sites on their mobile devices.

With the sheer number of websites and apps available today, how can organizations and their mobile users navigate the murky waters of what is safe and what is not? Solutions exist that apply standard web security and URL filtering to mobile to protect against risky content threats, but these solutions are fraught with inaccuracies and false positives. The answer to addressing these risks lies in web intelligence – the deepest and most robust web threat intelligence in the world. In fact, any organization that cares about protection from mobile phishing and malicious apps must ask itself: do we have the best intelligence to combat these threats?

Powerful URL reputation for mobile

For the most effective protection against mobile threats, enterprises need intelligence based on the wisdom of the crowd and powerful web security technology. Symantec’s Modern OS Security team offers this by integrating Symantec Endpoint Protection Mobile (SEP Mobile), our enterprise mobile security solution, with Symantec’s WebPulse infrastructure, which provides unparalleled web threat intelligence.

Containing over a decade of data – longer than any other cloud security solution – WebPulse draws on the experience of real users who, together, access tens of millions of websites daily. Crowd-sourced intelligence comes directly from WebPulse’s integration with security products across Symantec’s entire portfolio, including its endpoint, email, web and mobile security solutions. These products generate 8 billion web requests every day, enabling WebPulse’s systems to more accurately identify traffic patterns and rate URLs.

The WebPulse framework also leverages inputs from the Symantec Global Intelligence Network (GIN) – the world’s largest civilian threat intelligence database – to deliver the fastest and most accurate website categorization and risk assessment in the market. The GIN is fed by threat information from more than 175 million Symantec Endpoint Protection users and 3000 threat researchers and engineers.

WebPulse’s analysis of URL requests is performed in real-time and users receive feedback in milliseconds. URL category information is used to allow or block a request and can be utilized by organizations to create granular polices for web access.

SEP Mobile extends the power of WebPulse’s URL reputation to modern endpoints, ensuring they receive the same level of protection as traditional endpoints. Employees can safely access the web and apps on their mobile devices, without having to worry about false positives and productivity or latency issues, and organizations reduce the risk that devices will bring malware into the corporate network.

Use Cases

Organizations can leverage SEP Mobile’s integration with WebPulse to protect against various mobile threats, such as:

SMS phishing: SEP Mobile analyzes URLs in incoming SMS messages and uses WebPulse to receive a classification and risk score in real-time. If a link is determined to be malicious, the message is automatically placed in the “SMS junk” tab on iOS devices, so SMS phishing messages are blocked even before an end-user engages with them. On Android, users will be alerted to the risk, enabling them to delete the message from their device.

In addition to using WebPulse to determine the reputation of URLs sent in SMS messages, SEP Mobile can provide another layer of protection through text analysis. Using machine learning, we built a model that can quickly identify suspicious words and patterns in messages, helping us better understand the context and intent of the sender. By looking at both URL reputation and the contextual information of the message, we increase the accuracy of identifying SMS phishing, thereby reducing false positives and negatives.

Risky or unwanted web content: SEP Mobile uses client-side or server-side web filtering to block malicious or unwanted content on mobile devices. When server-side VPN tunneling is enabled, once a mobile user taps on a link, SEP Mobile tunnels the device traffic through Symantec’s Web Security Service which inspects the traffic, detects any malicious code, and governs web access according to the organization’s security policy. The gateway compares a URL request against WebPulse’s URL reputation engine and warns end users in real time if the link is risky before they can proceed.

Alternatively, organizations can use SEP Mobile’s on-device inspection to filter URLs, domains, and IPs end users are attempting to access. This approach does not require a VPN tunnel. Content classified by an organization’s policy as malicious, phishing, illegal, extreme, scam or any other unapproved categories is blocked.

Risky or unwanted apps: SEP Mobile’s app analysis engine performs various types of analysis, including static, dynamic, and crowd-wisdom, to expose malicious or undesired behavior in apps. All the URLs that an app communicates with are sent to WebPulse which inspects them and provides insight about their reputation, for example if they are associated with malicious sites, botnet servers, and specific countries. SEP Mobile leverages this information to determine URL classification and risk rating. An organization can define an unwanted app policy based on these insights.

The below shows SEP Mobile’s analysis of a Pokemon Go repackaged app found to be communicating with malicious URLs. The details include the risk rating of the URLs, the countries they are associated with, and whether the communication is encrypted.

SEP Mobile customers benefit from the above protection actions immediately and seamlessly, and protections are constantly evolving.  On Android, customers can also share a URL with WebPulse directly through the SEP Mobile app and get reputation information in real-time. Any text, from any source (email, SMS, browser, etc.) can be shared, and if it contains a URL, the SEP Mobile app will find it and analyze it using WebPulse. End users will receive the result in real-time so they know whether to go into the link or not. This feature will soon be available for iOS as well. 

Staying one step ahead of mobile threats

SEP Mobile with WebPulse delivers advanced protection against mobile phishing and other risks across the mobile threat landscape. Leveraging WebPulse, we provide organizations built-in web threat intelligence based on vast telemetry amassed from millions of traditional and modern endpoints protected by Symantec web security products. It’s like going after a global criminal by relying on the local police force vs. a multi-national law enforcement body with massive robust intelligence. Which one would you choose?