In a report published in 2011, IBM revealed that mobile users are three times more likely to fall for phishing scams compared to desktop users. This claim was based on accessed log files found on Web servers used to host websites involved in phishing campaigns.
Almost a decade later, we continue to see different organizations reporting an increased trend in phishing attacks targeting the mobile market. Surprisingly, phishers seem to have tipped the scales to a new preferred target: iPhone users. Wandera, a mobile security solutions provider, has observed that iOS users experience twice as many phishing attacks compared to their Android counterparts.
Mobile phishing by the numbers
Below is a quick rundown of current noteworthy mobile phishing statistics to date:
In the latest “Phishing Activity Trend Report”(PDF), the Anti-Phishing Working Group (APWG) has revealed that the Payments industry continues to rank as the top targeted sector by phishing threat actors (36%) in Q1 2018.
This same APWG report also claims that 35% of all phishing sites were using HTTPS and SSL certificates.With Google now labeling non-HTTPS website as “Non-Secure,” expect to see more phishers abuse the accepted concept that HTTPS sites are trustworthy and legitimate.
In their report, “2018 State of Phish”, Wombat Security hailed smishing, short for SMS phishing, as the attack vector to watch. This is due to its increased media reporting in 2017, which they believe will continue to trend, especially in countries with low awareness of mobile phishing.
PhishLabs stated in its “2018 Phishing Trends & Intelligence Report”(PDF) that Email/Online Services is the top targeted industry in the second half of 2017 (26.1%), with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages. This suggests that there is an increasing trend of phishing campaigns targeting businesses.
This same PhishLabs report has also noted a dramatic increase of phishing campaigns banking on the trust of users towards software-as-a-service (SaaS) companies (7.1%). Such attacks are said to be non-existent before 2015 but have more than doubled in two succeeding years.
Phishing attacks are no longer exclusive to emails, especially on mobile. A mobile device’s inherent design and features have made it possible for phishers to create ways on how they can get into users’ heads and get their hands on vital personal and business data.
While many users are quite familiar with what phishing looks like on the desktop, these same users are not as familiar with smishing or vishing—and other types of phish one might encounter on the mobile—as they are with email phishing.
SMiShing
SMiShing is phishing done through SMS. Android expert and Senior Analyst Nathan Collier has written about a smishing message a colleague received on their Android device that purportedly originating from a human resources company, promoting an open albeit fake position of Prime Agent for Amazon.
iOS users also have their share of spotted smishing campaigns. Below is a smishing message posted publicly on Reddit as a warning to other iPhone users:
Screenshot of an iOS SMS phishing message. Courtesy of Redditor u/jamesmt87.
Your Apple ID has been disabled until we hear from you , Prevent this by confirming your informations at {bit.ly URL} Apple inc“>
Vishing
Vishing, or voice-mail phishing (at times, it also stands for VoIP phishing), is phishing done with the use of a device’s call feature. An attempt can be considered vishing if the potential phisher (1) leaves a recorded message to the target that something is wrong, (2) leaves a number that the target can use to call back, or (3) cold calls the target. Point two is precisely the tactic used by an iOS phishing scam that Ars Technica Editor Sean Gallagher revealed in a July 2018 post. According to Gallagher, an email directs users to a fake Apple website, which pops up a dialog box to start a call to a purported agent that goes by “Lance Roger at AppleCare.” AppleCare is Apple’s extended warranty service.A vishing pop-up dialog box. Courtesy of Ars Technica.
In Android’s corner, we have the latest variant of Fakebank, a mobile Trojan that is capable of intercepting bank SMS and inbound and outgoing calls. A user, for example, making a call to a legitimate bank gets redirected to scammers who are posing as agents working for the bank. Security researchers have spotted this variant in affected apps geared towards Korean bank clients.
Other types: messenger phishing, social phishing, and ad-network phishing
Apps continue to shape a user’s mobile experience for the better. Without them, one may likely just consider their phones as a pricey paperweight.
These brilliant little programs have made it possible for users to both access their personal and work emails while away from a desktop computer, keep in touch with family and friends via messaging platforms while on the go, share and access media in real-time, and stave off boredom while waiting.
Phishers, unfortunately, have leveraged the power of apps to their advantage. And the internet is rife with stories of people who got (or nearly got) phished via mobile apps.
Take, for instance, the Facebook message that used Messenger as a launchpad to spread a purported “viral video” of the recipient complete with their picture and name, and a number indicating the view count.
Screenshot of a Facebook Messenger phish. Courtesy of Security For Real People.
Clicking this “video” sent mobile users to a fake Facebook Videos login screen, wherein they were then encouraged to key in their Facebook credentials. Doing so sent a similar video bait to contacts, not to mention scammers hijacking the accounts of those who fell for this trick.
This is a case of messenger phishing. It is a type of phishing attempt that uses messaging services on mobile devices. Examples of these services are WhatsApp, Instagram, Viber, Skype, Snapchat, and Slack.
Then there’s social phishing, which is an attempt that abuses social networking sites to spread a phishing campaign. Below is a capture of a phishing message sent to a recipient via LinkedIn’s InMail feature:
Screenshot of a LinkedIn InMail phish. Courtesy of KnowBe4.
Here’s another case of social phishing: A Twitter account posing as NatWest bank inserted itself into a live conversation between a NatWest bank client and NatWest’s official Twitter channel in an attempt to present a bogus quick fix to the current concern the real bank was attempting to address.
Malwarebytes has caught a fake NatWest Twitter account red-handed.
Finally, ad-network phishing. On mobile, ads can come in many forms: They can be in free apps, on web pages the user visits, and as a pop-up notification or banner. Because apps communicate with other services (like an ad network) at the background, they can potentially expose mobile users to risks like a phishing campaign (at best) or malware (at worst).
We’d be remiss if we don’t mention phishing apps. These are fake apps that bank on the names of popular online brands, usually promising one or more perks if downloaded and installed. Such is the case of multiple fake Instagram apps that were pulled from the Google Play store after being found to collect credentials. These apps have been downloaded 1.5 million times, and they promise to boost follower count, post likes, and comments.
Mobile phish spotting
Mobile phishing attempts are quite a challenge to detect, more so for the uninitiated and the unacquainted. Regardless of your level of know-how or your computing platform of choice, as a rule of thumb, it is always best to familiarize yourself with common phishing tactics and trends. We already have a great and very comprehensive list of red flags that can guide you in determining phishing attempts in general. However, mobile users can significantly benefit from our listing of tell-tale signs of potential mobile phishing attempts (below) just as well:
The message comes out of the blue, claiming that you either (1) won a prize, (2) have an account or subscribed service suddenly deactivated (often without disclosing a reason), or (3) there is a very urgent need for you to do something to address a problem. Such claims are tried-and-tested social engineering ploys that more often than not give the game away.When it comes to being truly notified for actual breaches and that steps must be taken to mitigate its effects, however, it is best for users to avoid clicking links in these notifications (which we agree is faster and more convenient) in favor of going directly to the legitimate domain (either by loading it from bookmark or manually typing in the address in the address bar) and logging in from there.
The message comes from an unknown number or sender. And if it claims to be from a service you actually use, be doubly cautious. As it’s near impossible to determine on mobile if the service provider is who they say they really are, you might be better off verifying any claims for yourself, just like in the above point, and checking for logged suspicious activities. If you’re still a bit bothered, contact your service provider’s customer support department.
The message comes with a bogus hyperlink, which may be obvious to some but not to others. It pays to be very familiar with URLs of official web addresses of services you use online. If you feel or think that something is off, even if you’re unsure what is triggering this, err on the side of caution and avoid clicking that link.
The message comes with a shortened URL. Shortening URLs is an excellent method to make effective use of space that has a limited character count. Unfortunately, this can be abused to mask potentially malicious URLs from being detected at first glance.
If the message or caller asks for personal information, if not more information, from you. A majority of legitimate and reputable businesses don’t call or send messages asking for sensitive information. In some cases, banks do call if they suspect potential fraud activity with your account. They do this to check that you are who you say you are. However, there are certain information they will never ask you to divulge, such as your account PIN or Social Security Number (SSN).
If the message or caller doesn’t address you by your name. Again, a majority of businesses know who their clients are and will always address you by your name.
If the URL you get directed to doesn’t have a green padlock. Yes, having HTTPS on a website is no longer a solid proof that one is not on a malicious page, but there are still a lot of phishing campaigns out there that forgo using HTTPS.
If the URL you get redirected to appears to be right, but also has unexplained dashes after it. Phishers are already using a technique called URL padding, wherein they pad the subdomain, which consists of a legitimate website address, with hyphens to hide the real domain and create believability.Screenshot of a fake Facebook login screen where phishers used URL padding. Courtesy of PhishLabs.
In this example, the complete URL is hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html, where
rickytaylk[dot]com
is the domain and m.facebook.com----------------validate----step1 is the long subdomain. Users would likely find it difficult to view the complete URL given the mobile’s small screen size, but what they can do is copy the URL and paste it on a notepad app. From there, users can scrutinize the URL more effectively.
A word on homograph attacks: Yes, they work on mobile devices, too. Fortunately, many of modern internet browsers are already programmed to display the Punycode version of domains that contain confusables (or non-English characters that visually appear similar to one or more English alphabets).
Users seeing a Punycode URL on their mobile browser could be alerted that they’re on a page they’re not supposed to be on. And this is a good thing. However, not all apps that accept and display text have considered the possibility of homograph attacks. According to Wandera’s research, many communications and collaboration tools used by employees on both Android and iOS don’t flag Punycode URLs as suspicious.
“Only Facebook Messenger, Instagram and Skype provided an opportunity for the user to identify the punycode URL by either showing a preview of the webpage with the xn prefix, or, in the case of skype, by not providing a hyperlink for domains using unicode, meaning users can’t click through from the message.” writes Liarna La Porta, Content Marketing Manager for Wandera, in a blog post. “While these apps are not providing the best methods of defense, they at least provide an opportunity to asses suspicious links more closely.”
Phish-proof no more?
In April of 2017, a Lithuanian man who posed as Quanta Computer, a Taiwanese electronics manufacturing company, successfully conned two big names in the tech industry, each paying him over $100M. These companies eventually got the bulk of their money back, but not after making headlines that made readers gasp. Who were these phishing victims? They’re Google and Facebook.
When it comes to a target’s low potentiality to fall for a phishing lure, it appears that tech savviness is slowly becoming a non-factor. It is challenging enough for desktop users to successfully determine a believable phish. With mobile devices, which already have a size limitation and more potential attack points, users are doubly challenged, especially if the adversary is motivated enough to steal the sensitive corporate data stored in them.
Indeed, phishing has branched beyond email. And using commodity-level phishing protection on mobile is inadequate in defending users from attacks. Being truly phish-proof (or akin to it) may require necessary adjustments on the side of both man and machine: improved security features on mobile devices and their apps, and knowing the red flags and what steps to take to adequately respond to a phishing attempt are key.
Recommended reading:
“Phishing attacks on modern Android” (direct PDF link here)
April 18, 2024 - The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.
