By Hossain Shahriar, Tulin Klintic and Victor Clincy
Kennesaw State University, Marietta, Georgia, USA
Mobile phishing is an emerging threat in today's connected world. In a mobile phishing attack, an attacker usually sends an SMS message containing links to phishing web pages or applications which, if visited, ask for credential information. Attacks can also be initiated via email messages opened in the browser of a mobile device.
Mobile Phishing Attack Techniques
1. Small Screen and Partial Display of URLs
Mobile devices and smartphones mostly have small screens, which make it hard to see the full URL after a user taps a link. Companies also keep their mobile web sites simple so that the small screen is used efficiently; some cannot even fit their own logo. As a result, many users do not notice when the page they are browsing is not the official web site.
When the URL of a fake site is compared with that of the legitimate one, the differences can be hidden by the small screen and the narrow URL bar. Figure 1 shows a sample fake PayPal page and its URL (left) next to the legitimate page and URL (right). The legitimate address uses HTTPS; the fake site does not. The fake URL also carries additional text which, in some mobile browsers, is truncated out of the address bar and never seen by the user. Besides the URL, the fake site does not display the original PayPal logo and instead draws the user's attention to other images. Note that the missing HTTPS padlock is only one signal: a phishing site can obtain a certificate for its own look-alike domain, so the domain name itself, not merely the presence of HTTPS, has to be checked.
Figure 1. Fake PayPal web page and URL (left) vs. real PayPal web page and URL (right).
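The checks a user on a small screen cannot make by eye can be made programmatically. The following Python script is an added example, not code from the paper or from PayPal: it splits a URL into scheme, host and registrable domain and reports why the URL should not be trusted for a given brand. The sample URLs, the attacker hostnames and the 30-character "visible" width are constructed for illustration, and the registrable-domain logic is a deliberate simplification (it assumes single-label public suffixes).

```python
"""Pull out of a URL the parts a small-screen address bar hides: the scheme,
the host and the registrable domain, then compare them with a brand's real domain."""
import re
from urllib.parse import urlsplit

# Digit-for-letter and letter-pair swaps commonly used in look-alike hostnames.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. paypal.com for
    www.paypal.com). Simplification: every public suffix is assumed to be a
    single label, so a two-label suffix such as co.uk is not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(name):
    """Undo the common substitutions so that paypa1.com compares equal to paypal.com."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def inspect_url(url, brand_domain, visible_chars=30):
    """Return the reasons a URL should not be trusted as a page of brand_domain.

    An empty list means the URL is served over HTTPS from the brand's own
    registrable domain. visible_chars approximates how much of the hostname a
    narrow mobile address bar shows before truncating it (assumed value).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand_domain.split(".")[0]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if IPV4_RE.match(host):
        reasons.append("host is an IP address")
        return reasons
    reg = registrable_domain(host)
    if reg != brand_domain:
        if brand in host:
            # "www.paypal.com" sits inside a subdomain the attacker controls;
            # the real owner of the page is whoever registered `reg`.
            reasons.append(f"brand name in hostname but registered domain is {reg}")
        elif normalise(reg) == normalise(brand_domain):
            reasons.append(f"look-alike domain {reg}")
        else:
            reasons.append(f"unrelated domain {reg}")
    if len(host) > visible_chars:
        reasons.append(f"hostname longer than {visible_chars} characters; "
                       "a narrow address bar will cut off the end")
    return reasons


# Constructed sample set: one legitimate PayPal URL and four made-up phishing
# URLs of the kinds the text describes. The attacker hostnames are illustrative.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com.account-verify.example/signin",
    "http://paypal.com-secure-login.example/cgi-bin/webscr",
    "https://paypa1.com/signin",
    "http://203.0.113.5/paypal/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        findings = inspect_url(url, "paypal.com")
        print(f"{'OK   ' if not findings else 'PHISH'} {url}")
        for reason in findings:
            print(f"        - {reason}")
```

The second and third sample URLs show the trick the figure illustrates: the genuine-looking "paypal.com" is the leftmost, most visible part of the host, while the part that actually decides who owns the page is pushed to the right, where a narrow address bar cuts it off.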
2. Accessibility to App Store
Another channel for reaching end users is the application store; this is called application phishing. The Android 09Droid phishing application is a good example: it was intended to gather users' banking credentials. It has been reported that the 09Droid applications were offered to potential victims through the Android Market app store, where most of the other apps are legitimate. Figure 2 shows a snapshot of a set of fake mobile banking applications uploaded to the Android Market (the picture was taken from a mobile device) with pricing information. Note that the targeted companies are mostly from North America while the prices are in GBP, a mismatch that should itself have raised suspicion among the prospective North American customers.
Figure 2. Screenshot of 09Droid banking applications with price information uploaded to the Android Market.
What the application did behind the scenes is unknown, beyond that it opened a login web page; the likely goal was to steal user credentials. The banking apps developed by 09Droid have since been removed from the Android Market. The targeted companies included SunTrust, Chase, Wachovia, Bank of America, and Wells Fargo.
Phishing attacks also apply to Apple devices such as the iPad, despite its larger screen. Marble Security built a fake iTunes app to show how phishing works on an iOS iPad. First, a phishing email is sent to users telling them that they must install a "mandatory" SpamArrest page and enter their university credentials (see Figure 3 for an example of the email).
Figure 3. Screenshot of a phishing email targeting university employees.
Once the user follows the instructions, believing them to be legitimate, the page installs a new profile on the device. iOS allows unsigned and unverified profiles to be installed (as shown in Figure 4).
Figure 4. Screenshot of iOS allowing unsigned and unverified profile.
The user is then prompted for the device passcode, if one has been set. The last step removes the original iTunes app and installs the fake one in its place (see Figure 5). At this point the fake iTunes app can easily be used to steal the user's iTunes Store login credentials.
Figure 5. Original iTunes app removed and fake iTunes app installed.
3. Smishing
Another popular phishing method uses SMS messages and is called "smishing". It works the same way as phishing, but instead of an email the victim receives a text message asking for banking credentials or inviting them to claim a prize.
A user who receives a smishing message from a phone number should report it to the cell phone carrier. If the sender is shown as 5000, the message was sent from an email address rather than from a cell phone. Figure 6 shows a snapshot of a smishing attack in which a spoofed link is delivered in an SMS together with an alluring message (winning a lottery).
Figure 6. Screenshot of smishing.
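The signals described above (a sender of 5000, a link, and prize or account-problem wording) can be turned into a simple triage rule. The following Python script is an added example, not code from the paper or from any carrier: it classifies the sender field, extracts any link from the body and looks for lure vocabulary, then assigns a verdict. The sample messages, sender IDs and domains are constructed; the rule that a sender of 5000 means an email gateway is taken from the text above and is not a universal carrier convention.

```python
"""Triage incoming SMS the way a carrier abuse desk or a mobile security app
might: classify the sender, look for a link and for the lure wording the text
describes (prizes, lotteries, account problems)."""
import re

# Links in either explicit (http://...) or bare (www.example/...) form.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Lure vocabulary; matched on word boundaries so "won" does not hit "wonderful".
LURE_WORDS = ("won", "prize", "lottery", "claim", "suspended", "verify", "urgent")


def sender_kind(sender):
    """Classify the sender field of an SMS.

    The article states that a sender displayed as 5000 means the message came
    through an email-to-SMS gateway rather than from a handset; that rule is
    applied here as given, not as a general carrier convention.
    """
    s = sender.strip()
    if s == "5000":
        return "email gateway"
    if re.fullmatch(r"\+?\d{10,15}", s):
        return "phone number"
    if re.fullmatch(r"\d{4,6}", s):
        return "short code"
    return "alphanumeric sender ID"


def triage_sms(sender, body):
    """Return (verdict, reasons) for one message.

    verdict is "likely smishing" when a link and lure wording appear together,
    "suspicious" when only one signal (or a gateway / alphanumeric sender) is
    present, and "ok" otherwise.
    """
    reasons = []
    kind = sender_kind(sender)
    if kind == "email gateway":
        reasons.append("sender 5000: sent from an email address, not a phone")
    elif kind == "alphanumeric sender ID":
        reasons.append(f"alphanumeric sender ID '{sender}' is chosen by the sender and easy to spoof")
    urls = URL_RE.findall(body)
    if urls:
        reasons.append("contains link: " + urls[0])
    hits = [w for w in LURE_WORDS if re.search(rf"\b{w}\b", body, re.I)]
    if hits:
        reasons.append("lure words: " + ", ".join(hits))
    if urls and hits:
        verdict = "likely smishing"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return verdict, reasons


# Constructed sample messages (senders and domains are made up).
SAMPLE_SMS = [
    ("5000", "Congratulations! You have won the National Lottery. "
             "Claim your prize at http://lottery-claims.example/win"),
    ("BankAlert", "Your account has been suspended. Verify now at "
                  "www.secure-bank-login.example/verify"),
    ("+14045550123", "Running late, see you at 6"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_SMS:
        verdict, reasons = triage_sms(sender, body)
        print(f"{verdict:16} from {sender}: {body[:50]}")
        for reason in reasons:
            print(f"    - {reason}")
```

The verdict deliberately requires two independent signals (a link plus lure wording) before calling a message smishing; a lone link from a friend or a lone "urgent" from a colleague is only flagged as suspicious, which keeps the false-positive rate tolerable for a rule this simple.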
4. Wi-Fi and Vishing
Wi-Fi phishing occurs when a user connects to the Internet through a Wi-Fi hot-spot. The evil twin attack is an example: where a legitimate hot-spot exists, such as at a Starbucks, the attacker sets up a rogue access point of their own and eavesdrops on the wireless communications of users who connect to it.
Vishing, or voice phishing, carries the attack over voice channels on mobile devices, such as Bluetooth or Voice over IP, to obtain users' identification or financial information. Some vishing schemes record the greeting message of a real local or regional bank and play it back to victims; the scammers then greet the victims and lure them into providing their online banking credentials.
This article is an excerpt from a technical paper titled "Mobile Phishing Attacks and Mitigation Techniques", published in Journal of Information Security, Vol. 6, No. 3 (2015), Article ID 57634, 6 pages, DOI 10.4236/jis.2015.63021.
Copyright © 2015 by authors and Scientific Research Publishing Inc.
This work is licensed under the Creative Commons Attribution International License (CC BY).