By Hossain Shahriar, Tulin Klintic and Victor Clincy
Kennesaw State University, Marietta, Georgia, USA
Mobile phishing is an emerging threat in today's connected world. In a mobile phishing attack, an attacker usually sends an SMS message containing links to phishing web pages or applications which, if visited, ask for credential information. Attacks can also be initiated via email messages loaded in the browser of mobile devices.
Mobile Phishing Attack Techniques
1. Small Screen and Partial Display of URLs
Mobile devices and smart phones mostly have a small screen. Those small screens make it harder to see the full URL when users click on links. Also, companies keep their mobile web sites simple in order to use the small screen more efficiently. Moreover, some of them cannot even display their own logo due to the limited screen size. Therefore, many users are not aware that they are not at an official web site while browsing the Internet.
When a fake site URL and a legitimate site URL are compared, the differences in the URL can be hidden due to the small size of the screen and URL bar. Figure 1 shows a sample fake PayPal page (left) and its URL address compared to the legitimate one (right). While the legitimate address uses the secure protocol, HTTPS, the fake site does not. In addition, the fake page's URL has some additional text which may not be visible at all to users in some browsers. Besides the URL address, the fake site does not display the original PayPal logo; instead, it draws the user's attention to other images to trick them.
Figure 1. Fake PayPal web page and URL (left) vs. real PayPal web page and URL (right).
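The following added example (not from the paper) makes the Figure 1 comparison concrete: it simulates a URL bar of a fixed width, so only the first characters of a link are visible, and checks the two things the text points out, the scheme (HTTPS or not) and whether the registrable domain is really the brand's. The URLs are constructed for illustration, and `registrable_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample addresses for illustration only; they are not the URLs shown in Figure 1.
LEGIT_URL = "https://www.paypal.com/signin"
FAKE_URL = "http://www.paypal.com.account-verify.example/webapps/signin?country=US"


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplified; production code should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mobile_bar_view(url: str, width: int = 40) -> str:
    """Return what a URL bar only `width` characters wide shows: the start of the URL, then an ellipsis."""
    return url if len(url) <= width else url[: width - 1] + "\u2026"


def assess_url(url: str, expected_domain: str, width: int = 40) -> dict:
    """Compare the part of a URL a user actually sees with where the link really goes."""
    raw = url
    if "://" not in url:
        url = "http://" + url  # a bare link in an SMS or email opens over plain HTTP
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("no HTTPS")
    if reg != expected_domain:
        findings.append(f"registrable domain is {reg}, not {expected_domain}")
        if expected_domain in host:
            findings.append("brand name appears only as a subdomain label")
    if parts.username is not None:
        findings.append("text before '@' pushes the real host out of view")
    hidden = max(0, len(raw) - width)
    if hidden:
        findings.append(f"{hidden} characters fall outside a {width}-character URL bar")
    return {
        "visible": mobile_bar_view(raw, width),
        "scheme": parts.scheme,
        "registrable_domain": reg,
        "findings": findings,
        # only the scheme and the real domain decide; truncation alone is not proof of phishing
        "suspicious": parts.scheme != "https" or reg != expected_domain,
    }


if __name__ == "__main__":
    for u in (LEGIT_URL, FAKE_URL):
        r = assess_url(u, "paypal.com")
        print(r["visible"], "->", "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

On the constructed fake URL the visible portion still begins with the brand's domain, which is exactly what a narrow URL bar lets an attacker exploit.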
2. Accessibility to App Store
Another channel to reach end users is via application stores; this is called application phishing. The Android 09Droid phishing application is one good example, which was intended to gather users' banking credentials [8]. It has been reported that the 09Droid phishing application was delivered to potential victims through the Android market app store, where most of the other apps are legitimate. Figure 2 shows a snapshot of a set of fake mobile banking applications uploaded to the Android marketplace (the picture was taken from a mobile device) with pricing information. Note that the targeted companies are mostly from North America, yet the pricing was in GBP, leaving the prospective North American customers in the dark.
Figure 2. Screenshot of 09Droid banking applications with price information uploaded to the Android App market.
It is unknown what the application performed behind the scenes. However, it opens a login web page, so it is likely that the application's goal was to steal user credentials. Banking apps developed by 09Droid have since been pulled from the Android market. The targeted companies include SunTrust, Chase, Wachovia, Bank of America, and Wells Fargo.
Phishing attacks also apply to Apple apps that run on the iPad, which may have a larger screen size. Marble Security implemented a fake iTunes app to show how phishing works on an iOS iPad. First, a phishing email is sent to users informing them that they need to install a "mandatory" SpamArrest page and enter their university credentials (see Figure 3 for an example of the email).
Figure 3. Screenshot of a phishing email targeting university employees.
Once the user follows the instructions, believing them to be legitimate, the application sets up a new user profile. iOS allows applications to create unsigned and unverified profiles (as shown in Figure 4).
Figure 4. Screenshot of iOS allowing unsigned and unverified profile.
Then, the user enters the device passcode if one has been set earlier. The last step is to delete the original iTunes app and install the new fake one (see Figure 5). At this point, the fake iTunes app can easily be used to steal login credentials for the iTunes store.
Figure 5. Original iTunes app removed and fake iTunes app installed.
3. Smishing
Another popular phishing method uses SMS messages; this method is called "smishing". It works the same way as phishing, but instead of an email, the victim receives a text message that asks for banking credentials or invites them to claim a prize.
Once a user receives a smishing message from a phone number, it is recommended to inform the cell phone carrier. If the number presents as 5000, it means the message has been sent from an email rather than a cell phone. Figure 6 shows a snapshot of a smishing attack where a spoofed link is provided as part of the SMS, together with an alluring message to the potential victim (winning a lottery).
Figure 6. Screenshot of smishing.
4. Wi-Fi and Vishing
Wi-Fi phishing occurs when a user connects to the Internet via Wi-Fi hot-spots. An evil twin is an example where attackers set up their own Wi-Fi access point next to a legitimate Wi-Fi hot-spot, such as at a Starbucks, in order to eavesdrop on wireless communications.
Vishing, or voice mail phishing, is a phishing attack on mobile devices that uses Bluetooth phishing or Voice over IP phishing to reach users' identification or financial information. Other vishing schemes may play a message about a local or regional bank in the area by recording the greeting message of a real bank. Scammers then greet victims and lure them into providing their online banking credentials.
Publication Details
This article is an excerpt from a technical paper, titled "Mobile Phishing Attacks and Mitigation Techniques", published in Journal of Information Security Vol. 06 No. 03 (2015), Article ID: 57634, 6 pages, DOI 10.4236/jis.2015.63021.
Copyright © 2015 by the authors and Scientific Research Publishing Inc.
This work is licensed under the Creative Commons Attribution International License (CC BY).