Author: Sohail Najar
No other technology has affected us like the mobile phone. The fastest-growing man-made phenomenon ever, it went from zero to 7.2 billion devices in three decades. Today there are more mobile phones than people, and the number of phones is growing almost five times faster than the world's population. These figures alone show how pervasive mobile phones have become. That rapid growth has also made them a target: every year new classes of vulnerabilities are added, and more than 90% of attacks are reported to begin with phishing. This article looks at how you can protect yourself, and others, from that epidemic.
Phishing through a mobile phone is comparatively easy, and has a higher success rate at stealing information than phishing through computers, laptops or other devices, for the following reasons:
- Usability: We use our phones all day, every day. Statistics show that time spent on smartphones has grown to more than 30 hours per month. The more someone uses their phone, the more opportunities there are to hand private information to an attacker.
- Screen size: A small screen makes it harder for the user to tell a phishing site from the genuine one. Apps are deliberately kept simple so they work across many screen sizes, and that simplicity also makes them easy for an attacker to replicate.
- Security indicators: Very few indicators exist on a phone that let a user judge how secure or authentic an application is.
- Behavioral: We are used to typing our passwords into familiar, repeated settings, so a prompt that merely looks familiar is likely to succeed.
- Inadequate identity indicators: Apps offer very few identity indicators, and even fewer people check them, so a user cannot reliably distinguish an app from a legitimate source from one that is not.
Nobody wants to hand information to strangers who can misuse it, least of all sensitive information such as credit or debit card details and personal data. But before looking at what you can do to avoid accidentally supplying it, you need to understand the ways in which you can be attacked. No attack is possible without a data transfer medium, and today's phones use a wide range of them, from short-range media (infrared, NFC, Bluetooth, S Beam and the like) to longer-range ones (Wi-Fi, 3G, 4G and so on). Let us look at how an attacker can exploit each of these.
- Wi-Fi phishing attack: Wi-Fi has become one of the necessities of daily life. Whether at the office, your favorite café or home, the need to stay connected is at an all-time high, which makes Wi-Fi a hotspot for attackers too. Setting up a fake access point (AP) is easy, because a user has no way to validate the authenticity of the AP they are joining. An attacker can therefore stand up an AP with an SSID that looks legitimate, for example near a Starbucks with a look-alike name such as "Starbucks Wi-Fi". Once the victim is connected to the fake AP, the attacker controls the network path and can redirect the user to fraudulent sites, or through a proxy, that appear to be the legitimate websites.
- Bluetooth phishing attack: Bluetooth is a wireless standard for exchanging data over short distances. Flawed or misconfigured Bluetooth implementations on some phones have allowed a remote device to connect without the owner's permission. Once an attacker has that access, he can reach your files, call logs and phonebook, and use your internet connection. It does not end there: he can alter a stored contact number, send you a phishing message, or trick you into downloading malware that you believe is a genuine application. Once you are in his trap, you are likely to reveal your secrets to him believing he is who he claims to be.
- SMS phishing, or SMShing: This uses text messages to deliver the bait that induces people to divulge personal information. Such texts are often sent through email-to-SMS or bulk SMS gateways, which makes them hard to trace. If the sender appears as a short code or an alphanumeric ID such as "516000" or "DM-YATR" rather than an ordinary phone number, the message came through such a gateway. Legitimate bulk senders use the same gateways, so the sender ID alone proves nothing either way; treat it as a reason to check the content and any link more carefully, not as proof of authenticity.
- Voice phishing, or vishing: Here attackers use the telephone system to impersonate a legitimate company and talk the victim out of personal information. Some use Voice over IP (VoIP) features such as caller ID spoofing to present any number they like, so to the victim the call appears to come from the legitimate source. Such calls are also hard for the authorities to monitor or trace, which makes this form of phishing especially dangerous.
- Mobile web application phishing attack: On average a smartphone user runs more than 24 apps a month, which gives an attacker 24 places per user to strike. Because of the small screen, most apps have simple designs that are easy to replicate. There are typically four paths by which you can be steered to a phishing page or app:
- App -> App: The user is sent from a legitimate application into a phishing application. Because the hand-off came from an app they trust, the user is not suspicious and reveals their data.
- App -> Web: The user is sent from a legitimate application to a website. On a small screen the user rarely verifies the site's address or certificate. So the next time your Facebook or Twitter app opens a website, think before entering any information.
- Web -> App: The user is sent from the web browser into a phishing app that looks like the legitimate one. With no security indicator to distinguish the real app from the fake, the user ends up revealing their information. So the next time your browser hands you off to your Facebook app, check that it really opened the legitimate Facebook and not an impostor.
- Web -> Web: The user is sent from a legitimate website to a phishing website. This is the most common path, since the same attack works against desktop users as well.
- Other probable phishing vectors: Newer data transfer media such as S Beam and NFC could be exploited in the near future. No such attacks have been observed yet, but one should expect them to use mechanisms similar to those described above.
This is only a broad classification of how phishing can reach your mobile device. In effect, a thief is sitting in your pocket waiting for you to make one mistake. So what can you do to avoid these traps? Suspicion is the key to prevention; here is where to direct it.
- Check before connecting: Always make sure you are joining the right, legitimate Wi-Fi access point or pairing with the right Bluetooth device before you connect.
- Secure connection: Look at how the site is served. If the address looks right but the page is not loaded over https, do not enter credentials; a legitimate login page will not be served in plain http. Note that the reverse does not hold: phishing sites can and do obtain certificates, so https on its own is not proof of legitimacy.
- Check sender: Compare the sender's address with the address that usually appears when you receive mail from that person or organization. If it differs, the message is probably a fake.
- Check URL: Watch for spelling mistakes and other telltale signs of a scam. If you are reading an email supposedly from Facebook, hover over (or long-press) the link you are asked to follow and look at the host it actually points to. It must be facebook.com or a subdomain of it, such as www.facebook.com; the brand name appearing somewhere in the URL is not enough, since www.facebook.com.example.net and similar look-alikes are under the attacker's control.
- Check redirection: If opening the message takes you to a new page, check that page's URL. If it is not where you expected to end up, leave immediately.
- Make a whitelist: Keep a list of trusted vendors (a whitelist) and install applications, download content and retrieve information only from them. Should a phishing attempt arrive from outside that list, it is easy to detect and report.
- Use application identity indicators: A user cannot reliably tell which website is loaded in the browser or which application is running in the foreground, and websites and applications can be replicated with a high degree of accuracy. Dedicating a small, trusted portion of the screen to showing the current application's identity helps close that gap.
- Use updated antivirus: Mobile antivirus tracks websites, applications and even messages that originate from known bad sources and can warn you about them. Keep it updated so that your phone knows about newly reported sites and vendors.
- Be suspicious: Whenever you are asked to provide information through any medium, check the credentials and authenticity of whoever is asking. A little suspicion can keep you out of most traps.
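The "Secure connection", "Check URL" and "Check redirection" points above all come down to one question: which host will the browser really talk to, and is it under the expected domain? The following is an added example, not code from the original article, showing how to answer that question correctly for a single link and for a chain of redirects. It rejects the tricks a naive "does the brand name appear in the URL" test lets through: a lookalike domain with the brand as a subdomain, a `user@host` prefix that hides the real host, and non-ASCII or punycode hosts that can be homographs of the brand. The expected domain and all sample URLs are constructed for the example; `registrable_domain` is a deliberate simplification that takes the last two labels, where production code would consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ('www.facebook.com' -> 'facebook.com').

    Simplification for this example: real code should consult the Public
    Suffix List so that hosts such as 'login.example.co.uk' are handled.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> tuple:
    """Decide whether a link plausibly belongs to expected_domain.

    Returns (ok, reason).  The decision is made on the host the browser
    will actually contact, never on whether the brand name appears
    somewhere in the string.
    """
    parts = urlsplit(url)
    # .hostname is lower-cased and has userinfo ('user@') and ':port'
    # stripped, so 'https://www.facebook.com@evil.example/' yields
    # hostname 'evil.example' and username 'www.facebook.com'.
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, "not https (%s)" % (parts.scheme or "no scheme")
    if parts.username is not None:
        return False, "userinfo '%s@' placed before the real host" % parts.username
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "non-ASCII or punycode host; possible homograph of the brand"
    if registrable_domain(host) != expected_domain.lower():
        return False, "host %s is not under %s" % (host, expected_domain)
    return True, host


def check_redirect_chain(hops, expected_domain: str) -> tuple:
    """Run check_link over every hop of a redirect chain.

    `hops` is a list of URLs (here constructed; in practice taken from the
    Location headers or the browser history).  Returns (final_ok, results):
    the page the user lands on is the one that matters, but every hop is
    reported so a detour through an attacker's host is visible.
    """
    results = [check_link(u, expected_domain) for u in hops]
    final_ok = results[-1][0] if results else False
    return final_ok, results


if __name__ == "__main__":
    # Constructed sample links, labelled with what a substring match would miss.
    samples = [
        "https://www.facebook.com/login",              # genuine subdomain
        "http://www.facebook.com/login",               # right host, plain http
        "https://www.facebook.com.evil.example/login", # brand as a subdomain of the attacker
        "https://www.facebook.com@evil.example/login", # brand hidden in userinfo
        "https://xn--80ak6aa92e.com/login",            # punycode host
    ]
    for url in samples:
        ok, reason = check_link(url, "facebook.com")
        print("%-5s %s  (%s)" % ("OK" if ok else "BAD", url, reason))
```

Run it as a script to see each sample classified, or import `check_link` and `check_redirect_chain` into a mail-filtering or link-rewriting tool. The redirect variant exists because attackers often start the chain on a host that passes every check and only the final hop lands on the phishing page, so the check has to be applied to where the user ends up, not to the first link they were shown.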
Current defenses against phishing in the mobile environment are still inadequate. What is needed is an anti-phishing solution that works both at the recipient and on the transmission medium. The digital landscape is shifting daily, with users spending more time on their phones and tablets than on their laptops or desktops. Phishing attacks will grow with it, and an anti-phishing solution built for this landscape is no longer optional.