{"id":14036,"date":"2018-12-10T08:10:02","date_gmt":"2018-12-10T16:10:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/12\/10\/news-7803\/"},"modified":"2018-12-10T08:10:02","modified_gmt":"2018-12-10T16:10:02","slug":"news-7803","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/12\/10\/news-7803\/","title":{"rendered":"Something else is phishy: How to detect phishing attempts on mobile"},"content":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Mon, 10 Dec 2018 15:00:56 +0000<\/strong><\/p>\n<p>In <a href=\"https:\/\/securityintelligence.com\/mobile-users-3-times-more-vulnerable-to-phishing-attacks\/\" target=\"_blank\" rel=\"noopener\">a report<\/a>\u00a0published in 2011, IBM revealed that mobile users are three times more likely to fall for phishing scams than desktop users. The claim was based on the access logs of web servers that hosted phishing websites.<\/p>\n<p>Seven years later, we continue to see different organizations reporting an increased trend in phishing attacks targeting the mobile market. 
Surprisingly, phishers seem to have tipped the scales to a new preferred target: iPhone users.\u00a0Wandera, a mobile security solutions provider, has observed that\u00a0<a href=\"https:\/\/zvelo.com\/mobile-phishing-scams-targeting-apple-id-2018\/\" target=\"_blank\" rel=\"noopener\">iOS users<\/a>\u00a0experience\u00a0<a href=\"https:\/\/www.wandera.com\/about-wandera\/wandera-in-the-media\/press-archive\/iphone-users-suffer-twice-many-mobile-phishing-attacks-android-users\/\" target=\"_blank\" rel=\"noopener\">twice as many<\/a>\u00a0phishing attacks as their Android counterparts.<\/p>\n<h2>Mobile phishing by the numbers<\/h2>\n<p>Below is a quick rundown of current noteworthy mobile phishing statistics to date:<\/p>\n<ul>\n<li>In the whitepaper <em><a href=\"https:\/\/info.lookout.com\/rs\/051-ESQ-475\/images\/Lookout-Phishing-wp-us.pdf\" target=\"_blank\" rel=\"noopener\">&#8220;Mobile phishing 2018: Myths and facts facing every modern enterprise today&#8221;<\/a>\u00a0<\/em>(PDF), Lookout has determined that the rate at which users are tapping phishing links has grown an average of 85% year over year since 2011.<\/li>\n<li>In the latest <em><a href=\"https:\/\/docs.apwg.org\/reports\/apwg_trends_report_q2_2018.pdf\" target=\"_blank\" rel=\"noopener\">&#8220;Phishing Activity Trend Report&#8221;<\/a>\u00a0<\/em>(PDF), the Anti-Phishing Working Group (APWG) has revealed that the Payments industry continues to rank as the top sector targeted by phishing threat actors (36%) in Q1 2018.<\/li>\n<li>This same APWG report also claims that 35% of all phishing sites were using <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/hyper-text-transfer-protocol-secure-https\/\" target=\"_blank\" rel=\"noopener\">HTTPS<\/a> and SSL certificates.\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/09\/google-reminds-website-owners-to-move-to-https-before-october-deadline\/\" target=\"_blank\" rel=\"noopener\">With Google now labeling non-HTTPS websites as &#8220;Not Secure,&#8221;<\/a> expect more phishers to abuse the widespread assumption that an HTTPS site is trustworthy and legitimate. A certificate only proves that the connection is encrypted to whoever controls the domain, not that the domain is who it claims to be.<\/p><\/li>\n<li>In their report, <a href=\"https:\/\/www.wombatsecurity.com\/state-of-the-phish\" target=\"_blank\" rel=\"noopener\"><em>&#8220;2018 State of Phish&#8221;<\/em><\/a>, Wombat Security hailed <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/sms-phishing-smishing\/\" target=\"_blank\" rel=\"noopener\">smishing<\/a>, short for SMS phishing, as the attack vector to watch. This is due to its increased media reporting in 2017, which they believe will continue to trend, especially in countries with low awareness of mobile phishing.<\/li>\n<li>PhishLabs stated in its <em><a href=\"https:\/\/info.phishlabs.com\/hubfs\/2018%20PTI%20Report\/PhishLabs%20Trend%20Report_2018-digital.pdf\" target=\"_blank\" rel=\"noopener\">&#8220;2018 Phishing Trends &amp; Intelligence Report&#8221;<\/a>\u00a0<\/em>(PDF) that Email\/Online Services was the top targeted industry in the second half of 2017 (26.1%), with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages. This suggests an increasing trend of phishing campaigns targeting businesses.<\/li>\n<li>This same PhishLabs report has also noted a dramatic increase in phishing campaigns banking on the trust of users towards software-as-a-service (SaaS) companies (7.1%). Such attacks were all but non-existent before 2015 but more than doubled over the two years that followed.<\/li>\n<li>Wandera stated that <a href=\"https:\/\/www.wandera.com\/mobile-phishing-attacks\/\" target=\"_blank\" rel=\"noopener\">48% of phishing attacks happen on mobile<\/a>. 
They also claim that iOS users are <a href=\"https:\/\/www.wandera.com\/mobile-phishing-attacks\/\" target=\"_blank\" rel=\"noopener\">18X more likely<\/a> to fall for a phish than to download malware.<\/li>\n<\/ul>\n<h2>Mobile phishing scam types<\/h2>\n<p>Phishing attacks are no longer exclusive to emails, especially on mobile. A mobile device\u2019s design and feature set give phishers several channels besides email for getting into users\u2019 heads and getting their hands on personal and business data.<\/p>\n<p>While many users are quite familiar with what phishing looks like on the desktop, they are far less familiar with smishing or <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/Vishing\/\" target=\"_blank\" rel=\"noopener\">vishing<\/a>\u2014and the other types of phish one might encounter on mobile\u2014than they are with email phishing.<\/p>\n<h3>SMiShing<\/h3>\n<p><strong>SMiShing\u00a0<\/strong>is phishing done through SMS. Android expert and Senior Analyst <a href=\"https:\/\/blog.malwarebytes.com\/author\/nathanmwb\/\" target=\"_blank\" rel=\"noopener\">Nathan Collier<\/a>\u00a0has written about <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/mobile-menace-monday-sms-phishing-attacks-target-the-job-market\/\" target=\"_blank\" rel=\"noopener\">a smishing message<\/a>\u00a0a colleague received on their Android device that purportedly came from a human resources company, advertising an open, albeit fake, position of Prime Agent for Amazon.<\/p>\n<p>iOS users also have their share of spotted smishing campaigns. 
Below is a smishing message posted publicly <a href=\"https:\/\/www.reddit.com\/r\/iphone\/comments\/66azsj\/if_you_get_this_message_ignore_it_this_is_a_scam\/\" target=\"_blank\" rel=\"noopener\">on Reddit<\/a>\u00a0as a warning to other iPhone users:<\/p>\n<div id=\"attachment_26537\" style=\"width: 610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26537\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/attachment\/apple-id-smish-reddit\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit.jpg\" data-orig-size=\"1242,801\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"apple-id-smish-reddit\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit-300x193.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit-600x387.jpg\" class=\"wp-image-26537 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit-600x387.jpg\" alt=\"\" width=\"600\" height=\"387\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit-600x387.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit-300x193.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/apple-id-smish-reddit.jpg 1242w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" 
\/><\/p>\n<p class=\"wp-caption-text\">Screenshot of an iOS SMS phishing message. Courtesy of Redditor u\/jamesmt87.<\/p>\n<\/div>\n<blockquote>\n<p><em>Your Apple ID has been disabled until we hear from you ,<br \/> <\/em><em>Prevent this by confirming your informations at {bit.ly URL}<br \/> <\/em><em>Apple inc<\/em><\/p>\n<\/blockquote>\n<h3><span lang=\"EN-US\">Vishing<\/span><\/h3>\n<p><b><span lang=\"EN-US\">Vishing<\/span><\/b><span lang=\"EN-US\">, or voice phishing (at times, it also stands for <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/voice-over-internet-protocol-voip\/\" target=\"_blank\" rel=\"noopener\">VoIP<\/a> phishing), is phishing done over a device\u2019s call feature. An attempt can be considered vishing if the phisher (1) leaves a recorded message for the target saying that something is wrong, (2) leaves a number that the target is to call back, or (3) cold calls the target. Point two is\u00a0precisely the tactic used by an iOS phishing scam that Ars Technica Editor Sean Gallagher revealed in <a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/07\/click-on-this-ios-phishing-scam-and-youll-be-connected-to-apple-care\/\" target=\"_blank\" rel=\"noopener\">a July 2018 post<\/a>. 
According to Gallagher, an email directs users to a fake Apple website, which pops up a dialog box to start a call to a purported agent that goes by \u201cLance Roger at AppleCare.\u201d AppleCare is Apple\u2019s extended warranty service.<\/span><\/p>\n<div id=\"attachment_26538\" style=\"width: 610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26538\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/attachment\/arstech-smish-shot\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot.jpg\" data-orig-size=\"800,585\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;1532790750&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}\" data-image-title=\"arstech-smish-shot\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot-300x219.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot-600x439.jpg\" class=\"wp-image-26538 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot-600x439.jpg\" alt=\"\" width=\"600\" height=\"439\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot-600x439.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot-300x219.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/arstech-smish-shot.jpg 800w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p 
class=\"wp-caption-text\">A vishing pop-up dialog box. Courtesy of Ars Technica.<\/p>\n<\/div>\n<p>In Android\u2019s corner, we have the latest variant of <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/fakebank-android-banking-trojan\/\" target=\"_blank\" rel=\"noopener\">Fakebank<\/a>, a mobile <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/trojan\/\" target=\"_blank\" rel=\"noopener\">Trojan<\/a>\u00a0that is capable of intercepting bank SMS and inbound and outgoing calls. A user calling their legitimate bank, for example, is redirected to scammers posing as agents of that bank. Security researchers have spotted this variant in apps aimed at Korean bank customers.<\/p>\n<p>Vishing can also be <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/hacking-the-business-email-compromise-\/d\/d-id\/1328497?\" target=\"_blank\" rel=\"noopener\">a part of<\/a> a greater <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/business-email-compromise-bec\/\" target=\"_blank\" rel=\"noopener\">business email compromise (BEC)<\/a>\u00a0attack.<\/p>\n<h3>Other types: messenger phishing, social phishing, and ad-network phishing<\/h3>\n<p>Apps continue to shape a user\u2019s mobile experience for the better. Without them, a phone would be little more than a pricey paperweight.<\/p>\n<p>These brilliant little programs have made it possible for users to access their personal and work emails while away from a desktop computer, keep in touch with family and friends via messaging platforms while on the go, share and access media in real time, and stave off boredom while waiting.<\/p>\n<p>Phishers, unfortunately, have leveraged the power of apps to their advantage. 
And the internet is rife with stories of people who got (or nearly got) phished via mobile apps.<\/p>\n<p>Take, for instance, the Facebook message that used Messenger as a launchpad to spread <a href=\"https:\/\/www.securityforrealpeople.com\/2017\/03\/facebook-messenger-phishing-scam.html\" target=\"_blank\" rel=\"noopener\">a purported &#8220;viral video&#8221;<\/a>\u00a0of the recipient complete with their picture and name, and a number indicating the view count.<\/p>\n<div id=\"attachment_26539\" style=\"width: 610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26539\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/attachment\/fb_scam_bait-david-longenecker\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker.png\" data-orig-size=\"640,619\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"FB_scam_bait-david-longenecker\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker-300x290.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker-600x580.png\" class=\"wp-image-26539 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker-600x580.png\" alt=\"\" width=\"600\" height=\"580\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker-600x580.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker-300x290.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/FB_scam_bait-david-longenecker.png 640w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">Screenshot of a Facebook Messenger phish. Courtesy of Security For Real People.<\/p>\n<\/div>\n<p>Clicking this &#8220;video&#8221; sent mobile users to a fake Facebook Videos login screen, wherein they were then encouraged to key in their Facebook credentials. Doing so sent a similar video bait to contacts, not to mention scammers hijacking the accounts of those who fell for this trick.<\/p>\n<p>This is a case of <strong>messenger phishing<\/strong>. It is a type of phishing attempt that uses messaging services on mobile devices. Examples of these services are WhatsApp, Instagram, Viber, Skype, Snapchat, and Slack.<\/p>\n<p>Then there\u2019s <strong>social phishing<\/strong>, which is an attempt that abuses social networking sites to spread a phishing campaign. 
Below is a capture of a phishing message sent to a recipient via LinkedIn\u2019s InMail feature:<\/p>\n<div id=\"attachment_26540\" style=\"width: 610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26540\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/attachment\/knowb4-linkedin-phish\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish.png\" data-orig-size=\"1188,1090\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"KnowB4-linkedin-phish\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish-300x275.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish-600x551.png\" class=\"wp-image-26540 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish-600x551.png\" alt=\"\" width=\"600\" height=\"551\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish-600x551.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish-300x275.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/KnowB4-linkedin-phish.png 1188w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">Screenshot of a LinkedIn InMail phish. 
Courtesy of KnowBe4.<\/p>\n<\/div>\n<p><span lang=\"EN-US\">Here\u2019s another case of social phishing: A Twitter account posing as NatWest bank <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/08\/scammers-sneak-into-customer-support-conversations-on-twitter\/\" target=\"_blank\" rel=\"noopener\">inserted itself into a live conversation<\/a> between a NatWest bank client and NatWest\u2019s official Twitter channel in an attempt to present a bogus quick fix to the current concern the real bank was attempting to address.<\/span><\/p>\n<div id=\"attachment_26541\" style=\"width: 591px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26541\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/attachment\/fake-natwest-twitter\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/fake-natwest-twitter.jpg\" data-orig-size=\"581,543\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"fake-natwest-twitter\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/fake-natwest-twitter-300x280.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/fake-natwest-twitter.jpg\" class=\"wp-image-26541 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/fake-natwest-twitter.jpg\" alt=\"\" width=\"581\" height=\"543\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/fake-natwest-twitter.jpg 581w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/fake-natwest-twitter-300x280.jpg 300w\" sizes=\"auto, (max-width: 581px) 100vw, 581px\" \/><\/p>\n<p class=\"wp-caption-text\">Malwarebytes has caught a fake NatWest Twitter account red-handed.<\/p>\n<\/div>\n<p>Finally, <strong>ad-network phishing<\/strong>. On mobile, ads can come in many forms: They can be in free apps, on web pages the user visits, and as a pop-up notification or banner. Because apps communicate with other services (like an ad network) in the background, they can expose mobile users to risks ranging from a phishing campaign (at best) to malware (at worst).<\/p>\n<p>We\u2019d be remiss if we didn\u2019t mention <strong>phishing apps<\/strong>. These are fake apps that bank on the names of popular online brands, usually promising one or more perks if downloaded and installed. Such is the case of <a href=\"https:\/\/www.theregister.co.uk\/2017\/03\/09\/instagram_phishing_apps\/\" target=\"_blank\" rel=\"noopener\">multiple fake Instagram apps<\/a>\u00a0that were pulled from the Google Play store after being found to collect credentials. The apps promised to boost follower counts, post likes, and comments, and had been downloaded 1.5 million times.<\/p>\n<h2>Mobile phish spotting<\/h2>\n<p>Mobile phishing attempts are quite a challenge to detect, more so for the uninitiated. Regardless of your level of know-how or your computing platform of choice, it is always best to familiarize yourself with common phishing tactics and trends. We already have <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/06\/somethings-phishy-how-to-detect-phishing-attempts\/\" target=\"_blank\" rel=\"noopener\">a great and very comprehensive list of red flags<\/a>\u00a0that can guide you in spotting phishing attempts in general. 
However, mobile users can also benefit from the following list of tell-tale signs specific to mobile phishing attempts:<\/p>\n<ul>\n<li>The message comes out of the blue, claiming that you either (1) won a prize, (2) have an account or subscribed service suddenly deactivated (often without disclosing a reason), or (3) must urgently do something to address a problem. Such claims are tried-and-tested social engineering ploys that more often than not give the game away.\n<p>Even when a notification is genuine and a breach really does require action, it is best not to click the links in it (faster and more convenient though that is). Go directly to the legitimate domain instead, from a bookmark or by typing the address into the address bar, and log in from there.<\/p><\/li>\n<li>The message comes from an unknown number or sender. If it claims to be from a service you actually use, be doubly cautious: on mobile it is near impossible to confirm that the sender really is that service, so verify the claim yourself as in the point above, and check the account for logged suspicious activity. If you are still unsure, contact the provider\u2019s customer support using contact details from its official site or app, not from the message.<\/li>\n<li>The message comes with a bogus hyperlink, which may be obvious to some but not to others. It pays to be very familiar with the official web addresses of the services you use online. If you feel that something is off, even if you are unsure what is triggering that feeling, err on the side of caution and avoid clicking the link.<\/li>\n<li>The message comes with a shortened URL. Shortening URLs is an excellent way to make effective use of space where the character count is limited. 
Unfortunately, it also hides the real destination: a shortened link gives no clue where it goes until it is expanded or clicked.<\/li>\n<li>The message or caller asks you for personal information, or for <em>more\u00a0<\/em>information than the stated purpose could need. Most legitimate and reputable businesses do not call or message asking for sensitive information. Banks do sometimes call when they suspect fraud on your account, and will ask questions to check that you are who you say you are, but there is certain information they will never ask you to divulge, such as your account PIN or Social Security Number (SSN).<\/li>\n<li>The message or caller does not address you by name. Most businesses know who their clients are and normally greet them by name; a generic salutation is a warning sign, though a phisher who has your name from an earlier data breach can pass this test.<\/li>\n<li>The URL you are directed to has no padlock (HTTPS). A padlock is no longer solid proof that a page is safe, since phishers can obtain certificates too, but a lot of phishing campaigns still forgo HTTPS, so its absence remains a useful signal.<\/li>\n<li>The URL you are redirected to looks right, but has a run of unexplained dashes after it. 
Phishers are already using a technique called <a href=\"https:\/\/info.phishlabs.com\/blog\/the-mobile-phishing-threat-youll-see-very-soon-url-padding\" target=\"_blank\" rel=\"noopener\">URL padding<\/a>, wherein they pad the subdomain, which consists of a legitimate website address, with hyphens to hide the real domain and create believability.\n<div id=\"attachment_26542\" style=\"width: 387px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26542\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/attachment\/phishlabs-padded-url\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url.png\" data-orig-size=\"512,815\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"phishlabs-padded-url\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url-188x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url-377x600.png\" class=\"wp-image-26542 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url-377x600.png\" alt=\"\" width=\"377\" height=\"600\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url-377x600.png 377w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url-188x300.png 188w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/12\/phishlabs-padded-url.png 512w\" sizes=\"auto, (max-width: 377px) 100vw, 377px\" \/><\/p>\n<p class=\"wp-caption-text\">Screenshot of a fake Facebook login screen where phishers used URL padding. Courtesy of PhishLabs.<\/p>\n<\/div>\n<p>In this example, the complete URL is <code>hxxp:\/\/m.facebook.com----------------validate----step1.rickytaylk[dot]com\/sign_in.html<\/code>, where <code>rickytaylk[dot]com<\/code> is the registrable domain (the part the attacker actually controls) and <code>m.facebook.com----------------validate----step1<\/code> is merely a long subdomain under it. A narrow mobile address bar shows the leading <code>m.facebook.com<\/code> and hides the rest. Users who cannot see the complete URL can copy it and paste it into a notes app, then read the hostname from the right: the last labels before the first single slash are the domain that actually serves the page, whatever appears in front of them.<\/p><\/li>\n<\/ul>\n<p>A word on <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/homograph-attacks\/\" target=\"_blank\" rel=\"noopener\">homograph attacks<\/a>: Yes, they work on mobile devices, too. Fortunately, many modern browsers already display the <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/punycode\/\" target=\"_blank\" rel=\"noopener\">Punycode<\/a>\u00a0version (the <code>xn--<\/code> form) of domains that contain confusables, non-Latin characters that look like one or more Latin letters.<\/p>\n<p>A user who sees an <code>xn--<\/code> address in the mobile browser has a clear warning that the page is not what it appeared to be, and this is a good thing. However, not all apps that accept and display text have considered the possibility of homograph attacks. 
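<\/p>\n<p>The URL red flags in the list above (shortened link, brand name in the wrong place, hyphen padding, missing HTTPS) and the Punycode point just made can be checked mechanically instead of by squinting at a narrow address bar. The Python script below is an added example written for this article; it is not code from Malwarebytes, PhishLabs or Wandera. The brand list, the shortener list and the sample URLs are constructed assumptions, and its two-label rule for the registrable domain stands in for a real public suffix list. Only the padded rickytaylk.com address comes from the article, with the defanged [dot] restored.<\/p>\n
```python
import re
from urllib.parse import urlsplit

# Assumed for this demo: brands we care about, common shorteners, and a
# few multi-label public suffixes. A real tool would load the full public
# suffix list and an organisation-specific brand list instead.
BRANDS = ('facebook', 'apple', 'paypal', 'microsoft', 'google', 'natwest')
SHORTENERS = ('bit.ly', 'goo.gl', 't.co', 'tinyurl.com', 'ow.ly')
MULTI_LABEL_SUFFIXES = ('co.uk', 'com.au', 'co.jp')

# Constructed sample inputs: the PhishLabs padded URL quoted in the article,
# a plausible bit.ly link like the one in the Apple ID smish, a Punycode
# look-alike of apple.com, and a genuine Facebook login URL as a control.
SAMPLE_URLS = (
    'http://m.facebook.com----------------validate----step1.rickytaylk.com/sign_in.html',
    'https://bit.ly/2xAbCdE',
    'https://xn--pple-43d.com/account/verify',
    'https://m.facebook.com/login',
)


def registrable_domain(host):
    '''Owner-controlled part of a hostname: the last two labels, or three
    when the last two form a known multi-label suffix (co.uk and friends).'''
    labels = host.split('.')
    n = 3 if '.'.join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return '.'.join(labels[-n:])


def decode_idn(host):
    '''Render a Punycode (xn--) hostname in its Unicode form, if it is valid.'''
    try:
        return host.encode('ascii').decode('idna')
    except (UnicodeError, ValueError):
        return host


def triage_url(url):
    '''Return the list of red flags a URL raises; an empty list means none
    of the checks fired. Works from the hostname rather than from the part
    of the URL a small screen happens to show.'''
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or '').lower()
    if not host:
        return ['not a URL']
    if parts.scheme != 'https':
        flags.append('no HTTPS')
    if host in SHORTENERS:
        flags.append('shortened URL, real destination hidden')
    domain = registrable_domain(host)
    subdomain = host[:-len(domain)].rstrip('.')
    # URL padding: a run of hyphens in the subdomain pushes the real domain
    # out of the visible part of the address bar.
    if re.search('-{3,}', subdomain):
        flags.append('URL padding, hyphen run in subdomain')
    # A brand in the subdomain or path while the registrable domain is someone else.
    for brand in BRANDS:
        in_sub_or_path = brand in subdomain or brand in parts.path.lower()
        if in_sub_or_path and brand not in domain:
            flags.append(f'brand {brand} outside the domain, page is served by {domain}')
    # Homograph: raw non-ASCII that a chat app may render as-is, or the
    # xn-- form a browser would show for the same confusable name.
    if not host.isascii():
        flags.append('non-ASCII hostname, possible confusable characters')
    elif any(label.startswith('xn--') for label in host.split('.')):
        flags.append(f'Punycode hostname, displays as {decode_idn(host)}')
    return flags


def triage_all(urls=SAMPLE_URLS):
    '''Map each URL to its flags; handy for a batch of links pulled out of a message.'''
    return {url: triage_url(url) for url in urls}


if __name__ == '__main__':
    for url, flags in triage_all().items():
        print(url)
        for flag in flags or ['no red flags found']:
            print('   ', flag)
```
\n<p>Run with no arguments, the script triages the constructed samples: the padded Facebook address raises three flags (no HTTPS, padding, brand outside the domain), the bit.ly link and the Punycode look-alike one each, and the genuine m.facebook.com login none. Feeding it the links pasted out of a suspicious message is the intended use. None of the checks is proof on its own, which is why each URL gets a list of flags for a human to weigh rather than a verdict.<\/p>\n<p>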
<a href=\"https:\/\/www.wandera.com\/punycode-attacks\/\" target=\"_blank\" rel=\"noopener\">According to Wandera\u2019s research<\/a>, many communications and collaboration tools used by employees on both Android and iOS don\u2019t flag Punycode URLs as suspicious.<\/p>\n<p>\u201cOnly Facebook Messenger, Instagram and Skype provided an opportunity for the user to identify the punycode URL by either showing a preview of the webpage with the xn prefix, or, in the case of skype, by not providing a hyperlink for domains using unicode, meaning users can\u2019t click through from the message.\u201d <a href=\"https:\/\/www.wandera.com\/punycode-attacks\/\" target=\"_blank\" rel=\"noopener\">writes<\/a> Liarna La Porta, Content Marketing Manager for Wandera, in a blog post. \u201cWhile these apps are not providing the best methods of defense, they at least provide an opportunity to assess suspicious links more closely.\u201d<\/p>\n<h2>Phish-proof no more?<\/h2>\n<p>In April 2017, it emerged that a Lithuanian man who had posed as Quanta Computer, a Taiwanese electronics manufacturer, had <a href=\"https:\/\/www.theguardian.com\/technology\/2017\/apr\/28\/facebook-google-conned-100m-phishing-scheme\" target=\"_blank\" rel=\"noopener\">successfully conned<\/a>\u00a0two big names in the tech industry out of more than $100M between them. Both companies eventually recovered the bulk of their money, but not before making headlines that made readers gasp. Who were these phishing victims? Google and Facebook.<\/p>\n<p>Tech savviness, it seems, is becoming less and less of a protection against a well-crafted phishing lure. It is hard enough for desktop users to pick out a believable phish. 
With mobile devices, which already have a size limitation and more potential attack points, users are doubly challenged, especially if the adversary is motivated enough to steal the sensitive corporate data stored in them.<\/p>\n<p>Indeed, phishing has branched beyond email. And using commodity-level phishing protection on mobile is inadequate in defending users from attacks. Being truly phish-proof (or akin to it) may require necessary adjustments on the side of both man and machine: improved security features on mobile devices and their apps, and knowing the red flags and what steps to take to adequately respond to a phishing attempt are key.<\/p>\n<p>Recommended reading:<\/p>\n<ul>\n<li>&#8220;Phishing attacks on modern Android&#8221; (direct PDF link <a href=\"http:\/\/www.s3.eurecom.fr\/~yanick\/publications\/2018_ccs_phishing.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>)<\/li>\n<li>&#8220;Social Phishing&#8221; (direct PDF link <a href=\"http:\/\/markus-jakobsson.com\/papers\/jakobsson-commacm07.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>)<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/\">Something else is phishy: How to detect phishing attempts on mobile<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Mon, 10 Dec 2018 15:00:56 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/' title='Something else is phishy: How to detect phishing 
attempts on mobile'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/11\/shutterstock_759609499.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Phishing is more problematic on smartphones than on desktops. Not only that, approaches to handling phishing attacks on mobile are quite different because their techniques are also different. So, how can users sniff out a mobile phish? Let us count the ways.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/how-tos\/\" rel=\"category tag\">How-tos<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/ad-networking-phishing\/\" rel=\"tag\">ad-networking phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/homograph-attacks\/\" rel=\"tag\">homograph attacks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/https\/\" rel=\"tag\">HTTPS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ios\/\" rel=\"tag\">iOS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile\/\" rel=\"tag\">Mobile<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing-apps\/\" rel=\"tag\">phishing apps<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/punycode\/\" rel=\"tag\">Punycode<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/smishing\/\" rel=\"tag\">smishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/social-phishing\/\" rel=\"tag\">Social Phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/unicode\/\" rel=\"tag\">unicode<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/url-padding\/\" rel=\"tag\">url padding<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/vishing\/\" rel=\"tag\">vishing<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a 
href='https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/' title='Something else is phishy: How to detect phishing attempts on mobile'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/\">Something else is phishy: How to detect phishing attempts on mobile<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,20381,15548,11171,11124,10480,10554,3924,20382,16824,12795,20383,16485,20384,14136],"class_list":["post-14036","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-ad-networking-phishing","tag-homograph-attacks","tag-how-tos","tag-https","tag-ios","tag-mobile","tag-phishing","tag-phishing-apps","tag-punycode","tag-smishing","tag-social-phishing","tag-unicode","tag-url-padding","tag-vishing"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14036"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/140
36\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}