Mobile Phishing – Why are users still getting hooked? (Social Engineering Ep. 5)

Mobile phishing attacks are one of the best examples of the ongoing migration of attackers and cyber-criminals from the PC to the mobile world.

Phishing attacks have been around for years and include several of the most famous attacks in Internet history. Whether posing as a fake Nigerian diplomat, an American bank or a vast range of too-good-to-be-true opportunities – phishing attacks go where the users are – and nowadays, that means mobile.

This is our fifth entry on Mobile Social Engineering.
Read our first entry on Malvertising.
Read our second entry on Fake Apps.
Read our third entry on Scareware.
Read our fourth entry on Rogue Wifi Hotspots.

How is a phishing attack against a mobile device carried out?
In a phishing campaign, the attacker makes some form of direct contact with the victim (e.g., an email or an instant message).

The communications tend to originate from an attacker posing either as a popular social media site, a well-known bank or online payment service, or as a trusted individual, whether a friend in need or an IT administrator.

Phishing emails or instant messages may contain links to websites that are either part of a drive-by attack, in which malware is downloaded automatically as soon as the browser reaches the URL, or that require the user to initiate the download of a malicious file. Much like fake apps or scareware, the victim will often be directed and/or convinced to submit details to a fake website that looks and feels almost identical to the legitimate one.

What are the consequences of a successful phishing attack?
As in the case of other mobile attacks that rely on social engineering, the results of a phishing attack can range from fraud (using sensitive data – internet credentials, credit card and/or bank details or merely convincing the victim to pay for something worthless) to more advanced espionage (infecting a victim’s device with an mRAT for instance).

Let’s look at a recent example – a phishing attack against customers of JPMorgan Chase Bank:

Step 1: Although JP Morgan didn’t release details on how the users were targeted, the most likely vector is emails claiming to originate from the bank, asking victims to “verify” their account or threatening its closure.

Step 2: After pressing a link in the email, users are directed to a series of fake pages. The first asks for the user’s ID and password, the second for their e-mail address and password, and the last for a scanned image of their government-issued ID.

[Image: JP Morgan Chase]

Step 3: After entering all of their details, the victims are directed to a final, dead website. By now, most users will have picked up on the fact they’ve just been scammed. In this case, malware didn’t play a part but it could just as easily have done.

How can enterprises begin to protect themselves?
With regard to phishing, protection mostly comes down to prevention. Awareness is key, so while the following advice won’t prevent all phishing attacks, and won’t help with a device that has already been infected by an attack, it’s definitely a start.

Accordingly, CISOs should instruct employees to thoroughly inspect emails before interacting with them. Things like the sender address, requests to enter confidential information, unnecessary attachments, generic greetings and even an urgent tone should act as warning signs that a message may be part of a phishing campaign.
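A small triage script, added here as an illustration (it is not code from the original post), that checks a message for the warning signs listed above so a security team can flag suspicious mail for review. The sample messages, word lists and the brand-to-domain table are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed samples modelled on the bank phishing email described above
# (hypothetical addresses and domains, not artifacts of a real campaign).
SAMPLE_PHISH = """\
From: "JPMorgan Chase Online" <alerts@chase-secure-login.example>
Subject: URGENT: Verify your account within 24 hours

Dear Customer,
Your account has been suspended. Please verify your account immediately by
entering your user ID and password at http://chase-secure-login.example/verify
"""
SAMPLE_LEGIT = """\
From: "Alice Jones" <alice.jones@chase.com>
Subject: Notes from Tuesday

Hi Bob, here are the notes from our meeting. Let me know if anything is missing.
"""
# Word lists for the warning signs listed above, and the legitimate domain for
# each brand that may appear in a display name (assumed tables, extend to taste).
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "will be closed")
CREDENTIAL_WORDS = ("password", "user id", "verify your account", "card number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
BRAND_DOMAINS = {"chase": "chase.com"}
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def off_brand(host: str, real: str) -> bool:
    """True when host is neither the brand's domain nor a subdomain of it."""
    return host.lower() != real and not host.lower().endswith("." + real)

def phishing_indicators(raw: str) -> list[str]:
    """Return the warning signs present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    text = f'{msg["Subject"] or ""}\n{msg.get_body(("plain",)).get_content()}'.lower()
    found = []
    # Sender address and links: a brand in the display name but a foreign domain.
    for brand, real in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower():
            if off_brand(sender.domain, real):
                found.append(f"sender domain {sender.domain} does not match {real}")
            found += [f"link host {h} does not match {real}"
                      for h in URL_HOST.findall(text) if off_brand(h, real)]
    checks = {
        "urgent tone": any(w in text for w in URGENT_WORDS),
        "request for confidential information": any(w in text for w in CREDENTIAL_WORDS),
        "generic greeting": any(g in text for g in GENERIC_GREETINGS),
        "unnecessary attachment": any(p.get_filename() for p in msg.iter_attachments()),
    }
    return found + [name for name, hit in checks.items() if hit]
```

Keyword matching like this catches the obvious cases only; treat the output as a prompt for human review, not a verdict.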

Next week’s penultimate edition is on the dangers of connecting a mobile device to a PC. The danger goes both ways: either the PC or the mobile device could be the target (and the other the attacker).