When Phishing Goes Mobile

Based on the number of phishing sites we observed in 2012, it appears that cybercriminals have discovered a new target in mobile devices.

For 2012, we found 4,000 phishing URLs designed for the mobile Web. Though this number represents less than 1% of all the phishing URLs gathered that year, it highlights that mobile devices (smartphones, tablets and the like) are valid platforms for launching phishing attacks.

Cybercriminals use phishing sites, which are spoofed versions of legitimate sites, to trick users into disclosing sensitive information like usernames, passwords, and even account details.

What’s more worrisome is the kind of websites these phishing attacks spoof. In 2012, 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use the stolen data to initiate unauthorized transactions and purchases via the victim’s account.

A portion of these phishing sites were designed to spoof social networking sites (2%) and online shopping sites (4%). The small number of phishing sites for social media may be attributed to users’ preference for social media apps. Because users are unlikely to visit social networking sites via the mobile Web, launching phishing equivalents of these pages may not be an effective way to target users.

These numbers are consistent with our top 10 most phished entities, the majority of which are banking or credit card websites.


Figure 1. Mobile phishing URLs by industry

Company Name | Nature
PayPal | e-Commerce
Absa Internet Banking | Banking/Finance
Popular en linea | Banking/Finance
Mijn ICS (International Card Services) | Banking/Finance
Barclays | Banking/Finance
Wells Fargo | Banking/Finance
eBay | e-Commerce
Bank of America | Banking/Finance
SFR (Societe Francaise du Radiotelephonie) | Telecommunications
KBC Bank NV and Match.Com (tie) | Banking/Finance, Online dating

Table 1. Top 10 entities targeted by mobile phishing

This trend in launching phishing attacks on mobile devices can be attributed to certain limitations of the platform itself. These include the small screen size of most mobile devices, which prevents users from fully inspecting websites for any anti-phishing security element. With the majority of mobile devices using default browsers, it is also easier for cybercriminals to create schemes, as they need only focus on one browser instead of many.

Then there’s the issue of users’ attitude towards mobile devices. It’s easy for users to dismiss these as simple devices that have no major security implications. However, what most users fail to understand is that these devices are as capable as any desktop. They are also open to the same threats that haunt PCs, so these devices should be used more consciously and safely.

To avoid these attacks, users must always be cautious about clicking links in emails. If possible, users should manually type the addresses of the websites they want to visit and bookmark these sites. Users can also benefit from installing security apps like Trend Micro Mobile Security Personal Edition. Our Monthly Mobile Report for February, Mobile Phishing: A Problem on the Horizon, provides more details regarding mobile phishing, data-stealing apps, and other mobile security tips.

With additional data from Fraud analyst Paul Pajares

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 21. February 2013, content source with full text you can find at link above.