Mobile phishing is an emerging threat targeting the customers of popular financial entities. By the end of 2012, we already saw 4,000 mobile phishing URLs, representing less than 1% of all our phishing URL detections. Of the total combined URLs used in phishing attacks against the top targeted entities, 7% were mobile URLs.
Cybercriminals launch mobile phishing attacks because they can take advantage of certain limitations of the mobile platform. A mobile device's small screen size, for example, inhibits the mobile browser's ability to fully display any anti-phishing security elements a website has. This leaves users no way to verify if the website they're logging in to is legitimate or not. A study from the staff of Georgia Tech University in Atlanta cited this inability to display security elements as a critical security flaw in most of today's popular mobile browsers that made them unsafe. As seen in Figure 1, a legitimate PayPal mobile site URL (right) looks similar to a phishing page discovered by TrendLabs researchers (left) on a small screen.
Another limitation is the permanent default browsers preinstalled on certain phones. Their ability to automatically start up and display links the user opens makes it easier for cybercriminals, who now only have one browser to exploit instead of many.
Despite these limitations, the mobile platform has some advantages that lessen the concern of mobile phishing at this time. For one thing, the platform allows phishing targets like online shopping and banking sites to develop their own apps for customer use. Provided there's an absence of spoofed apps and a mechanism for continuous updates, these legitimate apps facilitate more secure exchanges of information between organizations and their customers. Mobile browsers are also becoming more powerful, able to process and run complex scripts. Websites that require login details may soon take advantage of this fact to implement better security measures.
The enduring popularity of desktops also takes away from the risk of mobile phishing. Users still prefer desktops and laptops over mobile devices to do complex tasks. Current browser usage stats trace 87% of global browser usage to desktops and the remaining 13% to mobile devices in November 2012.
While these advantages stunt the emergence of mobile phishing as a formidable threat, it must be reiterated that this is only temporary. A recent Juniper Research study indicates that over 1 billion users will use their mobile devices for banking purposes by 2017. As we've previously noted, the direction of cybercrime is heading toward the "post-PC" era. Cybercriminals follow where the users and their money go. Soon, cybercriminals will catch up with organizations' and users' shift to mobile computing.
Keep these in mind to protect against mobile phishing:
One of the more prolific types of mobile malware we encountered in 2012 was the data stealer, which does what its name states: it steals information. It made up nearly a quarter of all the malicious samples we collected last year.
Once data stealers are introduced to a user's mobile device—either mistaken for legitimate apps, or downloaded by existing malware on the device—they run quietly in the background, collecting specific data. Some of the most common data stolen are:
The information stolen by this type of malware may be used for malicious purposes depending on the data's form and content:
Such stolen information also benefits cybercriminals as a tradable commodity. For instance, stolen U.S. credit card numbers can sell for US$1–3 each, while those from other developed countries (Europe, Australia) sell for US$3–8. Bank account credentials can fetch around US$25–35.
The extent of user information a cybercriminal can purchase goes beyond that. Underground forums sell complete records of victims, known as "fullz," for as little as US$5 each. A typical "fullz" contains not only the credit card numbers and names of victims, but also more personal information like their birthdays, driver’s license information, social security numbers, and even the answers to their security questions.
A point to consider here is that while the consequences of being affected by a data stealer are considerable, infection requires the download of a malicious app to set off the chain of events. As such, to stay safe, exercise extreme caution when choosing which apps to download onto your mobile device.