Phishing target mobile devices

Phishing attacks are becoming easier to create with new tools and easy-to-use developer kits. Even inexperienced users can serve deceptive websites with just a few clicks.

In recent months, attackers have increasingly targeted mobile devices in particular. As remote work structures and distributed workforces have become the norm in many organizations, mobile workers are the weakest link in the chain of defense. Many IT security systems find it difficult to detect mobile attacks, so the number of successful attacks continues to increase.

Cybercrime is easier than ever. Only a few mouse clicks are required to prepare and carry out phishing attacks. Current attack tools and phishing kits allow even simple users to lure unwary victims to fraudulent websites. Using fake websites, emails or text messages from supposedly well-established brands, they trick unwary users into divulging their credentials. This allows the cyber thieves to take control of the victim’s account and use reused passwords to compromise multiple targets.

These attacks are difficult to detect and stop, so the number of security breaches has increased significantly. The corona crisis in particular has triggered a surge in IT attacks. Zimperium’s zLabs team of experts saw a sixfold increase in phishing attacks in the first year of the pandemic alone. These numbers are worrying enough, but a recent trend is further exacerbating the security situation. In the past, phishing attempts were largely device-independent, i.e. they were not geared towards a specific operating system or device type. Now, security officials are seeing an increase in phishing websites specifically targeting mobile endpoints.

Remote work and distributed work structures are now the norm in most organizations. However, many security precautions in this IT infrastructure have not yet caught up with the new normal. Security requirements that were taken for granted in the classic office environment of a company are often not enforced in the home office environment. Corporate data is therefore at much higher risk, which also applies unreservedly to mobile devices as critical components of modern and location-independent work processes.

The evolution of mobile phishing attacks

The timely detection of current phishing threats on mobile devices often fails due to the use of legacy security tools. Many sandbox toolsets are not mobile-focused and therefore do not provide the data needed for comprehensive mobile threat detection. Inferior mobile processors further limit the ability to analyze malicious domains. On top of that, many browser extensions haven’t made the leap to mobile devices yet. In most cases, it is not possible to install extensions on mobile browsers.

For example, the add-ons for desktop versions of Firefox are not available for iOS. Also for Safari on iOS or Chrome on Android there are not the same (security) extensions that are available for desktop users. There are exceptions — a limited number of tools and functions are compatible with Android devices. However, installation is not as easy as on desktop browsers, or the extension catalog is reduced for mobile devices. However, phishing analysis tools need full functionality to ensure the necessary visibility of website content such as HTML, links to external resources or full URLs. Phishing analysis tools optimized for desktops have a broader database and more features in classic computer environments than when used on mobile devices.

Almost finished!

Please confirm your email address!

Click on the link in the email we just sent you. Also check your spam folder and whitelist us.

More information about the newsletter.

Adaptive and responsive websites

Of course, the attackers know this too and carry out mobile-specific phishing attacks via adaptive and responsive websites. Websites with an adaptive layout download different content depending on the screen size. Adaptive layouts have a rigid design grid. Therefore, the user agent of the mobile endpoint is checked and the transmitted data packet is adapted depending on the device. However, this also makes it easier to hide malicious websites.

In the desktop view, for example, an unsuspecting camouflage page or the standardized error message “404 (page) not found” is displayed, while in the mobile view a phishing page pops up that asks for sensitive user data to be entered. In this way, outdated desktop solutions are prevented from screening data traffic and supposedly effective protective measures against phishing attacks are elegantly undermined.

The actual phishing trap is only set in place when the website is accessed via certain smartphones or tablets — for example, as soon as an Android mobile device is accessed. Traffic from any other device, including iOS, ends up on a different website. This approach using various mobile operating system redirects is a well-known method to exploit very specific browser vulnerabilities. In the case of the “Pegasus” spy software, communication with the validation servers took place on iOS devices in order to hide the infrastructure of the manufacturer NSO from security researchers.

Pages with responsive web design flexibly adapt the distribution and size of objects to the screen size of the connecting endpoint device. Content is displayed in such a way that the available space on the end device is always optimally used. Modern web design frameworks generate responsive information across all endpoints for a consistent web experience. This can also be exploited for phishing attacks.

On mobile devices, users often cannot see important information about a link or a website. In order to maximize the success of their fraud attempts, cyber criminals therefore limit the viewer’s field of vision to the desired web content. Users are therefore missing important information that would help to determine whether it was a phishing attempt. And so the smaller screens of mobile endpoints increase the chances of success for phishing attacks.

Flood of mobile phishing attempts

As a security company for real-time protection on mobile devices, Zimperium has analyzed the current development in spying on personal data in more detail. Over a period of two and a half years, publicly accessible and private data sources were evaluated and checked for responsive and adaptive websites. A total of 500,000 phishing sites were identified.

Result: Statistics show a significant increase of more than 50 percent in phishing attacks specifically targeting mobile devices. It is also striking that 75 percent of the analyzed phishing sites were adapted to mobile devices using one of the above techniques. Malicious actors thus specifically target mobile devices and take advantage of the fact that more and more websites are accessed via mobile devices. And unfortunately with growing success – because the defense mechanisms often come from the classic desktop world.