Cell phone technology is advancing day after day, and phishers are accordingly seeking various means to exploit vulnerable cell phone users. Two key areas show this trend: first, the increase in phishing against wireless application protocol (WAP) pages, and second, the use of compromised domain names that have been registered for mobile devices.
Many legitimate brands have designed versions of their websites for cell phones, known as WAP pages. The difference between a WAP page and a regular Web page is that the WAP page uses reduced file sizes and minimal graphics. This is done for cell phone compatibility and also to achieve higher browsing speeds while the user is on the move. Symantec has recorded phishing sites spoofing such Web pages and has monitored the trend. In June, social networking and information services brands were observed in these phishing sites. In the example shown below, the phishing page consists of nothing more than a form asking for users’ credentials. (This is a typical design created for cell phones.) When a victim enters the required information, the phishing page redirects to the WAP page of the legitimate brand. The phishing site in this case was hosted on a free Web hosting site.
The domain names used for websites accessed by mobile devices commonly have a “.mobi” top-level domain (TLD). These domain names are compromised and utilized by phishers to host several phishing sites. Over the past six months, about 65 percent of these phishing sites spoofed brands from the banking sector, whereas 19 percent were from the e-commerce sector and the remainder were from the ISP, social networking, and information services sectors.
The primary motive of phishers in these attacks continues to be identity theft. Targeting cell phone users is just part of a new strategy for achieving the same result.
Internet users are advised to follow best practices to avoid phishing attacks:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up page or screen.
• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.
by Mathew Maniyara
Note: My thanks to the co-author of this blog, Wahengbam RobinSingh.