5 most common mobile phishing tactics

April 17, 2020 | Aaron Cockerill

Phishing is one of the things that keeps CISOs up at night. Phishing attacks are effective and simple to launch, and used by financially motivated attackers as well as more targeted attacks. In the case of a targeted attack, it may harvest login credentials to gain access to corporate or personal resources.  In fact, sometimes corporate access can be used to steal personal data, and vice versa. Once inside the corporate network, attackers can launch full-scale cyber-espionage campaigns - silently stealing sensitive data and selling it on the dark web or obtaining admin server credentials to launch a full-scale network attack - which could cripple a company’s supply chain.

Yet as concerning as phishing may be, an emerging risk is not even realized by CISOs or their end users: phishing is increasingly targeting users on their mobile devices. Attackers are getting a higher return on investment by phishing mobile users.

Everyone has a mobile device these days and employees are using them far more for both work and personal life. Smaller screens display both work and personal messaging making it even more difficult to spot malicious phishing attacks. In fact, Lookout data shows that 1 in 50 enterprise users are phished on mobile devices daily. Mobile phishing rates have doubled for Lookout users of Office 365 and G Suite. This is a serious problem. 

Lookout data suggests that enterprise users are three times more likely to fall for a phishing link when presented on the small screens of mobile devices rather than when presented on the screens of desktop OS, like Windows or macOS.

Phishing has moved to mobile

Most think “email” when they hear the word “phishing” but it is different on mobile. Mobile phishing extends beyond email to SMS, MMS, messaging platforms, and social media apps. Attacks are technically simple but novel in their approach. They seek to exploit human trust along social networks using personal context. For example, a parent would click without hesitation on a message saying their daughter has been in an accident at school.

Employees also find it easier to perform tasks on a mobile device than on a desktop. Depositing checks via mobile banking app, for example, is simple, fast, and convenient, and there are many other examples like this.

So, organizations must remain vigilant to keep pace with phishing threats that are increasingly targeting mobile users. An Akamai study highlights the dynamic nature of phishing sites - of over 2 billion domains analyzed; nearly 89% of the domains commonly associated with malicious sites had a life span of less than 24 hours.This emphasizes the need for advanced detection capabilities.

Historically, organizations have invested heavily in security solutions such as secure email gateways, inbox scans, and end user training. Yet, these techniques remain too narrowly focused on email and do not protect modern messaging, such as SMS, Slack, and Microsoft Instant Messaging. Combating sophisticated phishing attacks on mobile is the new battleground as attackers continue to employ sophisticated mobile phishing strategies.

Most common mobile phishing tactics

There are several techniques that cybercriminals use to make their phishing attacks more effective on mobile. Below are some of the more commonly used tactics that Lookout has observed in the wild:

  • URL padding is a technique that includes a real, legitimate domain within a larger URL but pads it with hyphens to obscure the real destination. For example, hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html conceals the actual domain of the malicious site, rickytaylk, leaving only m.facebook.com as visible in the address bar on the device. Note, that the ‘rickytaylk’ phishing site is a few years old, no longer active, and only used here for example.
  • Tiny URLs are shortened URLs that can be used by attackers to direct a user to malicious content. Due to their abbreviated nature, they are well suited for SMS phishing attacks and are often used in large scale ‘smishing’ attacks.
  • Screen overlays enable an app to replicate the login page of a legitimate mobile app in order to capture a user's authentication credentials. This type of attack is often deployed by phishing scams and has shown to be highly effective and lucrative for hackers who are targeting mobile banking and payment apps.
  • Mobile verification refers to code that is embedded in phishing sites and is designed to verify that the device accessing the link is a mobile device. This implies that the attacker confirms that the target is mobile in order to deploy a mobile-specific attack.
  • SMS spoofing using over-the-air (OTA) provisioning is a mobile phishing attack where a bogus text message tricks a user into clicking a link. These messages often come in the form of a system configuration update notification. If clicked, the link can trigger interception of email or web traffic to and from Android phones.

Applying artificial intelligence to combat phishing

To match the speed, scale, and dynamic nature of phishing attacks, organizations must employ purpose-built artificial intelligence to analyze threat telemetry in real-time. For example, the Lookout Phishing AI service constantly scans the web for suspicious websites, synthesizes mass quantities of information, and applies complex algorithms to convict phishing sites often before they go live.

The steps below provide a high-level summary of the Phishing AI monitoring and analysis sequence:

  1. Web scan returns thousands of suspicious sites
  2. These sites are monitored in real-time to spot malicious characteristics as they develop
  3. Sites are classified and filtered out or advanced for more detailed analysis
  4. Further analysis reduces the sites to a smaller subset for advanced monitoring
  5. Advanced monitoring continues and triggers auto-convictions as soon as a certain confidence threshold is achieved.
  6. In more complicated cases, an event may be highlighted for analysis by a Lookout security intelligence researcher.
  7. In this case, a manual conviction is required.
  8. Following conviction, Lookout discretely notifies the targeted organization and shares select findings on Twitter @PhishingAI.

About Lookout Phishing AI

Lookout Phishing AI processes millions of events daily and applies intelligent machine learning analysis to identify malicious phishing sites as soon as, or even before, they go live. Having classified hundreds of millions of domains and URLs, Lookout Phishing AI feeds the Lookout Mobile Phishing Protection solution, which is available to customers running Lookout Mobile Endpoint Security on their iOS and Android devices. Additionally, Lookout proactively notifies organizations of phishing sites in order to enable rapid response to an attack that is underway, or in many cases to pre-empt an attack and execute a phishing site take-down.

Aaron Cockerill

About the Author: Aaron Cockerill

Aaron joined Lookout with nearly 20 years of software product management experience. As the Chief Strategy Officer, Aaron is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world. Most recently, he served as VP of Mobile Technologies at Citrix, where he and his team were responsible for the development of Citrix’s mobile apps and container technology, while driving the acquisition of Zenprise. Prior to working on mobile technologies, Aaron drove the creation of Citrix’s desktop virtualization product, XenDesktop, which grew into more than $1 billion yearly revenue for Citrix during his five years of leadership. Before joining Citrix, Aaron worked for Akamai leading product management on their enterprise content delivery solution as well as working on the development and deployment of many of Akamai’s advanced content delivery networking technologies. Prior to that, Aaron led product management for OneSoft’s e-commerce system, and he held multiple positions at BHP Billiton in Australia. He holds a BE Materials (Honors) from Wollongong University, Australia.

Read more posts from Aaron Cockerill ›

‹ BACK TO ALL BLOGS