Mobile Users More Vulnerable To Phishing Attacks
Orome1 writes "Trusteer recently gained access to the log files of several web servers that were hosting phishing websites. Analyzing these log files provided visibility into how many users accessed the websites, when they visited them, whether they submitted their login information, and what devices they used to access the website. As soon as a phishing website is broadcast through fraudulent email messages the first systems to visit it are typically mobile devices. Most fraudulent emails call for immediate action. For example, they usually claim that suspicious activity has been detected in the user's account and that immediate action is required. Most victims who fall for this ploy will visit the phishing site quickly."
So, after reading the summary, we can conclude that the actual headline should be:
Mobile users more up to date with email than desktop users!
*facepalm*
which is totally what she said
Think about it. What percentage of iPhone users even know what an email header is, let alone how to look at it?
A fool and his password ...
Keep the Classic Slashdot.
sure, and the typical blackberry user knows the difference between http 1.0 and http 1.1 ?
If mobile users can’t tell the difference between real sites and fraudulent ones, that says something about the mobile device’s web browser, IMHO.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Fixed.
Caveat Utilitor
My current mobile device, an iPhone, has a terrible native email client. There is no way to use text-only, view headers, or use pgp. I won't be surprised when a new email worm turns up that takes advantage of an image library that the iPhone mail.app uses. At least if I could view in text-only mode I wouldn't have to wait to click on suspected SPAM until I get to a real computer (Hey, you never know, "1 long 4u" might be an old girlfriend, not viagra SPAM).
We created this problem when we created the web. It is our ('our' being us the people who make their living building and maintaining the web) responsibility to solve it. We can't just tell people to monitor the arcane technical details over what is basically an issue of massive amounts of unpunished fraud crime. If left unchecked, the criminals will just get better and better technology.
We have to decide several things: one, we have to accept that law enforcement can not deal with this because they don't have the time and resources. So, it is our responsibility. Two, we have to decide what we are going to do about it. In other words, what will be effective in stopping this activity. Three: we have to do it. Which means we have to be cruel to people. Ordinary people who are just trying to make a sleazy buck. Cruel like in violence, because violence is the only way to enforce the law when the traditional law-enforcement mechanism can't respond.
I suggest private sting operations. We set up or let it be known that we will set up phishing sites for people, and then apply violence to anyone who pays us money to do it. People will stop buying phishing site product.
One big problem with this is the possibility that large criminal organizations will demand that we run the entrapment phishing sites for them. Being large criminal organizations, they have the resources of violence to make us do this. But then we can offer these people to traditional law enforcement. One more day in the 'system of power', as the Mafia calls it.
But we should take care of this problem. Otherwise we can't claim that there is any real benefit to the citizens in using the internet that we have so painstakingly created.
The term is not "vulnerable". Users are only vulnerable to real world things. Users are, however, *gullible* and *susceptible* to phishing ploys. Especially iPhone users, apparently. *facepalm*
No, you believe that iPhones are "fashion accessories and social opiates". In actual fact, something on the order of 75% of the people I work with use iPhones, and we're a mostly Unix systems and development shop. Of course you will now counter that they must not be very good at their jobs or make some other obvious slur, because in your mind only people who agree with you about every aspect of technology could possibly be competent. Nonetheless, we do quite well, our customers are usually very happy, and many of us use iPhones.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
lul whut?
The lesson is actually don't click on the damn links for any reason. If they're legitimate a Google search will get you to their homepage from which you can address the issue.
Analyzing the header is just unnecessary geek-wankery.
If someone can be suckered into paying the $$$ for a mobile internet device and suckered into the horrid price for the data plan and a locked in contract to subsidize the POS... that someone is a good candidate for being suckered on anything else.
A typical Blackberry user, while probably not a technical elite, has more years of experience using a computer than the iPhone user has been alive and has some semblance of an idea how email works, if just enough to become suspicious.
But on the other hand, an iPhone can be used as a level for hanging pictures.
iPhones are fashion accessories and social opiates.
Only if you add some cool apps. Did you know that you can use the level app to find out at what angle you fall over?
There seem to be a lot of intervening variables (between "gullible" and "mobile user") which are unaccounted for in TFA.
Most of those are also likely magnified when "mobile user" is further reduced to "iphone user".
Ought to be modded insightful.
While smartphones certainly existed before the iPhone, Apple was instrumental in putting them in the hands of non-techies. The stereotypical soccer mom isn't exactly the most tech savvy person out there.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Wow. You is right! I wish I was an e-mail badass like you!
My experience is that those who use "executive smartphones" (like blackberrys) are generally quite inept when it comes to tech but "compensate" for it by yelling at those geeks in the IT department whenever something goes wrong (which also results in them getting as much preemptive CYA protection as possible from the IT geeks).
iPhone users on the other hand tend to be "regular people" without magic CxO powers which means they're left to fend for themselves.
Greylisting is to SMTP as NAT is to IPv4
So the lesson is, if you use an iPhone - don't click on that link until you check out the full email header on a PC.
And this is a good hint at a major problem with mobile email: The user isn't generally allowed to see the full headers. I have a G1 (Android) with gmail installed. I've tried to find the email headers on several occasions, and as far as I can tell, there's no way to see them. And this isn't just a problem on Android; I also read my gmail from my linux and Mac computers, and I can't see the headers there, either. This is why my preferred email address is on an academic unix (FreeBSD) machine where I can run any of several mail readers, all of which show me the headers. And I can also use the low-level text-only mail(1) command. And I can read my mail with vi.
I get the impression that most GUI email readers don't show the headers because their authors consider their users too stupid to understand email headers. For those of us that aren't that stupid, it's not hard to see the symptoms of a phishing attack -- if we are permitted access to the full email message. But I suppose we're a small minority, so the suppliers of commercial email software see no reason to cater to us.
The frustrating part of this is that you know the software has all the headers, and could show them to us as easily as it shows the contents of the From: and Subject: lines. So denying us access to the rest of the headers is done with malice aforethought, and leads to this sort of susceptibility to phishing. Either that, or users learn to not read mail from strangers when using the limited (or limiting) commercial email readers.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
iPhone users are 8 times more likely to engage phishing websites than Blackberry users. iPhone users account for 26% of the mobile market, Blackberry is 36%.
I imagine this is because most Blackberrys are corporate phones and the phishing emails will never reach their corporate mailboxes in the first place.
iPhone users on the other hand will be more likely to use hotmail/yahoo mail etc, which aren't as good at removing such mails, making the percentage of emails delivered to the device higher, hence the number of phishing website click-throughs higher.
Just my thoughts, based on no data.
No, we just say that the statistics show that they are likely to visit phishing sites.
A typical Blackberry user, while probably not a technical elite, has more years of experience using a computer
I think you are being generous to the Blackberry users.
In my work as a help desk technician, who tirelessly has to make sure everyone's email works on Blackberry, iPhone, Android, WinMobile, etc - I've learned that unless you are competent enough with computers to know how to avoid malware you are not any safer or more capable with your phone than any other phone provider.
Simply "Using windows longer" does not constitute any more strength against malware attacks. My parents have used Windows for almost as long as I have been alive, yet they still manage to catch something new every year.
Mobile users have crummy email browsers that don't display full headers. Film at 11.
Sheesh.
It would seem Apple bashing is a fashion accessory and social opiate around here.
Gotta love the /. hipsters.
75% of iPhone users are above 25 years old, according to an April 2009 survey. RIM itself, in a 2010 leaked PowerPoint, estimated their own users at 36.7 years old, with the other smartphone users being 35.8. Still other surveys show that the iPhone has just about 50% of its users 35 and above.
Blackberry users, though they might be a little older, probably aren't so much older that they've been using a computer longer than the average iPhone user has been alive.
SSC
Actually most mobile clients do not show email headers nor do they show URLs like a browser's location bar. So if the title says wells fargo and looks like wells fargo then how are they gonna know the location is actually youjustgothackedonyourmobile.com?
Only 'flamers' flame!
All I was trying to say was when I think of a RIM user, I think small business owner, 40-50 years old. When I think iPhone, I think a Facebook-obsessed teenager.
youjustgothackedonyourmobile.com
More like onlein-banking.co.za or welsfargo.ru.
And for every guy/girl that makes a living administrating Unix and has an iPhone, there are 100,000 other people that have an iPhone that have never heard of Unix. What is your point? Of those 100,000 per Unix administrator, 99,900 of them never owned a non-Apple smartphone and 99,500 of them can't even name a non-Apple smartphone by model number so to say they never compared and chose an iPhone because of usability or function over some other choice because they never looked or know that other choices exist. That is the reason the parent claimed iPhones are "fashion accessories and social opiates". Statistically, I see it around me en masse regardless of the small number of "geeks" that own one as well.
iPhone users on the other hand tend to be "regular people" without magic CxO powers
That's been my observation. I see suits and blackberries at work, iPhones and blue jeans at the bar (even though they are the expensive jeans; most people in that bar have normal phones).
Free Martian Whores!
Think about it. What percentage of EMAIL users even know what an email header is, let alone how to look at it?
And the links above seem to suggest that that stereotype (at least as far as age goes) is not so accurate. iPod touch? Yeah, the vast majority of people who own those are 13-17. iPhone? Nope; the same proportion is above 25.
SSC
Part of the problem is that tricks that you have available on a desktop interface to do a check of the actual URL aren't available on mobile devices. I know that the only way I can know what a link is for is by cutting and pasting it, whereas with my desktop I can hover over it. Worse due to the size constraints on my screen, I can't count on seeing the entire URL.
I'm using a Nexus One, but I suspect that to be a fairly common problem on mobile platforms.
I see no reason to use mail headers. It's obscure and "nobody" (general public) will know how to read them.
If people had a semblance of intelligence, they would know that email is inherently untrusted. EVEN if you had a game account, bank account, etc. with the phished company in question, I would never click on any link inside the email. I would go directly to the site itself by typing into a browser. Any notices that go through the email can be easily navigated or noted through the site itself.
There's my defense, preventing me from ever getting phished. Simple and even a retarded phone users can do it.
But they won't, because they want their shinies immediately.
But it run Apps! I dare you run Apps in your conpooter
But... the future refused to change.
Holy mother of Moses, I get to brag about Windows Mobile for a second!
Every time I click a link in an email it displays the full text of the link and asks me to confirm that I want to go to that website.
and how many of those iPhones are "sold" to the parents in a household, yet used by the teenage children/under 25 college student in the household and on the parents phone plan.......
I can think of about 50 in my somewhat small circle of friends alone.....
How does one view email headers on the iPhone? Also, on the desktop, one can hover the mouse over any links to see the target. On the iPhone, one can click, but not hover. For those reasons I don't click on links in email on my iPhone.
I imagine it also has to do with how terrible the web browser is on most Blackberries. I haven't used the new Blackberry OS 6 browser that uses WebKit, but every BB running OS 5 and later has a slow clunky browser that often fails to render pages correctly. When I receive an e-mail on my BB that requires immediate action be taken on a website, sometimes I might try on the phone itself, but half the time I do, the page has issues loading or login doesn't work or some other javascript error keeps things from working the way they are supposed to. Knowing this, I usually don't even bother attempting this on the phone. When browsing, I generally try to stick to mobile sites for this same reason. Another point too, is that it seems there is still a slim majority of BB users that have the Curve 83XX model, which is pretty outdated by modern smartphone standards. Users of these devices rarely use the web browsers or use any of the other "smart" features of the phone other than e-mail, SMS and maybe BBM.
"It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
No. But the typical Blackberry user has an admin he can call and tell "solve that problem for me" which usually results in "No worries, boss, it's a phishing site, you didn't go there? No? Ok, then I'll take care of it, shouldn't take longer than an hour or two".
Dammit, I'm outta rockets...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I never click any link in an email I get on my Blackberry, because Blackberry's browser sucks poop. And I mean a lot of poop. Like, through one of those big fat "bubble tea" straws. Ssssssssshhhhhhhhthug! Eww, that was a yucky experience. Like that. Poop.
My phone will not allow me to see email headers or source and either filters out or breaks PGP and SSL signatures so how can I judge the authenticity of any piece of email? Also, the mobile browsers OpenWave and Opera make it tedious, if not difficult or impossible to view page source.
[Y]et they still manage to catch something new every year.
Maybe they shouldn't sleep around so much.
You can't look at the email headers on an iPhone, the mail app has no option for it.
It doesn't matter, because the survey was through the browser, not at the store while you purchase the device / contract. If the parents get their kid an iPhone, it will show up in the survey as the kid's (since he's the one actually using it).
SSC
If I have the time, I always visit a new phishing site and put in bank details. Not real ones, obviously. I'm hoping that maybe there is a slim chance that somewhere out there, I might have just annoyed a phisher.
To see the full source (including headers) of an email in GMail, click on the arrow on the right of reply then "Show Original".
I also don't see any way to do this in GMail for Android or even the GMail mobile website.