Slashdot Mirror


Mobile Users More Vulnerable To Phishing Attacks

Orome1 writes "Trusteer recently gained access to the log files of several web servers that were hosting phishing websites. Analyzing these log files provided visibility into how many users accessed the websites, when they visited them, whether they submitted their login information, and what devices they used to access the website. As soon as a phishing website is broadcast through fraudulent email messages the first systems to visit it are typically mobile devices. Most fraudulent emails call for immediate action. For example, they usually claim that suspicious activity has been detected in the user's account and that immediate action is required. Most victims who fall for this ploy will visit the phishing site quickly."

47 of 92 comments

  1. Re:iPhone phishing by windcask · · Score: 5, Informative

    Think about it. What percentage of iPhone users even know what an email header is, let alone how to look at it?

  2. Re:Pwnage disparity. by Monoman · · Score: 2

    A fool and his password ...

    --
    Keep the Classic Slashdot.
  3. Maybe mobile DEVICES are more vulnerable by clone53421 · · Score: 5, Insightful

    If mobile users can’t tell the difference between real sites and fraudulent ones, that says something about the mobile device’s web browser, IMHO.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    1. Re:Maybe mobile DEVICES are more vulnerable by Nadaka · · Score: 3, Informative

      Mobile users are used to having their browser detected as mobile and being shunted off to a simplified and barely functional mobile page.

      It is one of the reasons that I use firefox with a user agent fuzzer on my android phone.

    2. Re:Maybe mobile DEVICES are more vulnerable by windcask · · Score: 1

      My name is Michael Kristopeit. I live in Wisconsin.
      Present yourself to me and I will free you of your transgressions.
      For great justice.

    3. Re:Maybe mobile DEVICES are more vulnerable by clone53421 · · Score: 1

      If you’re not just trolling (which I very much suspect you are), care to explain what you meant by that?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    4. Re:Maybe mobile DEVICES are more vulnerable by cbiltcliffe · · Score: 1

      The timeline goes something like this:

      1. Phishing email is sent out.
      2. Desktop users won't check their email for several hours, because they're at work/away from their desk/in a meeting, but mobile user gets email immediately, because their device is on their belt.
      3. Mobile user provides username/password to fake site.
      4. Site gets noticed by server admin and taken down.
      5. Desktop user gets to their computer, reads email, checks site, and finds "404 - page not found".

      In other words, there's no story here.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  4. Re:iPhone phishing by clang_jangle · · Score: 1

    Think about it. What percentage of users even know what an email header is, let alone how to look at it?

    Fixed.

    --
    Caveat Utilitor
  5. Also poor email clients on mobile devices by Culture20 · · Score: 1

    My current mobile device, an iPhone, has a terrible native email client. There is no way to use text-only, view headers, or use pgp. I won't be surprised when a new email worm turns up that takes advantage of an image library that the iPhone mail.app uses. At least if I could view in text-only mode I wouldn't have to wait to click on suspected SPAM until I get to a real computer (Hey, you never know, "1 long 4u" might be an old girlfriend, not viagra SPAM).

    1. Re:Also poor email clients on mobile devices by clang_jangle · · Score: 1

      The article is wrong about the Blackberry. You can set it for text-only email, and if you highlight the "From:" field you'll see the sender's address in a tooltip. I'm quite pleased with email on the BB, and using the Bolt browser, BBSSH for ssh logins, RepliGo Reader, and just a few other carefully chosen apps the BB is pretty awesome. Of course it doesn't have the huge screen of a Droid or iPhone (they always seem to be cracked anyway within a few months, don't they?), but there's really no comparison if you're looking for security and worry-free utility.

      BTW, anyone who clicks a link in email for *anything* money-related is going to be screwed sooner or later, whether they're using an x86 machine or a mobile device.

      --
      Caveat Utilitor
  6. We created this problem by Simonetta · · Score: 1

    We created this problem when we created the web. It is our ('our' being us the people who make their living building and maintaining the web) responsibility to solve it. We can't just tell people to monitor the arcane technical details over what is basically an issue of massive amounts of unpunished fraud crime. If left unchecked, the criminals will just get better and better technology.

    We have to decide several things: one, we have to accept that law enforcement can not deal with this because they don't have the time and resources. So, it is our responsibility. Two, we have to decide what we are going to do about it. In other words, what will be effective in stopping this activity. Three: we have to do it. Which means we have to be cruel to people. Ordinary people who are just trying to make a sleazy buck. Cruel like in violence, because violence is the only way to enforce the law when the traditional law-enforcement mechanism can't respond.

    I suggest private sting operations. We set up or let it be known that we will set up phishing sites for people, and then apply violence to anyone who pays us money to do it. People will stop buying phishing site product.

    One big problem with this is the possibility that large criminal organizations will demand that we run the entrapment phishing sites for them. Being large criminal organizations, they have the resources of violence to make us do this. But then we can offer these people to traditional law enforcement. One more day in the 'system of power', as the Mafia calls it.

    But we should take care of this problem. Otherwise we can't claim that there is any real benefit to the citizens in using the internet that we have so painstakingly created.

    1. Re:We created this problem by DrgnDancer · · Score: 1

      Yeah, because it's not the least bit illegal to beat the shit out of people whom you personally determine to be guilty of a crime. Not to mention that on the Internet no one knows you're a dog. How do you know this guy you're going out to "sting" isn't a 6' 5", 250 pound multiple black belt and weapons expert? Nothing can possibly go wrong with your plan.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    2. Re:We created this problem by jc42 · · Score: 1

      But we should take care of this problem. Otherwise we can't claim that there is any real benefit to the citizens in using the internet that we have so painstakingly created.

      Um, we (the folks who brought you the Internet, including email) have done it. On the machine where my primary email address lives, the email software runs a program that does a pretty good job of testing each message for problems and giving a "spam" rank. I have my reader automatically file everything above a threshold in a "junk" folder, which I check occasionally for false positives. I can also add things like keywords (e.g., certain commercial domains) to the list of suspicious content patterns.

      This is hardly anything unusual. There are quite a lot of email packages out there that do a good job of fingering spam and malicious email. And there are a lot of people fighting the battle of keeping up with the bad guys and improving the ranking software.

      But there's one thing we can't (legally;-) do: We can't force people to use such software. If people want an iPhone, they get email software that's approved by Apple, and we have no power over Apple. No matter how good our anti-malware code is, Apple can nix it, and iPhone users won't have it.

      So don't say that we should take care of the problem. The people who should take care of it are the ones who decide what software will be delivered on the machines they sell to their customers. If they choose not to bother with the easily-available software that checks for spam, phishing, and other malware, there's not a thing we can do to force them to change their ways.

      Well, OK, we can publicize their failures. Like we've done here. Publicity isn't always successful, especially against corporations with billion-dollar marketing budgets, but it's really the only tool we have. Just providing the software doesn't work; we have copious examples to support that claim. So publicity is our only real recourse.

      One of the problems with publicity is that the corporations routinely respond by saying that we should tell only them, and let them fix the problem. We also have copious evidence that this doesn't work. Even the most responsive corporations (which does include Apple and Google) will sit on unannounced exploits for months or years, until we announce the exploits to the world. So the only real solution is to not bother telling them about problems. Or rather, we should be looking for exploits, sending them the details of each exploit, and shortly thereafter, announcing each exploit in an appropriate public forum. Experience shows that that's the only way we can get them to actually permit us to fix the problems.

      (I wonder if /. would be such a forum. We should watch and see if this discussion gets any response from the guilty parties. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    3. Re:We created this problem by TaoPhoenix · · Score: 1

      When you have his info look him up on Facebook!

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    4. Re:We created this problem by Opportunist · · Score: 1

      No. FUCKIN' NO!

      We created the web for US. No safety bars and no handrails. Why? 'cause we don't need them. We wanted something that "just works". And it did. For US. And for nobody else it was meant to be.

      If someone has to fix it, it's the people who want the tech illiterates to litter our web. I never wanted them to be here, and whether they are here or not is nothing I'd be interested in.

      Bluntly, it was a mistake to make the web "user friendly". A big mistake. Every roller coaster has a sign "you must be this tall to ride". We need a "you must be this intelligent to ride" entry bar.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:We created this problem by jc42 · · Score: 1

      Well, yeah, I read that. But he also suggested why a vigilante approach might not work too well. In particular, the phishing part is more and more being run by the organized crime crowd, who in many places function much like the government: If you hurt their people, they simply kill you. So we might want to be careful about which spammers and phishers we approach with our torches, pitchforks and clubs.

      A much safer approach would be to spread the existing (open, free) software that helps spot email bearing malware and trashes it. That's a lot harder for the crime bosses to pin on specific anonymous victims, since the effect is to silently ignore the malware. They don't know you're in on it, so they won't send Vinnie and Joe around to take you out.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  7. Not "Vulnerable" by eepok · · Score: 1

    The term is not "vulnerable". Users are only vulnerable to real world things. Users are, however, *gullible* and *susceptible* to phishing ploys. Especially iPhone users, apparently. *facepalm*

    1. Re:Not "Vulnerable" by MichaelKrisotpeit360 · · Score: 1

      Did your mother name you "MichaelKristopeit360?" Why do you cower? You're an ignorant hypocrite. Now pay the price by submitting to my transgressions.

  8. Re:iPhone phishing by DrgnDancer · · Score: 1

    No, you believe that iPhones are "fashion accessories and social opiates". In actual fact, something on the order of 75% of the people I work with use iPhones, and we're a mostly Unix systems and development shop. Of course you will now counter that they must not be very good at their jobs or make some other obvious slur, because in your mind only people who agree with you about every aspect of technology could possibly be competent. Nonetheless, we do quite well, our customers are usually very happy, and many of us use iPhones.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  9. Re:iPhone phishing by formfeed · · Score: 2

    A typical Blackberry user, while probably not a technical elite, has more years of experience using a computer than the iPhone user has been alive and has some semblance of an idea how email works, if just enough to become suspicious.

    But on the other hand, an iPhone can be used as a level for hanging pictures.

    iPhones are fashion accessories and social opiates.

    Only if you add some cool apps. Did you know that you can use the level app to find out at what angle you fall over?

  10. many intervening variables by Anonymous Coward · · Score: 1

    There seem to be a lot of intervening variables (between "gullible" and "mobile user") which are unaccounted for in TFA.

    Most of those are also likely magnified when "mobile user" is further reduced to "iphone user".

  11. Re:iPhone phishing by I8TheWorm · · Score: 1

    Ought to be modded insightful.

    While smartphones certainly existed before the iPhone, Apple was instrumental in putting them in the hands of non-techies. The stereotypical soccer mom isn't exactly the most tech savvy person out there.

    --
    Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  12. Re:iPhone phishing by mikael_j · · Score: 1

    My experience is that those who use "executive smartphones" (like blackberrys) are generally quite inept when it comes to tech but "compensate" for it by yelling at those geeks in the IT department whenever something goes wrong (which also results in them getting as much preemptive CYA protection as possible from the IT geeks).

    iPhone users on the other hand tend to be "regular people" without magic CxO powers which means they're left to fend for themselves.

    --
    Greylisting is to SMTP as NAT is to IPv4
  13. Re:iPhone phishing by jc42 · · Score: 1

    So the lesson is, if you use an iPhone - don't click on that link until you check out the full email header on a PC.

    And this is a good hint at a major problem with mobile email: The user isn't generally allowed to see the full headers. I have a G1 (Android) with gmail installed. I've tried to find the email headers on several occasions, and as far as I can tell, there's no way to see them. And this isn't just a problem on Android; I also read my gmail from my linux and Mac computers, and I can't see the headers there, either. This is why my preferred email address is on an academic unix (FreeBSD) machine where I can run any of several mail readers, all of which show me the headers. And I can also use the low-level text-only mail(1) command. And I can read my mail with vi.

    I get the impression that most GUI email readers don't show the headers because their authors consider their users too stupid to understand email headers. For those of us that aren't that stupid, it's not hard to see the symptoms of a phishing attack -- if we are permitted access to the full email message. But I suppose we're a small minority, so the suppliers of commercial email software see no reason to cater to us.

    The frustrating part of this is that you know the software has all the headers, and could show them to us as easily as it shows the contents of the From: and Subject: lines. So denying us access to the rest of the headers is done with malice aforethought, and leads to this sort of susceptibility to phishing. Either that, or users learn to not read mail from strangers when using the limited (or limiting) commercial email readers.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  14. Re:iPhone phishing by philj · · Score: 3, Interesting

    iPhone users are 8 times more likely to engage phishing websites than Blackberry users. iPhone users account for 26% of the mobile market, Blackberry is 36%.

    I imagine this is because most Blackberrys are corporate phones and the phishing emails will never reach their corporate mailboxes in the first place.

    iPhone users on the other hand will be more likely to use hotmail/yahoo mail etc, which aren't as good at removing such mails, making the percentage of emails delivered to the device higher, hence the number of phishing website click-throughs higher.

    Just my thoughts, based on no data.

  15. Re:iPhone phishing by Monkeedude1212 · · Score: 1

    A typical Blackberry user, while probably not a technical elite, has more years of experience using a computer

    I think you are being generous to the Blackberry users.

    In my work as a help desk technician, who tirelessly has to make sure everyone's email works on Blackberry, iPhone, Android, WinMobile, etc - I've learned that unless you are competent enough with computers to know how to avoid malware you are not any safer or more capable with your phone than any other phone provider.

    Simply "Using windows longer" does not constitute any more strength against malware attacks. My parents have used Windows for almost as long as I have been alive, yet they still manage to catch something new every year.

  16. This just in! by Anonymous Coward · · Score: 1

    Mobile users have crummy email browsers that don't display full headers. Film at 11.

    Sheesh.

    1. Re:This just in! by clang_jangle · · Score: 1

      So much talk about headers in this discussion, but spoofing email headers is really not that hard. The real answer is don't click on links in email for anything that in any way involves the use of financial services of any description. I shop amazon (on a computer) all the time, and I don't even click on links in emails they send me. Why would I need to? Only takes a moment to login manually via https. And just because your carrier provides a "mobile banking" app doesn't mean they provide a secure enough network to safely use it! For those few cases where I need to buy something via smartphone I have one paypal account (not tied to a card or bank) just for that. If it gets compromised, the most I could lose is two or three hundred dollars. Don't kid yourself -- the internet is dangerous, and cell networks are potentially much more so.

      --
      Caveat Utilitor
  17. Re:iPhone phishing by Duradin · · Score: 1

    It would seem Apple bashing is a fashion accessory and social opiate around here.

    Gotta love the /. hipsters.

  18. Re:iPhone phishing by zach_the_lizard · · Score: 2

    75% of iPhone users are above 25 years old, according to an April 2009 survey. RIM itself, in a 2010 leaked powerpoint, estimated their own users at 36.7 years old, with the other smartphone users being 35.8. Still other surveys show that the iPhone has just about 50% of its users 35 and above.

    Blackberry users, though they might be a little older, probably aren't so much older that they've been using a computer longer than the average iPhone user has been alive.

    --
    SSC
  19. Re:iPhone phishing by josepha48 · · Score: 1

    Actually most mobile clients do not show email headers, nor do they show URLs like a browser's location bar. So if the title says wells fargo and looks like wells fargo then how are they gonna know the location is actually youjustgothackedonyourmobile.com

    --
    Only 'flamers' flame!

  20. Re:iPhone phishing by windcask · · Score: 1

    youjustgothackedonyourmobile.com

    More like onlein-banking.co.za or welsfargo.ru.
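
The threshold-based "spam rank" filter jc42 describes earlier in the thread, applied to the two cues raised just above (link text that shows one site while the href goes elsewhere, and look-alike domains such as welsfargo.ru): an added example in Python, not code from Slashdot, Trusteer or any commenter. The trusted-domain list, urgency phrases, weights, the anchor regex and both sample messages are constructed assumptions.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"wellsfargo.com", "amazon.com", "paypal.com"}  # assumed per-user list
URGENCY_PHRASES = ("immediate action", "suspicious activity", "verify your account")
JUNK_THRESHOLD = 5  # a message scoring at or above this is filed as junk
# Simplified anchor matcher (assumption); a real client would walk the HTML tree.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed lure modelled on the thread: brand in From, look-alike Return-Path and href.
SAMPLE_PHISH = """\
From: Wells Fargo Security <alerts@wellsfargo.com>
Return-Path: <bounce@welsfargo.ru>
Subject: Suspicious activity detected - immediate action required
Content-Type: text/html

<p>We detected suspicious activity. Immediate action is required.</p>
<p><a href="http://welsfargo.ru/login">https://www.wellsfargo.com/account</a></p>
"""
# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: Amazon <order-update@amazon.com>
Return-Path: <bounces@amazon.com>
Subject: Your order has shipped
Content-Type: text/html

<p>Track it at <a href="https://www.amazon.com/orders">amazon.com/orders</a></p>
"""

def host_of(s):
    """Hostname of a URL or of bare text such as 'amazon.com/orders'; '' if it has none."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return host if all(host.split(".")) else ""

def registered_domain(host):
    """Crude eTLD+1 (last two labels); a real filter would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host):
    """Trusted domain whose brand label this host's label closely resembles, else None."""
    reg = registered_domain(host)
    if not host or reg in TRUSTED_DOMAINS:
        return None
    label = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        if difflib.SequenceMatcher(None, label, trusted.split(".")[0]).ratio() >= 0.85:
            return trusted
    return None

def phishing_score(raw):
    """Return (score, reasons) for a raw RFC 822 message; the weights are assumptions."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_host = parseaddr(str(msg.get("From", "")))[1].partition("@")[2]
    rp_host = parseaddr(str(msg.get("Return-Path", "")))[1].partition("@")[2]
    if from_host and rp_host and registered_domain(from_host) != registered_domain(rp_host):
        reasons.append((3, f"Return-Path {rp_host} does not match From {from_host}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(text):
        href_host = host_of(href)
        label_host = host_of(re.sub(r"<[^>]+>", "", label))  # what the user actually sees
        if label_host and registered_domain(label_host) != registered_domain(href_host):
            reasons.append((3, f"link text shows {label_host} but goes to {href_host}"))
        imitated = lookalike_of(href_host)
        if imitated:
            reasons.append((3, f"{href_host} imitates {imitated}"))
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    reasons += [(1, f"urgency cue: {p!r}") for p in URGENCY_PHRASES if p in haystack]
    return sum(w for w, _ in reasons), reasons

def classify(raw):
    """File the message the way jc42's reader does: junk at or above the threshold, else inbox."""
    return "junk" if phishing_score(raw)[0] >= JUNK_THRESHOLD else "inbox"
```

Run against the two samples, the lure scores 11 (mismatched Return-Path, link text pointing elsewhere, a look-alike domain, two urgency cues) and is filed as junk, while the benign message scores 0.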

  21. Re:iPhone phishing by Anonymous Coward · · Score: 1

    And for every guy/girl that makes a living administrating Unix and has an iPhone, there are 100,000 other people that have an iPhone that have never heard of Unix. What is your point? Of those 100,000 per unix administrator, 99,900 of them never owned a non Apple smartphone and 99,500 of them can't even name a non Apple smartphone by model number, so to say they never compared and chose an iPhone because of usability or function over some other choice because they never looked or know that other choices exist. That is the reason the parent claimed iPhones are "fashion accessories and social opiates". Statistically, I see it around me en masse regardless of the small number of "geeks" that own one as well.

  22. Re:iPhone phishing by mcgrew · · Score: 1

    iPhone users on the other hand tend to be "regular people" without magic CxO powers

    That's been my observation. I see suits and blackberries at work, iPhones and blue jeans at the bar (even though they are the expensive jeans; most people in that bar have normal phones).

  23. Re:iPhone phishing by zach_the_lizard · · Score: 1

    And the links above seem to suggest that that stereotype (at least as far as age goes) is not so accurate. iPod touch? Yeah, the vast majority of people who own those are 13-17. iPhone? Nope; the same proportion is above 25.

    --
    SSC
  24. Re:iPhone phishing by hedwards · · Score: 1

    Part of the problem is that tricks that you have available on a desktop interface to do a check of the actual URL aren't available on mobile devices. I know that the only way I can know what a link is for is by cutting and pasting it, whereas with my desktop I can hover over it. Worse due to the size constraints on my screen, I can't count on seeing the entire URL.

    I'm using a Nexus One, but I suspect that to be a fairly common problem on mobile platforms.

  25. Re: phishing by Anonymous Coward · · Score: 1

    I see no reason to use mail headers. It's obscure and "nobody" (general public) will know how to read them.

    If people had a semblance of intelligence, they would know that email is inherently untrusted. EVEN if you had a game account, bank account, etc. with the phished company in question, I would never click on any link inside the email. I would go directly to the site itself by typing into a browser. Any notices that go through the email can be easily navigated or noted through the site itself.

    There's my defense, preventing me from ever getting phished. Simple and even a retarded phone user can do it.

    But they won't, because they want their shinies immediately.

  26. Re:iPhone phishing by Requiem18th · · Score: 1

    But it run Apps! I dare you run Apps in your conpooter

    --
    But... the future refused to change.
  27. Re:Actual headline by initdeep · · Score: 1

    SERIOUSLY?

    and where did those white people in New Zealand and Australia come from.......

  28. Re:iPhone phishing by toleraen · · Score: 1

    Holy mother of Moses, I get to brag about Windows Mobile for a second!

    Every time I click a link in an email it displays the full text of the link and asks me to confirm that I want to go to that website.

  29. Re:iPhone phishing by businessnerd · · Score: 1

    I imagine it also has to do with how terrible the web browser is on most Blackberries. I haven't used the new Blackberry OS 6 browser that uses WebKit, but every BB running OS 5 and later has a slow clunky browser that often fails to render pages correctly. When I receive an e-mail on my BB that requires immediate action be taken on a website, sometimes I might try on the phone itself, but half the time I do, the page has issues loading or login doesn't work or some other javascript error keeps things from working the way they are supposed to. Knowing this, I usually don't even bother attempting this on the phone. When browsing, I generally try to stick to mobile sites for this same reason. Another point too, is that it seems there is still a slim majority of BB users that have the Curve 83XX model, which is pretty outdated by modern smartphone standards. Users of these devices rarely use the web browsers or use any of the other "smart" features of the phone other than e-mail, SMS and maybe BBM.

    --
    "It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
  30. Re:iPhone phishing by Opportunist · · Score: 1

    No. But the typical Blackberry user has an admin he can call and tell "solve that problem for me" which usually results in "No worries, boss, it's a phishing site, you didn't go there? No? Ok, then I'll take care of it, shouldn't take longer than an hour or two".

    Dammit, I'm outta rockets...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  31. Re:iPhone phishing by fizzup · · Score: 1

    I never click any link in an email I get on my Blackberry, because Blackberry's browser sucks poop. And I mean a lot of poop. Like, through one of those big fat "bubble tea" straws. Ssssssssshhhhhhhhthug! Eww, that was a yucky experience. Like that. Poop.

  32. It doesn't matter if they know.. by Leon+Buijs · · Score: 1

    You can't look at the email headers on an iPhone, the mail app has no option for it.

  33. Re:iPhone phishing by zach_the_lizard · · Score: 1

    It doesn't matter, because the survey was through the browser, not at the store while you purchase the device / contract. If the parents get their kid an iPhone, it will show up in the survey as the kid's (since he's the one actually using it).

    --
    SSC
  34. That'll be me then by naich · · Score: 1

    If I have the time, I always visit a new phishing site and put in bank details. Not real ones, obviously. I'm hoping that maybe there is a slim chance that somewhere out there, I might have just annoyed a phisher.

  35. Re:iPhone phishing by assassinator42 · · Score: 1

    To see the full source (including headers) of an email in GMail, click on the arrow on the right of reply then "Show Original".
    I also don't see any way to do this in GMail for Android or even the GMail mobile website.