Phishing, The Overlooked Mobile Threat

February 5, 2013 - By Tim Chiu

Most people associate phishing with email, but it is really a web security threat. It may start with an email made to look like it comes from a company or service you deal with on a regular basis, but almost every phishing attempt then tries to get you to log in or hand over other credentials on a fake web page set up to look like the real one. Usually the fake website uses some form of the company's name in the URL, and the email uses HTML to hide the name of the fake site while displaying a hyperlink that "shows" the right company name, to fool the end-user into clicking the bad link.
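The mismatch described above (anchor text naming one site, href pointing at another) can be checked mechanically on the email body. This is an added example, not code from the original post or from Blue Coat; the sample HTML is constructed, reusing the chase.com / indirelimmi.com domains the post discusses, and the two-label "registrable domain" shortcut is an assumption that ignores multi-label suffixes such as .co.uk.

```python
"""Flag HTML anchors whose visible text names a different host than their href."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A bare domain or URL appearing in the anchor's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Crude eTLD+1 (assumption: last two labels): 'www.chase.com' -> 'chase.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (shown_host, actual_host) for each anchor whose text names another site."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        shown = HOST_IN_TEXT.search(text)
        actual = urlparse(href).hostname  # None for mailto:, relative or empty hrefs
        if shown and actual and registrable(shown.group(1)) != registrable(actual):
            hits.append((shown.group(1), actual))
    return hits


# Constructed sample body modelled on the email shown later in the post.
SAMPLE_EMAIL = """<p>Please verify your account at
<a href="http://indirelimmi.com/login.php">chase.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.chase.com/help">www.chase.com</a>.</p>"""

if __name__ == "__main__":
    for shown, actual in mismatched_links(SAMPLE_EMAIL):
        print(f"link displays {shown!r} but points to {actual!r}")
```

The second, legitimate link (text and href both under chase.com) is not reported, so the check does exactly what the desktop browser's hover hint does, without relying on the user noticing it.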

While phishing continues to be a problem for traditional desktops and laptops, the problem is mitigated to some extent by desktop browsers such as Internet Explorer, Firefox, Safari, and Chrome, all of which help an end-user viewing webmail detect phishing by showing when a hyperlink points to a site other than the one displayed in its text. Below is an example of a phishing email viewed inside a web-based email client. The email contains a hyperlink displaying "chase.com", but it actually points to "indirelimmi.com", as shown by the browser in the bottom left-hand corner when the end-user hovers the cursor over the link. This should be an immediate red flag alerting the end-user to the fact that they are viewing a phishing email.
[Figure: Phishing Email, as viewed in a desktop web-based email client]

On a smartphone or a tablet, the same email can be viewed using either the native email client (the one built into the smartphone's operating system, or a native email application downloaded from an app store) or the web browser (going to the web-based email client). Typically the web-based email client will have a special version of the web page dedicated to mobile browsers, a mobile-specific site whose URL starts with "m" (referred to as the "m-dot" version of the web site). The "www" site will typically redirect automatically to the "m" site on detecting a mobile web browser.

But neither the native email client (the native client or native application) nor the mobile web browser email client available on a smartphone or tablet offers the end-user any help in determining that an email is fraudulent. Unlike the desktop browser, there is no display of where the URL actually links to, so there is no red flag to warn the user that they aren't really going to the bank's website. The native app view is on the left below, and the mobile web browser view on the right, of the same email we viewed above in the desktop web browser. As you can see, there is no indication in either view that the URL goes somewhere other than the bank's website.

[Figure: Mobile Phishing Email, native app view on the left and mobile web browser view on the right]

If that weren't enough of a risk, there is still another problem with mobile devices, and that's when the user actually touches the link on their smartphone or tablet and launches the web browser to go to the linked web site. In this case the device will likely launch the web browser and display a page similar to the one below. Unlike a desktop web browser, which usually displays the URL you're visiting prominently at the top of the screen (and thereby alerts you that you didn't actually go to the bank's web site), the mobile web browser has been designed to devote as much of the screen as possible to the web site, and many will automatically hide the URL of the site the end-user is visiting in order to give the best possible view of the web page. So once again the end-user isn't alerted to the fact that they didn't actually end up at the bank's web site, making it much more likely your end-user will inadvertently give away their personal and confidential data.

[Figure: Phishing site, as displayed in a mobile web browser with the URL bar hidden]

So what's the answer to stopping phishing and preventing your end-users from losing their confidential data? First, train your end-users to look for the telltale signs of phishing, such as misspelled words, bad grammar, and, on desktop browsers, links that do not actually go to the website they display. For mobile users, warn them to manually inspect the URL by dragging down the URL bar in their browser after clicking on links when the browser automatically hides URLs, especially after visiting sites that ask for login credentials and other personal information.

You should also help your end-users by putting web security on their corporate-owned mobile devices: specifically, web security that will block known phishing sites and identify new ones with real-time rating of new web sites. For those end-users who want to use their own personal mobile devices, you may want to consider implementing a BYOD (Bring Your Own Device) policy that requires end-users to have mobile web security on their device in order to access the corporate network, and to use a mobile web security solution that protects the end-user regardless of the network they read email and browse the web from. Blue Coat offers a Mobile Device Security Service (MDSS) that uses our Blue Coat Cloud Service to protect mobile device users from threats like phishing websites, on any network, in any location.