The fact that hackers are increasingly targeting mobile devices isn’t exactly a secret. And really, it’s not surprising either. After all, most of us are practically glued to our smartphones throughout the day.-URL Padding
An SMS arrived? Better read it straight away.
New email? Let me at it.
Somebody, I don’t care about updating their Facebook status? Great, let’s see what they’re up to.
The increased attack volume we’re seeing directed at mobile devices is really nothing more than recognition on the part of threat actors that mobile devices account for an increasingly large proportion of web traffic… but aren’t nearly as well protected as PCs and laptops.
So with all that in mind, it shouldn’t be terribly surprising that we have a new mobile phishing threat to tell you about.
If you’re a regular reader of our blog, you may remember that back in March we published a post on the use of top level domains (TLDs) for phishing sites. In that post, we highlighted the use of generic (i.e., non-geographic) TLDs such as .support and .cloud to create URLs that appear to be authentic. For example:
Now, instead of using these gTLDs so simulate authenticity, threat actors have identified a new way to create believable URLs, and it’s focussed exclusively on the mobile market. Instead of trying to create legitimate-looking URLs, threat actors have started including real, legitimate domains within a larger URL, and padding it with hyphens to obscure the real destination.
For instance, check out this phishing site URL:
Although it starts with m.facebook.com (the genuine path for Facebook mobile) the actual domain, in this case, is rickytaylk.com.
Now, you might be thinking that this doesn’t look particularly convincing. And you’re right… until we see what happens when it’s loaded in a mobile browser.
Not so obvious, now, is it? In fact, with the phishing site set up as an almost perfect replica of Facebook’s genuine mobile login page, and the clever addition of the Facebook favicon in the address bar, this site looks remarkably genuine.
Here are a few more examples, with the real domain highlighted in bold:
In each case, these tactics of padding the URL with hyphens makes it possible to obscure the real domain and make it appear as though the victim has been directed to a legitimate website. To take things a stage further, in most cases another legitimate-seeming word (e.g., login, secure, account) has been inserted immediately following the string of hyphens, further adding to the illusion of authenticity.
The trouble with mobile devices is that even people who are normally security conscious treat them differently. As a population, we’ve been conditioned to check our phones constantly and to browse or follow links in a far more lackadaisical manner than we would on a desktop or laptop.
As a result, we’re generally paying far less attention to any warning signs that might crop up.
In this case, although we haven’t yet managed to get our hands on any lures, it’s highly likely that this tactic is being distributed via SMS phishing or through a social messenger, rather than email. As a result, the sensible parts of our brain, that have learned over the years that email contains a lot of spam, just aren’t turned on.
And it goes a stage deeper.
One of the most effective tactics for identifying malicious websites before visiting them is to hover over links in an email and check the destination URL. If you were to take this approach, the example URLs we’ve given above almost certainly wouldn’t fool you.
But in an SMS message, this approach just isn’t possible. Until you visit the site, you have no way of knowing whether it’s legitimate. And, as we’ve already seen, once you’re there the URL padding approach is highly effective at obscuring the site’s real domain.
Since the end of January, we’ve observed more than 50 attacks of this type, and numbers have really started to pick up since March. But why go to all this trouble just to steal login details?
After all, while Apple, Comcast, Craigslist, and OfferUp have all been targeted, it’s Facebook that accounts for easily the highest proportion of attacks.
Well, the first (and easiest) answer is password reuse. As we pointed out a while back, most people use the same email and password combination for almost all of their accounts, so stealing a single set of credentials can actually be highly profitable.
But this tactic isn’t just about password reuse. In reality, the fact that Facebook is the most heavily targeted organization indicates an entirely different motive.
Instead of trying to profit directly, we believe threat actors are looking to use individuals’ Facebook accounts to send out even more phishing lures via status updates or private messages. And as we’ve already noted, most people have been conditioned to check mobile notifications immediately, making this a highly effective tactic.
If you’re going to avoid falling for the ever-evolving tactics of phishers, you must accept the fact that not all digital communications are legitimate.
And that doesn’t just mean email anymore. Most people have finally accepted that spam is an inevitable side effect of email, but they still assume SMS messages and social media posts are inherently risk-free.
We know logically that Facebook doesn’t send out login links via SMS. Why would they? But as long as we’re trapped in the semi-conscious world of mobile browsing, we click on them anyway.
This cannot continue.
If we just stop to think for a moment before clicking on a link, or following instructions, things become clearer. And, once we’re paying attention, it won’t matter how legitimate a URL appears in our mobile browser… because we’ll never get there in the first place.
An article by Crane Hassold, Senior Security Threat Researcher