Phishing attacks aren’t nearly as successful as they used to be because by now people have learned to look out for the emails that ask them to provide sensitive details. While this is true for emails, it seems that pioneering attackers have embraced other ways of carrying out phishing attacks, namely through messaging services such as WhatsApp, Skype, and even plain old SMS.
Mobile Phishing
Mobile phishing is an issue that shows no signs of abating anytime soon. According to Verizon, 90% of their recorded data breaches began with a phishing attack and right now mobile is an increasingly common attack vector.
Recent research from Wandera shows a new trend among cyber-criminals toward mobile phishing. Every day, dozens of new attacks are detected and many of them last less than a day before being shut down and relocated elsewhere. These phishing attacks share many standard features, notably centering around the use of WhatsApp.
Distribution Methods
Now that there is widespread awareness of the dangers of email-based phishing attacks, many savvy cyber-criminals are moving on to other vectors that allow them to attack mobile devices. Many such attacks center on WhatsApp as both the initial method of delivery and the way to reach more targets after each success.
It isn’t just the awareness that has led to this shift. Email clients and providers have many built-in tools that identify any potential phishing emails and alert the user or automatically delete the email.
In contrast, there are no such security measures for SMS or for app-based messaging services. Given the sheer number of different messaging apps out there, it is challenging to develop a catch-all defense against mobile phishing attacks. This results in mobile-based attacks being at least three times more effective than the phishing that takes place on the desktop. Without any doubt, mobile providers should make further investments into raising cybersecurity awareness and improving it on mobile.
Exploiting WhatsApp
Unlike with phishing emails, which are often flagged as potentially malicious, there is no filtering or alert system on WhatsApp either. When a user receives a link on WhatsApp, it usually generates a preview of that website’s logo and page title. These are easy for an attacker to fake but might give a phishing message enough of a veneer of legitimacy for the user to get caught off guard.
Malicious Domains
The links that phishing messages contain often look legitimate. However, if the user clicks through, they will be taken to a page that also appears legitimate but, in fact, is owned by the attackers. These phishing pages often resemble the login pages of the websites and services the user visits regularly. However, this isn’t always the case. For example, some phishing pages present the user with the opportunity to claim a prize, or to make a purchase at a massively discounted price.
Whatever the specific setup of the malicious page, its goal is to encourage the user to hand over personal information that the attacker can exploit in some way. Just as phishing emails have become more sophisticated, so have the web pages used to phish victims. Many of them are now incorporated into Facebook comments and other social media features that give the impression of a dynamic webpage with a legitimate function.
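A defender-side check for the two points above, the easily faked link preview and the legitimate-looking link, as an added example that is not part of the original article: it flags a message whose preview title names a brand while the link's host does not belong to that brand. The brand allow-list, function names and sample messages are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> domains that brand really uses (assumed values).
BRAND_DOMAINS = {
    "whatsapp": {"whatsapp.com"},
    "skype": {"skype.com"},
}

def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_preview(title, url, brand_domains=BRAND_DOMAINS):
    """Return the brands named in the preview title that the link host does not belong to."""
    host = host_of(url)
    claimed = title.lower()
    mismatched = []
    for brand, domains in brand_domains.items():
        if brand in claimed and not any(belongs_to(host, d) for d in domains):
            mismatched.append(brand)
    return sorted(mismatched)

# Constructed sample messages: (preview title, link).
SAMPLES = [
    ("WhatsApp - Claim your prize", "https://whatsapp.com.prize-claim.example/win"),
    ("WhatsApp FAQ", "https://faq.whatsapp.com/"),
    ("Skype login", "http://skype-login.example/signin"),
    ("Weather today", "https://weather.example/"),
]

def scan(samples=SAMPLES):
    """Pair each sample link with the brands its preview title claims but its host lacks."""
    return [(url, check_preview(title, url)) for title, url in samples]

if __name__ == "__main__":
    for url, brands in scan():
        print("SUSPICIOUS" if brands else "ok", url, brands)
```

The first sample shows why the comparison is made against the end of the hostname: a brand name placed at the front of an attacker-owned host does not make the host part of the brand's domain.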
How to Stay Safe
So, how can you defend yourself against these phishing attacks? Being vigilant is the most important thing. If it seems strange that a particular service is messaging you and asking for personal information, don’t hand it over! Only ever give your login details when you have approached the service yourself, not when they come to you asking for them.
It is also a good idea to get yourself a VPN, which will go some way toward protecting you from spear phishing attacks. These are phishing messages and websites that have been crafted for a specific individual.
Generally, attackers that use spear phishing will know their target and what message to use to lull them into a false sense of security.
It perhaps isn’t surprising that enterprising cybercriminals are making inroads in the mobile space. However, awareness of this particular type of attack remains low. Be wary of any unsolicited messages you receive from an online service, and don’t trust a link that you didn’t ask for.