Most of us are no strangers to receiving Short Message Service (SMS) messages containing links to phishing sites or invitations to online betting sites. These are usually ignored, since they are easily identified as dubious. Having said that, a friend of mine recently received an SMS, supposedly from one of our local banks, informing him of a newly added payee. Despite recognising the SMS as a clear tell-tale sign of phishing, he clicked on the provided link out of curiosity.
A banking site that looked similar enough to rival the genuine one appeared on his phone, and he decided to type the same Uniform Resource Locator (URL) into his laptop to see if he could spot any difference. However, he was greeted by a “404 Not Found” message, the standard Hypertext Transfer Protocol (HTTP) status response indicating that the server cannot provide the requested webpage.
Days later, someone reported on independent.sg to warn others of an authentic-looking phishing website impersonating another local bank. This user, too, received the link by SMS on his mobile phone. I did not have the opportunity to check whether the URL provided by this user would lead to a “404 Not Found” page from a computer, as the webpage had already been taken down. Judging from the adversary's modus operandi, it would probably have led to the same “404 Not Found” page, as the URL was identical to the one my friend received except for the part containing the bank's initials.
Mobile phishing is not new. What makes this attack stand out is that it has been a while since an attacker took such pains to be this selective about their targets: in this example, users (victims) can only reach the phishing site and enter their bank credentials through their mobile phone.
How is this done?
Attackers usually achieve this by configuring their servers to allow access only to specific user-agents, the strings in the HTTP request headers that identify the browser and device requesting a webpage. They can also achieve a similar effect with the Inception Bar, a fake address bar drawn inside the page, which is convincing on mobile browsers because they hide the real address bar once the user scrolls.
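A defender's triage check for the user-agent gating described above, written as an added example (not code from the article): the URL is fetched once per probe user-agent and the page is flagged when only mobile agents receive an HTTP 200. The probe user-agent strings, the placeholder URL and the `fake_fetch` stand-in server are constructed; `http_fetch` is the real probe a practitioner would pass in.

```python
"""Probe whether a URL serves a page only to mobile user-agents.

Added example, not code from the article. The probe user-agent strings,
the placeholder URL and `fake_fetch` are constructed for illustration."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed probe user-agents: two mobile, two desktop.
PROBE_AGENTS: Dict[str, str] = {
    "android": "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) Mobile/15E148 Safari/604.1",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/90.0 Safari/537.36",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
}
MOBILE_MARKERS = ("Mobile", "Android", "iPhone", "iPad")
Fetcher = Callable[[str, str], Tuple[int, int]]  # (url, user-agent) -> (status, body length)


def is_mobile_agent(ua: str) -> bool:
    """Coarse mobile/desktop classification, used only to label the probes."""
    return any(marker in ua for marker in MOBILE_MARKERS)


def http_fetch(url: str, ua: str, timeout: float = 10) -> Tuple[int, int]:
    """Real probe using only the standard library (not exercised offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, 0


def fake_fetch(url: str, ua: str) -> Tuple[int, int]:
    """Constructed stand-in for a server that gates on user-agent: a page for
    mobile agents, 404 for everything else, as the article describes."""
    return (200, 48_000) if is_mobile_agent(ua) else (404, 150)


def detect_mobile_cloaking(url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Fetch `url` once per probe agent and flag it as mobile-only when every
    mobile agent receives HTTP 200 and no desktop agent does."""
    statuses = {name: fetch(url, ua)[0] for name, ua in PROBE_AGENTS.items()}
    mobile = [s for n, s in statuses.items() if is_mobile_agent(PROBE_AGENTS[n])]
    desktop = [s for n, s in statuses.items() if not is_mobile_agent(PROBE_AGENTS[n])]
    mobile_only = all(s == 200 for s in mobile) and not any(s == 200 for s in desktop)
    return {"statuses": statuses, "mobile_only": mobile_only}
```

Running `detect_mobile_cloaking(url, fake_fetch)` reproduces the article's observation: 200 for the mobile probes, 404 for the desktop ones, and `mobile_only` set to `True`.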
Why is this effective?
The message was sent by SMS, which prompts the user to tap the link on their mobile phone rather than type it into their personal computer. With the attacker restricting access to specific user-agents, the user can only view the contents of the webpage on a mobile phone.
Furthermore, websites often serve different mobile layouts to different mobile devices, so users may not realise they have been brought to a malicious website when the page has been carefully crafted to resemble the genuine one.
Mobile phones preferred over desktop/laptop? Will this be a threat to the organisations?
When a user receives a phishing email on a desktop or laptop, he or she may be able to identify the potentially malicious URL by hovering over the link to see where it leads. It is much harder to spot the malicious URL when the phishing link arrives on a mobile phone instead.
The attacker may also be trying to avoid detection by the antivirus software installed on the victim's desktop/laptop, or by the security information and event management (SIEM) and intrusion prevention/detection system (IPS/IDS) solutions that an organisation has in place to monitor its desktops and laptops.
Furthermore, the ongoing COVID-19 pandemic has brought about an immense reliance on mobile devices. The increased use of e-services and applications on mobile phones, both professionally and personally, makes mobile phone users an easy target.
Sending the malicious link to a mobile phone user via SMS increases the attacker's chance of phishing the user's credentials, as the user may open the link over the 4G/5G mobile network, bypassing the normal enterprise defences of an organisation. With personal or corporate credentials harvested, attackers can use them to access whatever resources they choose.
Once inside the corporate network, attackers can bring down an organisation's operations or steal sensitive data such as financial records or intellectual property, resulting in a data breach, reputational damage, and loss of revenue and/or business.
What are the prevention steps that an organisation can take?
Organisations can use NIST's Guidelines for Managing the Security of Mobile Devices in the Enterprise as a reference to improve their security posture, and can improve user awareness by reminding their employees of the points below:
- Be wary of URL links provided in unsolicited advertisements and text messages, especially if they sound too good to be true.
- Verify the authenticity of the information through official sources, for example, company websites.
- Never disclose any banking details to anyone.
Organisations can also encourage their employees to use a password manager on their mobile phones. A password manager not only fills in passwords for them; it can also help prevent phishing by refusing to fill in the password when it recognises that the domain of the phishing website does not match that of the genuine website.
The Cyber Security Agency (CSA) has also made a video on How to Spot Signs of Phishing, which organisations can share with their employees.
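The domain check that makes a password manager refuse to autofill on a lookalike site, as an added example (not the article's code, nor any specific password manager's). The vault entry, the bank domain and the lookalike hosts are constructed; the registrable-domain rule is simplified to the last two labels, where real managers consult the public-suffix list.

```python
"""How a password manager's autofill refuses a lookalike domain.

Added example, not the article's code nor any specific password manager's.
The vault entry and the URLs in the comments are constructed."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Credential = Tuple[str, str]

# Constructed vault: credentials keyed by the registrable domain they were saved for.
VAULT: Dict[str, Credential] = {"examplebank.com": ("user01", "password-placeholder")}


def registrable_domain(host: str) -> str:
    """Last two labels of the host, so login.examplebank.com -> examplebank.com.
    Real managers use the public-suffix list; this simplification suits .com-style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_decision(page_url: str, vault: Dict[str, Credential] = VAULT
                      ) -> Tuple[Optional[Credential], str]:
    """Return (credential, reason). Fill only over HTTPS and only when the page's
    registrable domain equals a saved one, so examplebank.com.evil.net,
    examp1ebank.com and a Cyrillic-lookalike host are all refused."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return None, "refused: not an https URL"
    try:
        parts.hostname.encode("ascii")
    except UnicodeEncodeError:
        return None, "refused: non-ASCII host (possible homograph)"
    domain = registrable_domain(parts.hostname)
    if domain in vault:
        return vault[domain], "filled"
    return None, f"refused: no saved login for {domain}"
```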
Mobile phones have not only brought convenience to our daily lives; they have also brought convenience to attackers, through the multiple attack vectors mobile phones introduce. As attackers adapt their social engineering techniques to avoid being thwarted by the anti-virus software and monitoring systems that may be in place, attacking mobile phone users directly seems an easier and more profitable approach.
Instructing all mobile phone users never to open links sent by text message is not feasible, and improving user awareness appears to be the only way to combat such phishing attacks. However, it is not foolproof. Organisations will need to find a way to secure the new entry points that these mobile phones and devices bring. While routing mobile users' network traffic through the organisation is a good way to reduce the possibility of a network attack or data breach, it raises privacy issues. It is therefore important for organisations to draw a line between their needs and the controls their employees must adhere to when using mobile devices for work.
ABOUT THE AUTHOR
Tok Huey Cheit