Despite the massive coverage of phishing attacks in the business, industry and general press, phishing is still one of the most prevalent ways attackers steal passwords. While consumers and employees alike are getting somewhat better at spotting phishing attempts, attackers are getting better at constructing elaborate schemes. The hardest place to identify a phishing email? Your phone. The hardest place to determine whether a website is what it purports to be? A mobile browser. And where do we do most of our internet browsing? Our phones… So it is no surprise that attackers are targeting mobile browsers with a phishing technique you need to be aware of.
Phishing by spoofing your mobile browser bar
When you click a link within an email, it usually launches your default browser. On a desktop machine you can hover over the link to see the actual URL it points to and check that the domain matches the company the email supposedly comes from. You can also hover over the “From” display name to see whether the address really ends in the correct “@company.com”, or in a look-alike such as @compny.com (a one-letter change to the official domain). Keep in mind that the From address itself can be forged outright unless your mail provider enforces SPF, DKIM and DMARC, so a correct-looking sender is not proof on its own. On your phone, though, it is much harder to dig into those discrepancies: there is no hover, link targets are hidden behind a long press, and the sender address is often collapsed to just the display name.
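The desktop "hover check" described above can be automated. The following Python script is an added example, not code from the original article: it parses a constructed sample email (the message, the sender and the hostnames in it are made up), flags a sender domain within a couple of edits of the expected brand, and flags links whose visible text names the brand while the href points somewhere else. The expected domain `company.com` and the two-label approximation of a registrable domain are assumptions for illustration.

```python
"""Automated version of the 'hover over the link and the sender' check.

Added example; assumes the brand domain below and uses a constructed email.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand whose mail and links we expect to see.
EXPECTED_DOMAIN = "company.com"

# Constructed sample message (not a real email). The sender domain drops one
# letter, and the first link's visible text names the real site while its
# href goes to an unrelated host that merely embeds the brand name.
SAMPLE_EMAIL = """From: Company Support <support@compny.com>
To: victim@example.org
Subject: Action required
Content-Type: text/html

<html><body>
<p>Please <a href="https://company.com.login-verify.example/reset">sign in at
https://company.com</a> to keep your account active.</p>
<p><a href="https://www.company.com/help">Help center</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two DNS labels, lower-cased. Simplification: ignores the public
    suffix list, so 'shop.example.co.uk' would be reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, expected=EXPECTED_DOMAIN):
    """'ok' for the expected registrable domain or a subdomain of it,
    'lookalike' if within two edits of it or if the brand name is embedded in
    some other registrable domain, otherwise 'other'."""
    reg = registrable_domain(host)
    if reg == expected:
        return "ok"
    if levenshtein(reg, expected) <= 2 or expected in host.lower():
        return "lookalike"
    return "other"


class LinkCollector(HTMLParser):
    """Pairs each <a href="..."> with the visible text inside the anchor."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_email(raw, expected=EXPECTED_DOMAIN):
    """Return a list of (kind, detail) findings; an empty list means nothing
    suspicious was found by these checks (not that the mail is safe)."""
    msg = message_from_string(raw)
    findings = []

    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    verdict = classify_domain(sender_domain, expected)
    if verdict != "ok":
        findings.append(("sender", f"{sender_domain} ({verdict})"))

    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        verdict = classify_domain(host, expected)
        if verdict == "ok":
            continue
        # Visible text naming the brand while the href goes elsewhere is
        # exactly the discrepancy the hover check is meant to surface.
        if expected in text.lower():
            findings.append(("link-text-mismatch",
                             f"text says {expected!r}, href host is {host}"))
        else:
            findings.append(("link", f"{host} ({verdict})"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_email(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

On the sample message this reports the look-alike sender and the first link; the second link resolves to the real registrable domain and is left alone. The checks are deliberately narrow: they catch typo-squats and brand-in-subdomain tricks, not a forged but correctly spelled From header, which only SPF, DKIM and DMARC enforcement at the receiving side can catch.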
Tod Beardsley, research director at Rapid7, told TechCrunch that on “mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there’s not a lot of space available for security signals and sigils.”
By that he means the icons and indicators that normally appear in the browser bar to signal that a site is legitimate are not always present on mobile, purely because of screen real estate. Along those lines, security researcher Rafay Baloch found critical vulnerabilities in some widely used mobile browsers (namely Apple’s Safari and Opera). If exploited, these bugs would “allow an attacker to trick the browser into displaying a different web address than the actual website that the user is on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords,” according to TechCrunch.
“The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser’s address bar to any other web address that the attacker chooses.
In at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate — when it wasn’t.”
Whether or not the mechanics make complete sense to you doesn’t matter much. What does matter is higher-level awareness, from you and your company, that phishing is becoming ever more cunning. Apple has reportedly patched the Safari bug, while Opera was noncommittal in its response to TechCrunch. Either way, keep your mobile browser updated, and treat the address bar on a phone as a weaker signal than on a desktop: if a link from an email or text message lands on a login page, close it and reach the site yourself by typing the address or using a bookmark. A password manager helps here too, since it only autofills credentials for the real site’s origin, and a spoofed address bar changes what is displayed, not the origin the page is actually loaded from.
For more comprehensive solutions, though, that’s where we come in. Having a managed service provider for all your IT needs makes fending off phishing attacks much easier, much more secure, and even in the case of a breach, restoration becomes much more seamless too.