For better or for worse, most of us are familiar with bank-related phishing attacks, where a crook tricks you into clicking a link that appears to belong to your bank and then presents you with a mock-up of the bank’s site, hoping you’ll log in and divulge your account details. The idea is that by making the experience seem familiar enough, you will simply go through the motions, fill in the requested fields and click Next.
It’s easy to get suckered in when you aren’t paying attention, as the crooks clone the look and feel of the bank’s real site by simply copying and modifying the bank’s own web pages.
The good news is that even though phishing is still lucrative for the bad guys, we are getting a lot better at not falling for it, at least for old-school phishes that are delivered in emails and require you to click through into a browser window.
But what about mobile devices? The Australian Communications and Media Authority (ACMA) has been warning for some time about the increased efforts cybercriminals are making to target Australian financial institutions.
Instead of getting an email that takes you to a site in your desktop browser, the phish starts with a simple SMS that links to a believable-looking server name.
You ought to be suspicious already, not only because most banks simply tell you that your statement is ready and leave you to use a bookmark of your own to get there, but also because all the sites use HTTP rather than its secure cousin, HTTPS. Yet the usual phishing signals you might look for in an email are missing. Many users now check the headers of a suspicious email, which can reveal its real origin, and watch out for spelling mistakes and grammatical errors. But in the cramped confines of an SMS there is less room for the crooks to make spelling or grammatical blunders, and no email-style headers to inspect.
Any message that said nothing more than “Account notification” would seem unusually abrupt and suspiciously unprofessional in an email, yet it reads perfectly naturally in an SMS. If you were to click through to one of the many phishy domains the crooks have registered for these attacks (ACMA has an extensive list on its site), you’d put yourself in harm’s way. Here’s ACMA’s example screenshot of the fake login page for the ANZ bank, next to the real thing:
What to do?
1. Don’t throw caution out of the window when you switch from your desktop or laptop to your mobile device.
2. Avoid clicking on links in SMSes, especially if they are unsolicited.
3. Learn how to tell when a page is using HTTPS in your mobile browser of choice.
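The two signals the article singles out, a plain http:// link and a bank’s name sitting in a server name the bank does not own, can also be checked mechanically before anyone taps the link. The Python below is an added example, not code from the article, from Sophos or from ACMA: it pulls any URL out of a handful of constructed SMS texts and reports which signals fire. The allowlist of genuine bank domains and the sample messages are assumptions made for illustration, and the registrable-domain helper is a deliberate approximation of the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration only: the domains a bank genuinely uses
# would have to come from the bank itself, not be hard-coded like this.
KNOWN_BANK_DOMAINS = {
    "anz": {"anz.com", "anz.com.au"},
    "commbank": {"commbank.com.au"},
}

# Matches http:// or https:// up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"

# Country-code TLDs where the registrable domain is three labels (foo.com.au).
TWO_PART_CC_TLDS = {"au", "uk", "nz"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the last two labels, or the last three under a
    two-part country suffix such as .com.au. A real tool would use the
    Public Suffix List instead of this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-1] in TWO_PART_CC_TLDS
            and len(labels[-2]) <= 3):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_in_host(host: str) -> list[str]:
    """Brands whose name is a hostname label or sits at the edge of one
    (anz-secure.example, myanz.example, anzsecure.example). Matching at label
    edges rather than as a bare substring avoids hits on words like 'bonanza'."""
    labels = re.split(r"[.-]", host.lower())
    hits = []
    for brand in KNOWN_BANK_DOMAINS:
        if any(label == brand or label.startswith(brand) or label.endswith(brand)
               for label in labels):
            hits.append(brand)
    return hits


def assess_url(url: str) -> list[str]:
    """Return the phishing signals the article describes for one link:
    a plain-http scheme, and a bank's name in a host the bank does not own."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    signals = []
    if parts.scheme.lower() != "https":
        signals.append("plain-http")
    domain = registrable_domain(host)
    for brand in brands_in_host(host):
        if domain not in KNOWN_BANK_DOMAINS[brand]:
            signals.append(f"lookalike-host:{brand}")
    return signals


def assess_sms(text: str) -> dict[str, list[str]]:
    """Map every URL found in an SMS to its list of signals. An empty dict
    means the message carried no link at all; an empty list means no signal
    fired, which is not proof the link is safe, since HTTPS only says the
    channel is encrypted, not who is on the other end."""
    result = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(TRAILING_PUNCT)
        result[url] = assess_url(url)
    return result


# Constructed sample messages, not real SMS traffic or ACMA's examples.
SAMPLE_SMS = [
    "ANZ: Account notification. Review at http://anz-secure-login.example",
    "CommBank alert: confirm your details https://commbank.example.net/verify.",
    "Your statement is ready. Log in via your usual bookmark.",
    "Internet banking: https://www.anz.com.au/internet-banking",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(sms)
        for url, signals in assess_sms(sms).items():
            print(f"  {url} -> {signals or ['no signal fired']}")
```

The first sample trips both signals, the second is served over HTTPS but still puts a bank name on a domain the bank does not own, the third carries no link and so nothing to assess, and the fourth raises nothing because the host resolves to an allowlisted domain. Note that a clean result for an unknown domain with no bank name in it tells you nothing either way; the script only automates the two checks the article names, it does not certify a site.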
Your mobile device isn’t more secure simply because it’s not the same as, or newer than, or runs a different operating system to, your desktop or laptop. Whether you are on your phone or your laptop, your tablet or your desktop, if you put your personal information or password into the wrong site, it will end up in the wrong people’s hands.
Justin Peters is Technology Solutions Director APAC at Sophos