Security researchers from PhishLabs have come across a new phishing trend that’s targeting mobile device owners exclusively, with “the highest proportion of attacks” aimed at Facebook users.
This new tactic relies on the fact that mobile browsers have very narrow URL address bars, which prevents users from viewing the entire contents of a link. Phishers are taking advantage of this UI inconvenience to pad URLs with subdomains and hyphens, making some links look authentic on mobile devices.
For example, take the following URL, seen by PhishLabs experts in real-world attacks.
The real domain of this website is rickytaylk.com, and not “m.facebook.com”. Because a mobile browser will show only the first part of the URL, users will see only the “m.facebook.com” section, followed by an endless stream of hyphens.
Attack only works against inattentive users
Inattentive users will be fooled to think they’re on the mobile login page of the real Facebook and give away their credentials to these crooks.
PhishLabs experts say that in most cases, attackers use these credentials to spam a user’s friends, and also send their phishing pages to other users, spreading the infection to others.
Most phishing attacks using this technique have targeted Facebook users. Experts say they’ve seen this same tactic also deployed against services such as Apple iCloud, Comcast, Craigslist, and OfferUp.
The mobile ecosystem is very phisher-friendly
Crane Hassold, the expert who detailed this tactic this week, says that one of the reasons that makes this phishing attack very effective is that users can’t hover links on mobile devices, so they are not capable of determining if a link is safe or not before tapping on it.
“Until you visit the site, you have no way of knowing whether it’s legitimate,” Hassold says. “And, as we’ve already seen, once you’re there [on the site] the URL padding approach is highly effective at obscuring the site’s real domain.”
Hassold says that many of these phishing links using URL padding have been sent via SMS. While some mobile browsers and IM applications allow you to tap and hold your finger over a link to reveal its full URL, most SMS applications do not come with this feature.
Also this week, researchers from PhishMe have come across another novel phishing technique. This one targets PayPal users and involves the phisher asking the user to upload a selfie of himself holding his ID card.