Are mobile users suckers for phishing attacks?
Study considers why they're more likely to take the bait
- By William Jackson
- Jan 18, 2011
When phishers cast their nets, it is becoming more likely that mobile-device users will be reeled in.
An examination by Trusteer of the logs of a handful of phishing sites showed that mobile-device users were the first to arrive at the sites, that they were three times more likely than desktop users to submit log-in information to the phony sites, and that, despite BlackBerry's market lead, eight times as many iPhone users as BlackBerry users accessed the phishing sites.
Trusteer, a provider of secure Web-browsing services, based the conclusions on a study of data from two servers that host about 20 different phishing websites, said CEO Mickey Boodaei.
“It’s a limited snapshot, but we believe it is representative of what is going on with other websites as well,” Boodaei said.
Phishing is the practice of duping victims into providing log-in or identity credentials, often by luring them, with an urgent e-mail, to a phony look-alike website. The credentials can then be harvested and used for identity theft or other fraud and might be sold to third-party criminals.
The Trusteer findings do not mean that BlackBerry and iPhone users are necessarily suckers, though. Technology, form factor and social habits probably combine to produce those results, Boodaei concluded.
“It is not something we expected to see, but it makes sense after you see the data,” he said. He added that there are no hard facts to back up the conclusions but said they are logical extrapolations based on the available information.
Mobile users are more likely to see the urgent e-mails quickly because they are always on and tend to check their e-mail more frequently than their desk-bound brethren. That is important because of the limited lifespan of most phishing websites.
Another Trusteer study found that 50 percent of stolen credentials typically are gathered in the first hour that a site is online, and 80 percent within the first five hours. Many sites are taken off-line in a matter of hours, and blacklisting services often block the sites quickly, so users who are constantly checking and responding to e-mail are more likely to get to a live site.
“But it’s not just the timing,” Boodaei said. “It is more difficult for mobile users to identify phishing sites than for the desktop user.”
The size of screens and the functionality of mobile browsers limit the information shown about a link. If a URL is displayed at all, it often is truncated, so a well-constructed phony URL that starts with “www.acmebank.com” could appear legitimate because the true destination of the link is cut off from view.
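As an added illustration (not part of the article or of the Trusteer study), the following Python shows why a truncated address bar is a poor signal: the two constructed URLs below share their first 24 characters, so a narrow display renders them identically, yet only the first is actually hosted by the bank. The domain names are made up, and the registrable-domain helper is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the study). The second one begins
# with the bank's name but its real host is an unrelated domain.
EXAMPLE_URLS = [
    "https://www.acmebank.com/login",
    "https://www.acmebank.com.account-verify.example/login",
]


def truncated_display(url: str, width: int = 25) -> str:
    """Mimic a narrow mobile address bar that shows only the first characters."""
    if len(url) <= width:
        return url
    return url[: width - 1] + "..."


def true_host(url: str) -> str:
    """Return the hostname the browser will actually connect to ('' if unparsable)."""
    return urlsplit(url).hostname or ""


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for plain .com names; a
    production check would consult the Public Suffix List (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's real host is expected_domain or a subdomain of it."""
    host = true_host(url)
    return host == expected_domain or host.endswith("." + expected_domain)


if __name__ == "__main__":
    for url in EXAMPLE_URLS:
        print(truncated_display(url), "->", true_host(url),
              "bank-owned:", belongs_to(url, "acmebank.com"))
```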
Trusteer concluded that it is equally difficult to spot phishing sites on a BlackBerry or an iPhone. So why the 8-to-1 ratio of iPhone users to BlackBerry users? Maybe it is that BlackBerry has been around for quite a while and has become the de facto standard for mobile access in many enterprises, including government. BlackBerry users often have more experience, and the device is more likely to come with an enterprise security policy. The iPhone is a relatively recent phenomenon and is more likely to be in the hands of casual users.
The bottom line: Don’t abandon your caution when mobile. Remember that banks do not e-mail customers about compromised accounts, and skepticism about links in e-mails is always a good idea.
William Jackson is a freelance writer and the author of the CyberEye blog.