By The PhishLabs Team | May 29, 2019
Each year new phishing techniques result in more attacks successfully landing in user inboxes. In most cases, threat actors are no different than anyone else, and follow the hottest trends in an effort to be more relevant. During tax season they may push out tax scams, during elections they may push bogus political-inspired healthcare emails, and there are even Game of Thrones inspired attacks, too.
Regardless of the latest fads, the one major shift in social engineering-based attacks is the technology in play. Fortunately, we don’t yet have virtual reality-based attacks plaguing the planet, but with mobile, in particular Android devices, accounting for a majority of online traffic, it’s becoming the primary target for threat actors.
The following are the primary findings that our team has observed and analyzed as part of the annual Phishing Trends and Intelligence report:
- In 2018, we observed a significant rise in SMS phishing, particularly targeting the financial industry.
- Most people open and read SMS messages reflexively, and don’t expect to receive malicious messages.
- SMS phish are much more difficult for the security community to track and respond to than traditional phishing attacks.
- Mobile-specific phish kits accurately mimic login screens of legitimate mobile apps. In many cases, these kits contain files for both mobile and desktop phishing sites.
Tracking SMS Threats and Visibility
Let’s break these down a bit further, starting with how the security community is able to track SMS attacks. Unlike a typical phishing email where it’s easy to collect the header and report or forward it to a researcher, SMS attacks are more complicated.
Phone numbers can easily be spoofed, and the routing that leads to a text message landing in your message queue is not accessible. This means that the most common way to report an SMS-based phishing attack is through screenshots, which poses numerous issues, with the largest being that URLs may be truncated.
On top of this, SMS or text message filtering of spam is practically non-existent, which means any kind of malicious or spam will be front and center on a person’s phone. This brings us to our next point regarding how users typically interact with text messages.
Mobile Makes a Fool Out of Us
Between a lack of filtering technology and our expectations that mobile devices are relatively secure, most users don’t take the extra time to ensure content is safe. You would certainly never click on a malicious email, so how could you get fooled on mobile? Using simple tricks like URL padding, or taking advantage of small screen sizes and how much of a URL you can see, easily trick users into thinking a website is legitimate.
As a result, in the past year we’ve seen more SMS phishing, particularly for the financial industry. SMS phish are using the same fear tactics as the traditional email-based phishing lures, such as saying there’s been fraud on the account and as a result has been deactivated. This, of course, encourages the user to try and reset the password, which then sends off the credentials to a threat actor.
We’ve also seen more phish kits specifically crafted for mobile-based phish. These phish kits present login screens similar to the bank’s legit mobile login. A lot of kits also contain files for both mobile and desktop phishing sites. These kits check for a user-agent in order to determine if the user is on a mobile device, and if so, it will show the mobile version of the site.
Mobile Malware Trends
As Android OS continues to be the primary entry point for mobile traffic, the most prevalent mobile malware specifically targets the operating system. In total, Android makes up 74.85% of all mobile OSs, with iOS significantly behind at 22.94%, and those that follow make up less than a single percent each.
The most active and prevalent mobile trojans in the past year are: BankBot, RedAlert2, and Marcher.
As other mobile banking trojans fall by the wayside, these prevalent ones have seen other incarnations and shifts, too. In the past year, March 2018, we detected a new BankBot variant. BankBot Anubis incorporates ransomware, keylogging, remote access, SMS interception, call forwarding, and lock screen functionality.
The creators also develop more sophisticated methods to obscure command and control (C2) infrastructure, which makes it more difficult to shut down. Criminals behind BankBot Anubis used public Twitter accounts to post tweets containing encoded C2 URLs in an attempt to hide their C2 infrastructure. C2 information could be encoded in images or foreign language characters to avoid suspicion. You can read more about it in our report from late last year.