WhatsApp: Newest Attack Target for Mobile Phishing

Phishing attacks aren’t nearly as successful as they used to be because by now people have learned to look out for the emails that ask them to provide sensitive details. While this is true for emails, it seems that pioneer attackers have embraced other ways of utilizing phishing attacks, namely through messaging services such as WhatsApp, Skype, and even plain old SMS.

Mobile Phishing
Mobile phishing is an issue that shows no signs of abating anytime soon. According to Verizon, 90% of their recorded data breaches began with a phishing attack and right now mobile is an increasingly common attack vector. 

Recent research from Wandera shows a new trend among cyber-criminals toward mobile phishing. Every day, dozens of new attacks are detected and many of them last less than a day before being shut down and relocated elsewhere. These phishing attacks share many standard features, notably centering around the use of WhatsApp.

Distribution Methods
Now that there is a widespread awareness of the dangers email-based phishing attacks bring, many savvy cyber-criminals are instead moving on to using other vectors that allow them to attack mobile devices. Many of such attacks center on WhatsApp as both the initial method of delivery and the way to reach more targets after every single success. 

It isn’t just the awareness that has led to this shift. Email clients and providers have many built-in tools that identify any potential phishing emails and alert the user or automatically delete the email.

In contrast, there are no such security measures for SMS, or for app-based messaging services. Given the sheer number of different messaging apps out there, it is challenging to develop a catch-all defense against mobile phishing attacks. This results in mobile-based attacks being at least three times more effective than the phishing that takes place through desktop. Without any doubt, mobile providers should make further investments into raising cybersecurity awareness and improving it on mobile.

Exploiting WhatsApp
Unlike with phishing emails, which are often flagged as potentially malicious, there is no filtering or alert system on WhatsApp either. When a user receives a link on WhatsApp, it usually generates a preview of that website’s logo and page title. These are easy for an attacker to fake but might give a phishing message enough of a veneer of legitimacy for the user to get caught off guard.

Malicious Domains
The links that phishing messages contain often look legitimate. However, if the user clicks through, they will be taken to a page that also appears legitimate but, in fact, is owned by the attackers. These phishing pages often resemble the login pages of the websites and services the user visits regularly. However, this isn’t always the case. For example, some phishing pages present the user with the opportunity to claim a prize, or to make a purchase at a massively discounted price.

Whatever the specific setup of the malicious page, its goal is to encourage the user to hand over their personal information the attacker can exploit in some way. Just as phishing emails have become more sophisticated, so have the web pages used to phish victims. Many of them are now incorporated into Facebook comments and other social media features that give the impression of a dynamic webpage with a legitimate function.

How to Stay Safe
So, how can you defend yourself against these phishing attacks? Being vigilant is the most important thing. If it seems strange that a particular service is messaging you and asking for personal information, don’t hand it over! Only ever give your login details when you have approached the service yourself, not when they come to you asking for them.

It is also a good idea to get yourself a VPN which will protect you someway from spear phishing attacks. These are phishing messages and websites that have been crafted for a specific individual.

Generally, attackers that use spear phishing will know their target and what message to use to lull them into a false sense of security. 

It perhaps isn’t surprising that enterprising cybercriminals are making in-roads in the mobile space. However, the awareness of this particular type of attacks remains low. Be wary of any unsolicited messages you receive from an online service, and don’t trust a link that you didn’t ask for.

Uladzislau Murashka is a Certified Ethical Hacker at ScienceSoft with 5 years of experience in penetration testing. Uladzislau’s spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of information security.

What’s Hot on Infosecurity Magazine?