Fake Facebook Mobile Login Steals Credit Card Info

A financial aspect to it pulls the attack more in line with other high-profile mobile phishing attempts, which typically look to steal banking or credit card credentials.

“Should users actually try to log in, the page then prompts users to choose a security question,” explained Gelo Abendan, a researcher at Trend Micro’s TrendLabs, in a blog on the subject. “This may sound harmless, but these same security questions might be used across several different sites, and can compromise your security as well.”

Once users are done with the security page, they are led to yet another page, this time asking for their credit card details—an issue that obviously paves the way to the much more critical issues of financial fraud and identity theft.

As smartphones and tablets proliferate, mobile devices have increasingly become platforms for phishing attacks. A recent Trend Micro report noted that in 2012 there were no fewer than 4,000 phishing URLs designed for the mobile web. Though this number represents less than 1% of all the PC-based phishing URLs gathered that year, the results are large for the exponentially smaller universe of mobile-only pages.

That said, only a small portion of mobile phishing sites (2%) are designed to spoof social networking sites. Trend Micro postulates that this small number of phishing sites for social media may be due to users’ preference for using social media apps and widgets. Because users are unlikely to visit social networking sites via the mobile web, launching phishing equivalents of these pages may not be an effective way to target users.

In contrast, the report noted that 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use this stolen data to initiate unauthorized transactions and purchases via the victim’s account. In the Facebook phish, the attackers are clearly looking to bump up the value of their efforts by adding a financial aspect to the mix.

Taken together, it’s clear that consumers need to be more vigilant when surfing by mobile, regardless of which sites they visit. “With high-profile incidents like the mobile phishing page targeting Chase customers, the fake WhatsApp notification serving a multiplatform threat, the master key vulnerability, and not to mention the growing number of online banking transactions via mobile devices – threats for mobile devices are catching up with its PC counterparts in terms of severity,” said Abendan.
