Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/28/2018
10:30 AM
Dan Cuddeford
Dan Cuddeford
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

WhatsApp: Mobile Phishing's Newest Attack Target

In 2018, mobile communication platforms such as WhatsApp, Skype, and SMS have far less protection against app-based phishing than email.

Mobile phishing is a topic that just won't go away. According to Verizon, 90% of all data breach incidents begin with a phish — and mobile is the fastest-growing vector of attack. Our research shows a new phishing site is created every 20 seconds. Yet, within mobile phishing there are many different techniques and campaigns being employed by attackers, making it difficult to keep up with the latest threats.

Researchers at Wandera have observed a new trend that's been growing in popularity among cybercriminals — with dozens of new attacks being detected every day, many last less than 24 hours before the campaign is shut down and recreated elsewhere. This vast family of phishing attacks can be identified by a number of common features, most notably centering on WhatsApp, the popular message application.

Distribution Methods
We've observed an increase in phishing attacks that center on WhatsApp — not just for the initial method of delivery but also to subversively reach many more targets after each success.

While traditional phishing campaigns make use of email, most attacks today are distributed via other vectors on mobile. There are multiple reasons for this. For one thing, email clients and associated security technologies are better than ever at detecting and filtering suspicious messages from inboxes, whereas less-mature communication platforms such as Skype, WhatsApp, and SMS have far less protection in place. Put simply, email is far less effective than app-based phishing in 2018.

Furthermore, the many millions of apps that people use for communication on mobile devices mean that in-app defense against phishing is next to impossible — meaning that attackers can target users in places they do not expect malicious messages. These mobile-based attacks are three times more effective than desktop phishing, according to research from IBM.

Exploiting WhatsApp
Unlike in email, where the message is flagged as risky, this new phishing attack is not filtered at all in WhatsApp. In fact, when the link is shared in WhatsApp, it is sometimes expanded to display the snippet of the website, complete with logo and page title — all signifiers to the victim that this may be a legitimate domain.

Image Source: Wandera
Image Source: Wandera

Malicious Domains
When the user clicks on one of these links within WhatsApp, he or she is taken to a page that appears to be a limited time offer for a particular brand. These pages host content offering some kind of incentive for the user to complete a short questionnaire, typically employing a fake timer or countdown to instill a sense of urgency in the target.

These pages often also make use of mock Facebook comments, creating a false sense of social proof that these promotions are legitimate. Many of these fake commenters even express apprehension about the legitimacy of the page, only to later post that they have successfully completed the offer and have now received their reward. Some even include pictures of the gift as further evidence.

Most of these campaigns will aim to extract sensitive information from the target. In the examples discovered by Wandera, this ranged from personal data such as name, address, and phone number, to even more dangerous forms of personally identifiable information, such as credit card information.

Secure Sites
These campaigns employ another hallmark of the modern mobile phishing attack. While efforts to encrypt the web by implementing HTTPS on websites are admirable, general user understanding about this technology remains low. Most mobile browsers display a "secure" marker near the address bar of sites that have successfully made use of an SSL certificate, which attackers have used to convince users that their phishing domain is secure in a more general sense. Many users mistake this information as validation by Google or Apple that the site itself is authentic.

Organizations such as Let's Encrypt have been offering these certificates to website owners for free, providing a zero-cost way for attackers to bolster the perceived legitimacy of their phishing pages, and subsequently the efficacy of their attacks. These WhatsApp campaigns make frequent use of this technique.

Redistribution techniques
The more novel part of this campaign is how victims of the attack are exploited to share the campaign with their contacts. This technique is not entirely new, but by integrating with WhatsApp, this method of campaign "virality" is much more effective than more primitive efforts, which explains why these attacks are increasing in frequency.

Either before or after completion of the form (depending on the specific campaign) on these malicious pages, the target cannot redeem their gift until they have sent a link to the page to a number of other contacts via WhatsApp. This way, with each successful phish, attackers are able to reach yet more victims — directly within the application that the campaign is designed to exploit.

A message is then auto-sent to what appears to be a random selection of WhatsApp contacts. This approach has the added benefit of coming from an individual that the target trusts, making them more likely to fall for the scam.

There has been a notable growth in this kind of WhatsApp phishing campaign in 2018, all making use of a number of familiar features to successfully extract data from WhatsApp users. Quantifying it is difficult, because each attack is slightly different and attackers are constantly tweaking different elements on the campaign as they learn more about what works and what doesn't. In an age of GDPR and increased scrutiny on data breaches and privacy concerns, it is essential that mobile users learn to identify phishing in all its forms.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dan is director of sales engineering at Wandera, the leading global provider of security and management for mobile data. An experienced engineer in network and cloud security, Dan has worked with start-ups through to global enterprises. Organizations use Wandera to protect ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
11/28/2018 | 9:17:49 PM
The hackers will target anything they think they can get their hands on
The hackers will target anything they think they can get their hands on. I'm really not surprised if they start looking at all of the messaging applications to try and hook more people into their little web and rob them of their information and private details. There's really no stopping them. We just need to hope that the companies will do their due diligence to make sure there is more security in place.
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17513
PUBLISHED: 2019-10-18
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .