8/28/2018 10:30 AM
Dan Cuddeford
Commentary

WhatsApp: Mobile Phishing's Newest Attack Target

In 2018, mobile communication platforms such as WhatsApp, Skype, and SMS have far less protection against app-based phishing than email.

Mobile phishing is a topic that just won't go away. According to Verizon, 90% of all data breach incidents begin with a phish — and mobile is the fastest-growing vector of attack. Our research shows a new phishing site is created every 20 seconds. Yet, within mobile phishing there are many different techniques and campaigns being employed by attackers, making it difficult to keep up with the latest threats.

Researchers at Wandera have observed a new trend that's been growing in popularity among cybercriminals: dozens of new attacks are detected every day, and many last less than 24 hours before the campaign is shut down and recreated elsewhere. This vast family of phishing attacks can be identified by a number of common features, most notably centering on WhatsApp, the popular messaging application.

Distribution Methods
We've observed an increase in phishing attacks that center on WhatsApp — not just for the initial method of delivery but also to subversively reach many more targets after each success.

While traditional phishing campaigns make use of email, most attacks today are distributed via other vectors on mobile. There are multiple reasons for this. For one thing, email clients and associated security technologies are better than ever at detecting and filtering suspicious messages from inboxes, whereas less-mature communication platforms such as Skype, WhatsApp, and SMS have far less protection in place. Put simply, email phishing is far less effective than app-based phishing in 2018.

Furthermore, the many millions of apps that people use for communication on mobile devices make in-app defense against phishing next to impossible, so attackers can target users in places where they do not expect malicious messages. These mobile-based attacks are three times more effective than desktop phishing, according to research from IBM.

Exploiting WhatsApp
Unlike email, where such a message would be flagged as risky, this new phishing attack is not filtered at all in WhatsApp. In fact, when the link is shared in WhatsApp, it is sometimes expanded into a preview of the website, complete with logo and page title, all of which signal to the victim that this may be a legitimate domain.

[Image: WhatsApp link preview of a phishing page. Image Source: Wandera]

Malicious Domains
When the user clicks on one of these links within WhatsApp, he or she is taken to a page that appears to be a limited time offer for a particular brand. These pages host content offering some kind of incentive for the user to complete a short questionnaire, typically employing a fake timer or countdown to instill a sense of urgency in the target.

These pages often also make use of mock Facebook comments, creating a false sense of social proof that these promotions are legitimate. Many of these fake commenters even express apprehension about the legitimacy of the page, only to later post that they have successfully completed the offer and have now received their reward. Some even include pictures of the gift as further evidence.

Most of these campaigns will aim to extract sensitive information from the target. In the examples discovered by Wandera, this ranged from personal data such as name, address, and phone number, to even more dangerous forms of personally identifiable information, such as credit card information.

Secure Sites
These campaigns employ another hallmark of the modern mobile phishing attack. While efforts to encrypt the web by implementing HTTPS on websites are admirable, general user understanding of this technology remains low. Most mobile browsers display a "secure" marker near the address bar of sites that present a valid SSL certificate, and attackers use that marker to convince users that their phishing domain is secure in a more general sense. The marker only means that traffic to the domain shown is encrypted; it says nothing about who operates that domain. Many users mistake it for validation by Google or Apple that the site itself is authentic.

Organizations such as Let's Encrypt have been offering these certificates to website owners for free, providing a zero-cost way for attackers to bolster the perceived legitimacy of their phishing pages, and subsequently the efficacy of their attacks. These WhatsApp campaigns make frequent use of this technique.

Redistribution Techniques
The more novel part of this campaign is how victims of the attack are exploited to share the campaign with their contacts. This technique is not entirely new, but by integrating with WhatsApp, this method of campaign "virality" is much more effective than more primitive efforts, which explains why these attacks are increasing in frequency.

Depending on the specific campaign, either before or after completing the form on these malicious pages, the target cannot redeem their gift until they have sent a link to the page to a number of other contacts via WhatsApp. This way, with each successful phish, attackers reach yet more victims, directly within the application that the campaign is designed to exploit.

A message is then auto-sent to what appears to be a random selection of WhatsApp contacts. This approach has the added benefit of coming from an individual that the target trusts, making them more likely to fall for the scam.
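The Malicious Domains, Secure Sites and Redistribution sections above describe the features that recur across these lures: a brand name on a domain the brand does not own, a countdown to create urgency, mock social-proof comments, a form harvesting personal or card data, and WhatsApp share links that redistribute the page. The following is an added example (not Wandera's or Dark Reading's code) of how a defender could turn those features into a triage heuristic for a page reached from a chat link. The indicator patterns, weights and threshold are this example's assumptions, the two sample pages are constructed, and the WhatsApp "click to chat" link formats it matches are documented by WhatsApp but are not something the article itself specifies. Note that HTTPS deliberately contributes nothing to the score, for the reason the Secure Sites section gives.

```python
"""Heuristic triage of a landing page reached from a link in a chat message.

Added example, not code from the article or from Wandera. Scores a page's HTML
for the lure features the article describes. Regexes, weights, threshold and
the sample pages are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

# WhatsApp "click to chat" share links (wa.me, api.whatsapp.com/send,
# whatsapp://send). Group 1 captures the prefilled message text.
SHARE_LINK_RE = re.compile(
    r"""(?:https?://(?:wa\.me|api\.whatsapp\.com)/(?:send)?\?[^"'\s>]*?text=
        |whatsapp://send\?[^"'\s>]*?text=)([^"'\s>&]*)""",
    re.IGNORECASE | re.VERBOSE,
)
# Urgency: countdown markup or timer script.
COUNTDOWN_RE = re.compile(r"countdown|offer ends in|setInterval\(", re.IGNORECASE)
# Comment blocks imitating Facebook's "Like · Reply" footer.
FAKE_COMMENT_RE = re.compile(r"Like\s*·\s*Reply")
# Any asset actually loaded from Facebook; genuine embedded comments need one.
FB_ASSET_RE = re.compile(r"""https?://[^"'\s>]*(?:facebook\.com|facebook\.net|fbcdn\.net)/""", re.IGNORECASE)
# Form inputs named for card or contact details (assumed name list).
SENSITIVE_INPUT_RE = re.compile(r"""<input[^>]*\bname=["']?(?:card|cvv|cvc|expiry|phone|address)""", re.IGNORECASE)

THRESHOLD = 5  # assumed cut-off for "likely lure"


@dataclass
class Verdict:
    url: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def label(self) -> str:
        return "likely lure" if self.score >= THRESHOLD else "below threshold"


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption; production code
    should consult the public suffix list instead)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(url: str, html: str, brand: str) -> Verdict:
    v = Verdict(url)
    host = (urlparse(url).hostname or "").lower()
    brand = brand.lower()

    # 1. Brand name in the hostname, but the registrable domain is not the brand's.
    if brand in host and registrable_domain(host).split(".")[0] != brand:
        v.score += 2
        v.reasons.append(f"brand '{brand}' in host {host} but domain is {registrable_domain(host)}")

    # 2. Share gating: WhatsApp links whose prefilled text points back at this page.
    hits = sum(1 for m in SHARE_LINK_RE.finditer(html) if host and host in unquote(m.group(1)).lower())
    if hits:
        v.score += 3
        v.reasons.append(f"{hits} WhatsApp share link(s) redistributing this page")

    # 3. Urgency timer.
    if COUNTDOWN_RE.search(html):
        v.score += 1
        v.reasons.append("countdown/urgency timer")

    # 4. Mock social proof: Facebook-styled comments with no Facebook asset loaded.
    if FAKE_COMMENT_RE.search(html) and not FB_ASSET_RE.search(html):
        v.score += 2
        v.reasons.append("Facebook-styled comments without any Facebook plugin")

    # 5. Data harvesting: inputs named for card or contact details.
    fields = SENSITIVE_INPUT_RE.findall(html)
    if fields:
        v.score += 2
        v.reasons.append(f"{len(fields)} form field(s) collecting sensitive data")

    # HTTPS adds nothing on purpose: a certificate proves control of the domain
    # name, not that the operator is the brand being impersonated.
    return v


# Constructed sample pages (not real campaign content).
LURE_URL = "https://examplebrand-offer.example-promo.net/win"
LURE_HTML = """
<html><head><title>ExampleBrand Anniversary Giveaway</title></head><body>
<h1>ExampleBrand gift card - offer ends in <span id="countdown">04:59</span></h1>
<form><input name="fullname"><input name="phone"><input name="cardnumber"><input name="cvv"></form>
<p>Share with 10 friends to unlock:
<a href="https://wa.me/?text=https%3A%2F%2Fexamplebrand-offer.example-promo.net%2Fwin">Share on WhatsApp</a></p>
<div class="comment">Jane: wasn't sure at first but I got my card! Like · Reply</div>
<div class="comment">Sam: worked for me too. Like · Reply</div>
</body></html>
"""
BENIGN_URL = "https://www.examplebrand.com/rewards"
BENIGN_HTML = """
<html><body><h1>ExampleBrand rewards</h1>
<form action="/login"><input name="username"><input name="password"></form>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<div class="fb-comments"></div>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((LURE_URL, LURE_HTML), (BENIGN_URL, BENIGN_HTML)):
        v = triage(url, html, "ExampleBrand")
        print(f"{v.url}: score={v.score} ({v.label})")
        for reason in v.reasons:
            print("  -", reason)
```

The share-link check is the one most specific to this campaign family: a legitimate promotion may have a share button, but a page whose WhatsApp link carries its own URL as the prefilled message, combined with a brand name on a third-party domain, is the redistribution pattern described above. The brand check uses a last-two-labels approximation of the registrable domain, which is wrong for suffixes like co.uk; real deployments should use a public suffix list.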

There has been notable growth in this kind of WhatsApp phishing campaign in 2018, all of it making use of a number of familiar features to extract data from WhatsApp users. Quantifying it is difficult, because each attack is slightly different and attackers constantly tweak elements of the campaign as they learn what works and what doesn't. In an age of GDPR and increased scrutiny of data breaches and privacy, it is essential that mobile users learn to identify phishing in all its forms.


Dan is director of sales engineering at Wandera, the leading global provider of security and management for mobile data. An experienced engineer in network and cloud security, Dan has worked with start-ups through to global enterprises. Organizations use Wandera to protect ...
Comments
StephenGiderson, User Rank: Apprentice
11/28/2018 | 9:17:49 PM
The hackers will target anything they think they can get their hands on
The hackers will target anything they think they can get their hands on. I'm really not surprised if they start looking at all of the messaging applications to try and hook more people into their little web and rob them of their information and private details. There's really no stopping them. We just need to hope that the companies will do their due diligence to make sure there is more security in place.