

8/28/2018
10:30 AM
Dan Cuddeford
Commentary

WhatsApp: Mobile Phishing's Newest Attack Target

In 2018, mobile communication platforms such as WhatsApp, Skype, and SMS have far less protection against app-based phishing than email.

Mobile phishing is a topic that just won't go away. According to Verizon, 90% of all data breach incidents begin with a phish — and mobile is the fastest-growing vector of attack. Our research shows a new phishing site is created every 20 seconds. Yet, within mobile phishing there are many different techniques and campaigns being employed by attackers, making it difficult to keep up with the latest threats.

Researchers at Wandera have observed a new trend that's been growing in popularity among cybercriminals, with dozens of new attacks being detected every day. Many last less than 24 hours before the campaign is shut down and recreated elsewhere. This vast family of phishing attacks can be identified by a number of common features, most notably centering on WhatsApp, the popular messaging application.

Distribution Methods
We've observed an increase in phishing attacks that center on WhatsApp — not just for the initial method of delivery but also to subversively reach many more targets after each success.

While traditional phishing campaigns make use of email, most attacks today are distributed via other vectors on mobile. There are multiple reasons for this. For one thing, email clients and associated security technologies are better than ever at detecting and filtering suspicious messages from inboxes, whereas less-mature communication platforms such as Skype, WhatsApp, and SMS have far less protection in place. Put simply, email-based phishing is far less effective than app-based phishing in 2018.

Furthermore, with many millions of apps in use for communication on mobile devices, in-app defense against phishing is next to impossible, so attackers can target users in places where they do not expect malicious messages. These mobile-based attacks are three times more effective than desktop phishing, according to research from IBM.

Exploiting WhatsApp
Unlike in email, where the message is flagged as risky, this new phishing attack is not filtered at all in WhatsApp. In fact, when the link is shared in WhatsApp, it is sometimes expanded to display the snippet of the website, complete with logo and page title — all signifiers to the victim that this may be a legitimate domain.

Image Source: Wandera

Malicious Domains
When the user clicks on one of these links within WhatsApp, he or she is taken to a page that appears to be a limited time offer for a particular brand. These pages host content offering some kind of incentive for the user to complete a short questionnaire, typically employing a fake timer or countdown to instill a sense of urgency in the target.

These pages often also make use of mock Facebook comments, creating a false sense of social proof that these promotions are legitimate. Many of these fake commenters even express apprehension about the legitimacy of the page, only to later post that they have successfully completed the offer and have now received their reward. Some even include pictures of the gift as further evidence.

Most of these campaigns will aim to extract sensitive information from the target. In the examples discovered by Wandera, this ranged from personal data such as name, address, and phone number, to even more dangerous forms of personally identifiable information, such as credit card information.

Secure Sites
These campaigns employ another hallmark of the modern mobile phishing attack. While efforts to encrypt the web by implementing HTTPS on websites are admirable, general user understanding about this technology remains low. Most mobile browsers display a "secure" marker near the address bar of sites that have successfully made use of an SSL certificate, which attackers have used to convince users that their phishing domain is secure in a more general sense. Many users mistake this information for validation by Google or Apple that the site itself is authentic.

Organizations such as Let's Encrypt have been offering these certificates to website owners for free, providing a zero-cost way for attackers to bolster the perceived legitimacy of their phishing pages, and subsequently the efficacy of their attacks. These WhatsApp campaigns make frequent use of this technique.

Redistribution Techniques
The more novel part of this campaign is how victims of the attack are exploited to share the campaign with their contacts. This technique is not entirely new, but by integrating with WhatsApp, this method of campaign "virality" is much more effective than more primitive efforts, which explains why these attacks are increasing in frequency.

Either before or after completion of the form (depending on the specific campaign) on these malicious pages, the target cannot redeem their gift until they have sent a link to the page to a number of other contacts via WhatsApp. This way, with each successful phish, attackers are able to reach yet more victims — directly within the application that the campaign is designed to exploit.

A message is then auto-sent to what appears to be a random selection of WhatsApp contacts. This approach has the added benefit of coming from an individual that the target trusts, making them more likely to fall for the scam.

There has been a notable growth in this kind of WhatsApp phishing campaign in 2018, all making use of a number of familiar features to successfully extract data from WhatsApp users. Quantifying it is difficult, because each attack is slightly different and attackers are constantly tweaking different elements of the campaign as they learn more about what works and what doesn't. In an age of GDPR and increased scrutiny on data breaches and privacy concerns, it is essential that mobile users learn to identify phishing in all its forms.
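As an added illustration (not code from Wandera or the original article), the hallmarks described above, namely the urgency timer, mock Facebook comments, requests for personal and card data, and the WhatsApp share step, can be checked for in a fetched page. The keyword patterns, the threshold of 3 and both sample pages are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Known WhatsApp share-link formats; the keyword lists below are illustrative.
WA_SHARE = re.compile(r"whatsapp://send|https?://(wa\.me/|api\.whatsapp\.com/send)", re.I)
CARD = re.compile(r"card|cc-?num|cvv|cvc", re.I)
PII = re.compile(r"name|address|phone", re.I)
URGENCY = re.compile(r"countdown|timer|offer (ends|expires)", re.I)
COMMENTS = re.compile(r"(fb|facebook)-?comment", re.I)

class HallmarkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = set()  # one label per kind of hallmark seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ident = " ".join(filter(None, (a.get("id"), a.get("class"), a.get("name"))))
        if tag == "a" and WA_SHARE.search(a.get("href") or ""):
            self.hits.add("whatsapp_share_link")
        if tag == "input" and CARD.search(ident):
            self.hits.add("card_field")
        elif tag == "input" and PII.search(ident):
            self.hits.add("pii_field")
        if URGENCY.search(ident):
            self.hits.add("countdown")
        if COMMENTS.search(ident):
            self.hits.add("mock_comments")

    def handle_data(self, data):
        if URGENCY.search(data):
            self.hits.add("countdown")

def verdict(url, html, threshold=3):
    scanner = HallmarkScanner()
    scanner.feed(html)
    scanner.close()
    # The URL scheme is ignored on purpose: HTTPS says nothing about authenticity.
    return {"url": url, "hits": sorted(scanner.hits), "suspicious": len(scanner.hits) >= threshold}

# Constructed sample pages (not captured from any real campaign).
PHISH = """<div id="countdown">Offer ends in 4 minutes</div>
<form><input name="fullname"><input name="phone"><input name="card-number"></form>
<div class="fb-comments">I got mine today!</div>
<a href="whatsapp://send?text=https://gift.example.test/">Share to claim</a>"""
BENIGN = """<h1>Store news</h1><form><input name="email"></form>
<a href="https://wa.me/?text=https://shop.example.test/news">Share</a>"""
if __name__ == "__main__":
    print(verdict("https://gift.example.test/", PHISH), verdict("https://shop.example.test/news", BENIGN))
```

A WhatsApp share link alone is common on legitimate sites, which is why the benign page stays below the threshold; it is the combination of hallmarks that marks the constructed phishing page.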


Dan is director of sales engineering at Wandera, the leading global provider of security and management for mobile data. An experienced engineer in network and cloud security, Dan has worked with start-ups through to global enterprises. Organizations use Wandera to protect ...
StephenGiderson,
User Rank: Strategist
11/28/2018 | 9:17:49 PM
The hackers will target anything they think they can get their hands on
The hackers will target anything they think they can get their hands on. I'm really not surprised if they start looking at all of the messaging applications to try and hook more people into their little web and rob them of their information and private details. There's really no stopping them. We just need to hope that the companies will do their due diligence to make sure there is more security in place.