In this article, we continue our series on the top threats to smartphones, with network spoofing and phishing attacks.
This security vulnerability posed to smartphones goes back to the previous example of the public Wi-Fi hotspots that are found in the public places (once again like Starbuck’s or Panera Bread). Before you can actually gain access to the free data connection, you have to login with the username and password that is given (which is also publicly available) and agree to their terms of usage.
Usually this is an entire webpage, and there is no way to prove its authenticity. For the most part, these websites are actually legitimate, but given the level of the sophistication of the cyber attacker these days, a spoofed-up web page can be designed and replaced quite easily.
Typically, the cyber attacker names these spoofed public Wi-Fi hotspots such as “Airport Wi-Fi” or even “Coffeehouse Wi-Fi”. Unlike the legitimate login pages, the customer actually has to create an account in order to gain access the supposedly free data connection.
But, given how much people hate remembering hundreds of passwords, we tend to use the same username/password combination for just about everything we login into. The cyber attacker is also fully aware of this, and after you have created this account and logged in, and also in a manner very similar to that of a man in the middle attack, the cyber attacker will see the websites you are accessing.
If anything looks private and confidential, they will then later on use that same username/password combination that you have created, login, and covertly hijack everything and anything that they can.
This is a type of social engineering attack, and although it is has been around for a long time, it is still widely used by the cyber attacker of today, especially those on smartphones. Phishing can be defined as follows:
“It is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as… banking and credit card details and passwords”. (SOURCE: 1).
The tell-tale signs of a phishing attack include the following:
- The content of the e-mail message has poor spelling or grammar:
Phishing e-mails often contain misspelled words, or even extra digits in the telephone number in the signatory component of the message. At first glance, these can be exceedingly difficult to find, but after a second or third look, they can be spotted. For instance, a phony message would contain the salutary line of “Dear eBay Costumer” instead of “Dear eBay Customer”. Also, look in the subject line as well for any misspellings. Most e-mail applications are good in catching this, but some still fall through the cracks and make their way into your inbox.
- The hyperlinked URL is different than the one that is presented:
Most phishing e-mail messages contain the name of a legitimate organisation, but with a phony URL that is hyperlinked to it. For example, you could get what looks like a legitimate e-mail message from PayPal, and towards the end of the message, it will say something like:
“Check your PayPal account here.”
Obviously, the name looks authentic enough, but instead of taking you to www.paypal.com, the hyperlink displays a different URL.
- The e-mail message has a sense of urgency to it:
The content of a phishing e-mail will often have a strong sense of action to take. For example, it may say that your PayPal account has been closed, put on hold, or that there is even some sort of fraudulent activity that has occurred on it. In these instances, there will also be a link to take you to your account, but once again, it will be a phony one.
- It will contain a suspicious attachment:
Most legitimate business entities or even individuals will not send you an attachment unless you have specifically requested one. Sometimes, phishing e-mails will contain an attachment, which will very often be in a .DOC or .XLS file extension. It will look like that these attachments are coming from somebody you know. These attachments contain a malware or a spyware executable program which will launch onto your computer or wireless device once they are downloaded and opened.
Our next article will continue to examine the top threats to smartphones, focusing upon the latest threat out there, and perhaps the most dangerous: ransomware.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.