A DIGITAL LIFE E-GUIDE Protecting Yourself Against Mobile Phishing


More and more people are enjoying online activities via mobile devices. comScore research [1] says that 4 of 5 US users shop online via smartphone. It also found that 52% of users browse websites [2] on their gadgets, while 39% visit social networking sites or blogs. You should be able to enjoy these activities safely, without worrying about threats like mobile phishing. This is easy to do, as long as you understand what it is and how you can protect yourself from it.

Mobile phishing is simply phishing done via a mobile device, like your smartphone or tablet. Phishing is when cybercriminals solicit your personal information, like usernames and passwords, by spoofing the email or websites of legitimate entities. If you use your gadget for activities that require you to log in to a page, such as online banking, shopping, and social networking, then you’re at risk from this threat. What makes mobile phishing different from its desktop version is that it takes advantage of the limitations of the mobile platform in order to steal your information.

Some of these limitations include:

• Small screen size – This limits your device’s ability to display everything [3] on a mobile browser. Cybercriminals can use this to conceal telltale elements on their phishing pages.

• Default browsers – Certain devices prevent you from using more secure browsers. They have pre-installed default browsers that automatically open any clicked link.

• Simple UI (User Interface) design – Mobile device UIs are designed for a quick and streamlined user experience, so some security measures are skipped. This puts you at risk. A Georgia Tech University study [4] shows that most mobile browsers forgo displaying graphical icons that indicate a website’s legitimacy and connection security.

These limitations aren’t necessarily harmful. But they are also not very helpful in securing you against mobile phishing.

1 http://www.comscore.com/Insights/Press_Releases/2012/9/Retailers_Carving_Out_Space_in_the_M-Commerce_Market

2 http://www.comscore.com/Insights/Press_Releases/2013/1/comScore_Reports_November_2012_U.S._Mobile_Subscriber_Market_Share

3 http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-browser-security-problem-exists-between-device-and-chair/

4 http://www.gatech.edu/research/news/mobile-browsers-fail-georgia-tech-safety-test


What They Don’t Want You to See

Mobile phishing pages hide malicious routines that enable cybercriminals to steal your personal information. Cybercriminals see your data as assets they can either sell or use to carry out other schemes. Here’s what cybercriminals are after:

• Your financial accounts – Cybercriminals are known to break into bank accounts and siphon money off of them.

• Your social networking accounts – Cybercriminals can hijack your social networking accounts in order to spread scams and malware to others in your contact list. They can also mine your contacts’ accounts for more personal information.

• Your online shopping accounts – Cybercriminals can use your own online shopping account to buy themselves very expensive gifts, especially if your card is already tied to the account.

• Your identity and reputation – Cybercriminals can use your profile, name, or image to pose as you to your coworkers, family, or friends in order to scam them. They may also use your personal information in an attempt to damage your or someone else’s reputation.


Proceed with Caution

Every time you browse the Internet, be aware of the signs of mobile phishing.

1. Altered URLs: Cybercriminals take advantage of a mobile device’s small screen. The address bar’s size can hide the difference between a phishing page URL and a legitimate one. Below is a side-by-side comparison showing the difference in the URLs.

Notice that the legitimate URL uses HTTPS, a secure protocol, while the phishing URL does not. The fake PayPal URL also has additional text in the address.

2. Fishy graphics and typographical errors: Looking at the example above, the phishing site also sports an unfamiliar new logo and altered text. If you’re not keen enough to know what the legitimate page looks like, chances are you might get tricked.

Figure 1. Fake Paypal URL and page (left) vs. legitimate URL and site (right)
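The URL signs described above (no HTTPS, extra text around the brand name, small typos in the address) can also be checked mechanically. The following is an added example, not part of the original guide: `checkUrl`, its finding labels, and the `example.com` and `.test` sample addresses are constructed for illustration, and the expected host is assumed to come from a trusted source such as a bookmark.

```javascript
// Added example: flag the URL warning signs this guide describes.
// Levenshtein edit distance, used to spot one- or two-character typos.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Compare a tapped link against the host the user meant to visit.
// expectedHost is an assumption: it must come from a trusted source.
function checkUrl(rawUrl, expectedHost) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return ["not-a-valid-url"];
  }
  const findings = [];
  const host = url.hostname.toLowerCase().replace(/^www\./, "");
  const base = expectedHost.toLowerCase().replace(/^www\./, "");
  const brand = base.split(".")[0]; // e.g. "example" from "example.com"

  // Sign 1: the legitimate page uses HTTPS, the phishing page does not.
  if (url.protocol !== "https:") findings.push("no-https");

  // Sign 2: the host is not the expected site or one of its subdomains.
  if (host !== base && !host.endsWith("." + base)) {
    findings.push("unexpected-host");
    if (host.includes(brand)) {
      findings.push("brand-with-extra-text-in-host"); // additional text in the address
    } else if (editDistance(host, base) <= 2) {
      findings.push("looks-like-typo-of-expected-host"); // typographical change
    }
  }
  return findings;
}

// Constructed sample links (reserved example domains, not real sites).
const SAMPLES = ["https://www.example.com/signin",
  "http://example.com.account-verify.test/signin", "https://www.exarnple.com/"];
for (const s of SAMPLES) console.log(s, "=>", checkUrl(s, "www.example.com"));
```

An empty result means only that none of these three signs was found; it does not prove the page is legitimate.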


What You Can Do

Considering the shift towards using mobile devices in this “post-PC” era, mobile phishing isn’t only real, it’s also inevitable. Here are ways to protect yourself against it.

• Use official apps. If your online banking or shopping website has an app, use that instead of your mobile browser. But make sure to download these apps only from their official sources. This cuts out the middleman and makes the transaction strictly between you and your website. This denies cybercriminals the opportunity to phish for your information.

• Avoid clicking links or opening attachments in emails from suspicious senders. Always verify the emails you receive before taking any action. The links and files within them can be malicious.

• Double check the web page and its URL. If you’ve already landed on a phishing page, be vigilant. Consider how you got there and inspect the details. Did you click on a link you got from an email? There are legitimate emails that ask you to do this (email verification, for example), but this is how phishing mails usually operate.

Tap your browser’s address bar to fully display its contents. Scan for typographical errors or additional characters. Cybercriminals take over domains, banking on users making errors while typing or not noticing changes in the URL.

• Bookmark websites you frequent. If you must use your smartphone’s mobile browser, bookmark the sites you use frequently. This lessens your chances of landing on a phishing website due to spelling mistakes.

• Get a mobile security solution. Trend Micro™ Mobile Security keeps your mobile device and mobile data safe by identifying and blocking not only phishing threats, but also other web threats like malicious or high-risk URLs and apps.


©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

TRENDLABS

TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With more than 1,000 threat experts and support engineers deployed round-the-clock in labs located around the globe, TrendLabs enables Trend Micro to continuously monitor the threat landscape across the globe; deliver real-time data to detect, to preempt, and to eliminate threats; research on and analyze technologies to combat new threats; respond in real time to targeted threats; and help customers worldwide minimize damage, reduce costs, and ensure business continuity.

TREND MICRO

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge—from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.