"New" phishing technique, using padded urls on mobile apps

in #hacking, 8 years ago (edited)

Security researchers have discovered a new tactic used by phishing gangs to conceal the URLs of fake websites from even the more savvy of victims.

Dubbed URL padding, the technique relies on the smaller address bars of mobile devices, which stop users from seeing the whole address. Cyber-criminals abuse this user interface limitation by padding fake URLs with hyphens, so it becomes very difficult to identify a phishing site by its web address.

In a blog post, Crane Hassold, senior security threat researcher at PhishLabs, said that the highest proportion of attacks are aimed at Facebook users. For example, he said he had witnessed one such example: “hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html”.

(http was replaced with hxxp for security reasons)
(The phishing site is now offline)

“Although it starts with m.facebook.com (the genuine path for Facebook mobile) the actual domain in this case is rickytaylk.com.” To explain it a little further: everything before rickytaylk.com is just a long subdomain label, so the entire padded hostname sits under the attacker's registered domain. Unfortunately this technique also works with free hosting, as most free hosts put their own domain at the end of the URL (although don't expect any free domains to be available, as these campaigns normally acquire as many domains as possible).

Hassold said that while this doesn't look convincing on a desktop computer, when loaded into the smaller window of a mobile browser, it doesn't look as obvious.

“In fact, with the phishing site setup as an almost perfect replica of Facebook's genuine mobile login page, and the clever addition of the Facebook favicon in the address bar, this site looks remarkably genuine,” he said.

He also spotted examples deployed against users of Comcast, Craigslist, OfferUp and iCloud.

Hassold said that this style of phishing attack is very effective as users can't hover over links on mobile devices.
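To make the point concrete, here is an added example (not from the post or from PhishLabs) that parses a reported URL the way a defender triaging a phishing report would: it refangs the hxxp/[dot] notation, extracts the host, takes the registrable domain naively as the last two labels (an assumption; a public-suffix list would be more accurate), measures the longest hyphen run, and flags brand names that appear in the padding but not in the real domain. The watch-list of brands is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed watch-list of brands seen impersonated in the post; not an official list.
WATCHED_BRANDS = {"facebook", "comcast", "craigslist", "offerup", "icloud", "paypal"}
MOBILE_BAR_WIDTH = 24   # assumed number of characters a narrow mobile address bar shows

def refang(url: str) -> str:
    """Turn the defanged notation used in reports (hxxp, [dot]) back into a parseable URL."""
    return re.sub(r"\[dot\]", ".", url, flags=re.I).replace("hxxp", "http", 1)

def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumes a single-label TLD like .com)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def analyze(url: str) -> dict:
    """Report the real domain, padding evidence and which brands the host pretends to be."""
    host = urlsplit(refang(url)).hostname or ""
    domain = registrable_domain(host)
    # Longest run of hyphens anywhere in the host: the padding the post describes.
    longest_dash = max((len(run) for run in re.findall(r"-+", host)), default=0)
    # A brand name in the host that is NOT the registrable domain is impersonation.
    squashed = host.replace("-", "")
    impersonated = sorted(b for b in WATCHED_BRANDS if b in squashed and b not in domain)
    return {
        "host": host,
        "domain": domain,                      # what the user is really talking to
        "shown_on_mobile": host[:MOBILE_BAR_WIDTH],  # what a narrow address bar reveals
        "longest_dash_run": longest_dash,
        "impersonated": impersonated,
        "suspicious": longest_dash >= 5 or bool(impersonated),
    }

if __name__ == "__main__":
    for u in ("hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html",
              "https://m.facebook.com/login"):
        print(analyze(u))
```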

TIPS

  • When in doubt, don't check it out
  • Search for it manually on Google
  • If prompted for a login, it's likely a phish

I think information like this is very important, especially to people who are new to technology.

Whenever you interact with ANY site that requires a password (social media, banking, steemit) make sure you type it in to your browser yourself (or use a bookmark from your own browser).

Also remember, Facebook, your bank, and most other sites requiring a login will address you BY NAME; they will never say "Dear user" or "Dear [email address]".

Yes, you're absolutely correct! Many financial and fiat phishing attempts can be deciphered from legitimate emails by how they address the user. There is also a reason why spear phishing (targeting something or someone) is as effective as it is. By addressing the user by their name from other compromised sources, the attacker can gain a solid success rate. Always go right to the source! If, for instance, PayPal emails you, there's a good chance you can avoid the email altogether and log in directly and securely to their website.