Mobile phishing is a topic that just won’t go away. Attacks are on the rise, and it’s become clear that phishing is now unmistakably the number one mobile threat. According to Verizon, 90% of all data breach incidents begin with a phish – and mobile is the fastest growing vector of attack.

Yet, within mobile phishing there are all kinds of different techniques and campaigns being employed by attackers, making it difficult to keep up with the latest threats.

Researchers at Wandera have noticed a new trend that’s been growing in popularity among cyber criminals. Dozens of new attacks are being detected every day, and things are moving fast; many last less than 24 hours before the campaign is shut down and recreated elsewhere. This vast family of phishing attacks can be identified by a number of common features.

Attack summary

  • Initial distribution via WhatsApp, typically via a known contact
  • Exploitation of reputable brand to host web content offering high value incentive, such as free tickets, low cost products or discounted gift cards
  • Pages optimized for mobile. In many cases the pages redirect or fail to load on desktop.
  • Use of free SSL certificates to add authenticity on the landing page
  • Limited time element to invoke a sense of urgency in the target
  • Social proof integrated onto landing pages in the form of comments to increase perceived legitimacy
  • Survey or form embedded on the page, designed to extract sensitive user information
  • The inclusion of a ‘viral’ resharing of the malicious link with the user’s WhatsApp contacts

Distribution methods

Using data on new attacks surfaced by MI:RIAM, Wandera’s security intelligence engine, researchers have observed an increase in phishing attacks that center on WhatsApp – not just for the initial method of delivery, but also to subversively reach many more targets after each success.

First, some context on distribution. While traditional phishing campaigns make use of email, most attacks today are distributed via other vectors on mobile. There are multiple reasons for this. Firstly, email clients and associated security technologies are better than ever at detecting and filtering suspicious messages from inboxes, whereas less mature communication platforms such as Skype, WhatsApp and SMS have far less protection in place. Put simply, email is far less effective than app-based phishing in 2018.

Secondly, the many millions of apps that people use for communication on mobile mean that in-app defense against phishing is next to impossible – meaning attackers can target users in places they do not expect malicious messages. These mobile-based attacks are three times more effective than desktop phishing, according to research from IBM.

Exploiting WhatsApp

Unlike in email, where the message is flagged as risky, this new kind of phishing attack is not filtered at all in WhatsApp. In fact, when the link is shared in WhatsApp, it is sometimes expanded to display the snippet of the website, complete with logo and page title – all signifiers to the victim that this may be a legitimate domain.

Malicious domains

When the user clicks on one of these links within WhatsApp, they are taken to a page that appears to be a limited time offer for a particular brand. These pages host content offering some kind of incentive for the user to complete a short questionnaire, typically employing a fake timer or countdown of available units to instil a sense of urgency in the target.

These pages often also make use of mock Facebook comments, creating a false sense of social proof that these promotions are legitimate. Many of these fake commenters even express apprehension about the legitimacy of the page, only to later post that they have successfully completed the offer and have now received their reward. Some even include pictures of the gift as further evidence.

Most of these campaigns will aim to extract sensitive information from the target. In the examples discovered by Wandera, this ranged from personal data such as name, address and phone number to even more dangerous forms of PII, such as credit card information.

Secure sites

These campaigns employ another hallmark of the modern mobile phishing attack. While efforts to encrypt the web by implementing HTTPS on websites are admirable, general user understanding about this technology remains low. Most mobile browsers display a ‘secure’ marker near the address bar of sites that have successfully made use of an SSL certificate, which attackers have used to convince users that their phishing domain is secure in a more general sense. Many users mistake this information as validation by Google or Apple that the site itself is authentic.

Organizations such as Let’s Encrypt have been offering these certificates to website owners for free, providing a zero-cost way for attackers to bolster the perceived legitimacy of their phishing pages, and subsequently the efficacy of their attacks. These WhatsApp campaigns make frequent use of this technique.

Redistribution techniques

The more novel part of this campaign is how victims of the attack are exploited to reshare the campaign with their contacts. This technique is not entirely new, but by integrating with WhatsApp, this method of campaign ‘virality’ is much more effective than more primitive efforts, which explains why an explosion in the volume of these attacks appears to be taking place.

Either before or after completion of the form (depending on the specific campaign) on these malicious pages, the target cannot redeem their gift until they have sent a link to the page to a number of other contacts via WhatsApp. This way, with each successful phish, attackers are able to reach yet more victims – directly within the application that the campaign is designed to exploit.

A message is then auto-sent to what appears to be a random selection of WhatsApp contacts. This approach has the added benefit of coming from an individual that the target trusts, making them more likely to fall for the scam.
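The hallmarks enumerated in the attack summary and the sections above (WhatsApp share gate, countdown or unit counter, mock comment widgets, a form collecting card data, urgency wording, and a brand name in a hostname the brand does not own) can be turned into a simple triage heuristic for pages a security team has already fetched. The following Python is an added example written for this article, not Wandera’s or MI:RIAM’s code; the weights, thresholds, the brand watchlist and the two sample pages are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Regexes for the hallmarks described on this page; weights are assumed, for illustration only.
INDICATORS = {
    "whatsapp_share": (re.compile(r"api\.whatsapp\.com/send|wa\.me/|whatsapp://send", re.I), 3),
    "countdown_timer": (re.compile(r"countdown|setInterval\(|units? left|only \d+ left", re.I), 2),
    "fake_comments": (re.compile(r'fb-comments|class="comment', re.I), 2),
    "card_form": (re.compile(r'name="?(card|cc_?number|cvv|expiry)', re.I), 3),
    "urgency_words": (re.compile(r"\b(hurry|limited time|act now)\b", re.I), 1),
}
BRAND_WATCHLIST = ("examplebrand",)  # constructed; replace with the brands you protect
BRAND_WEIGHT = 3

def brand_lookalike(url: str, brands=BRAND_WATCHLIST) -> bool:
    """True when a watched brand appears in the hostname but the host is not the brand's own domain.
    Simplification: treats only brand.com as the legitimate domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(b in host and not host.endswith(f"{b}.com") for b in brands)

def score_landing_page(url: str, html: str) -> dict:
    """Return indicator hits, an additive score and a verdict for one fetched page."""
    hits = {name: bool(rx.search(html)) for name, (rx, _) in INDICATORS.items()}
    hits["brand_lookalike"] = brand_lookalike(url)
    score = sum(w for name, (_, w) in INDICATORS.items() if hits[name])
    score += BRAND_WEIGHT if hits["brand_lookalike"] else 0
    if score >= 6:
        verdict = "likely phishing"
    elif score >= 3:
        verdict = "needs review"
    else:
        verdict = "clean"
    return {"score": score, "hits": hits, "verdict": verdict}

# Constructed sample pages mimicking the campaign described above (not real captures).
SUSPICIOUS_URL = "https://examplebrand-anniversary-gift.example/claim"
SUSPICIOUS_HTML = """<h1>ExampleBrand 70th Anniversary - Free Gift Card!</h1>
<p>Hurry, only <span id="units">23</span> units left. Limited time offer.</p>
<script>setInterval(function(){ tick--; }, 1000);</script>
<div class="fb-comments"><div class="comment">Was sceptical but got mine today!</div></div>
<form action="/submit"><input name="name"><input name="card_number"><input name="cvv"></form>
<a href="https://api.whatsapp.com/send?text=Claim%20your%20gift">Share with 20 friends to unlock</a>"""
BENIGN_URL = "https://www.examplebrand.com/news"
BENIGN_HTML = "<h1>Quarterly results</h1><p>Read the full report.</p>"

if __name__ == "__main__":
    for u, h in ((SUSPICIOUS_URL, SUSPICIOUS_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(u, score_landing_page(u, h)["verdict"])
```

The score is only a triage aid: the WhatsApp share gate and card-collecting form are the strongest single signals here, and a page that hits either deserves a human look even when the total stays below the threshold.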

Advice for organizations

There has been a notable growth in this kind of WhatsApp phishing campaign in 2018, all making use of a number of familiar features to successfully extract data from WhatsApp users. Quantifying it is difficult, because each attack is slightly different and attackers are constantly tweaking different elements on the campaign as they learn more about what works and what doesn’t.

Businesses should be particularly wary of these attacks for three key reasons.

  • Corporate data might be exposed by an employee that completes the form using business credentials.
  • Corporate credentials can often be accessed through the extraction of personal data.
  • Personal employee data that is lost in a cyber attack is now the responsibility of the employer if such an event occurs on a corporate-owned device.
  • There may be direct financial implications in the event that credit card or bank information is lost.

In an age of GDPR and increased scrutiny on data breaches and privacy concerns, it is essential that organizations implement mobile-centric training into their anti-phishing initiatives.

Security teams are also encouraged to assess the mobile security landscape and implement a technology that can not only detect phishing attacks in the moment they occur on mobile, but also keep users safe from accessing malicious domains such as those described in this article.