Phishing has been around since the earliest days of the internet. Back then, it was an email from a Nigerian prince asking you to provide your bank credentials, claiming to have a substantial inheritance waiting for you. Poorly worded and misspelt notes were also commonplace, asking you to send off your credit card information for account security purposes.

In fact, when you say the word ‘phishing’, these types of scams are what first comes to mind for most of us. An unsophisticated, poorly executed attack that would likely be filtered to your spam inbox.

It’s becoming increasingly important as a business to recognize that times have changed. Phishing attacks are not what they used to be. Not only are they no longer restricted to the vehicle of email, but they’ve become increasingly advanced. Wandera’s data suggests that a user is now 18x more likely to fall victim to a mobile phishing attack than a malware attack.

With a new mobile phishing site created every 20 seconds, it’s vital to understand the ways in which phishing has advanced and proliferated to better protect your organization.

Enhanced distribution networks

The phishing ‘industry’ as a whole has experienced something many verticals do at some point in time. While there has been and continues to be an increase in the overall volume of attacks and malicious phishing sites created, the previously fragmented nature of these schemes (one hacker to every phishing attack) has changed drastically. This has happened alongside the maturing of the industry. There has come a time of consolidation.

By that we mean individual hackers or groups of hackers are working together to create large, advanced distribution networks for their phishing schemes. How do we know this is taking place? Wandera’s Data Science team performed an intricate analysis into the phishing dataset produced by MI:RIAM.

This data, pulled from Wandera’s global network of corporate mobile devices, contains those FQDNs that have been tagged and identified as phishing. The team further investigated these domains to determine who was behind their creation.

The results of this research are staggering. The team was able to uncover the anonymized email addresses of hackers who had created and registered domains in the first place. They were also able to understand how many malicious domains those email addresses had registered. The majority of these email addresses had more than 1 domain registered, with some having as many as 135 under their belt.

The ease with which hackers are now able to create and take down web domains has without a doubt contributed to the creation of these far-reaching distribution networks as well as the proliferation of zero-day phishing attacks. This has allowed hackers to advance their techniques and increase their overall odds of success.

Domain sophistication

A common argument against a user’s ‘vulnerability’ to a phishing attack is that all said user needs to do to avoid them altogether is carefully evaluate the URLs they are clicking on. While analyzing a website’s URL is a great way to keep an eye out for phishing attacks, the level of domain sophistication that hackers are implementing in their attacks makes this practice very difficult, especially on mobile.

We all know what to look out for in a malicious URL, and we’re not suggesting that many would be fooled by the likes of misspelt, long-winded, seriously obvious phishing URLs. But keep in mind that on a mobile device, there is limited screen real estate. More often than not, you only see the first part of a URL in your mobile browser, before the inevitable ‘…’ that details the remainder.

Hackers are painfully aware of this fact, and they’ve started to get smart about what their domains look like. We all know, for instance, that a hacker can’t use www.facebook.com as a phishing attack. Facebook owns the rights to this domain and no one else will be able to acquire it anytime soon. But what about a subdomain of Facebook: www.facebook.photos.login.com? Looks pretty legitimate, right?

Cybercriminals have started sneakily registering subdomains of popular websites to orchestrate their phishing attacks. This is in hopes that a user will simply see “facebook” or “youtube” and inherently trust the rest of the URL. This is especially problematic when it comes to mobile phones, as stated above. All a user will be able to see in their mobile browser window is likely the first ‘legitimate looking’ part of the domain, before it trails off: www.facebook.com.photos…. This, of course, means the likelihood of falling victim to these attacks as a mobile user increases drastically.
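The check a filter or analyst can run on such a hostname, as an added example that is not Wandera's code: whoever controls the registrable domain (the public suffix plus one label) controls the page, so in www.facebook.photos.login.com the owner is login.com and "facebook" is only a label to its left. The suffix set, the brand map and the 20-character address-bar width are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Assumption: tiny constructed subset of the Public Suffix List; real tooling
# should load the full list from publicsuffix.org.
SUFFIXES = {"com", "net", "org", "co.uk"}
# Assumption: brands to watch, mapped to the domain each brand really owns.
BRANDS = {"facebook": "facebook.com", "youtube": "youtube.com"}
MOBILE_WIDTH = 20  # assumption: characters visible in a narrow address bar


def registrable_domain(host):
    """Longest matching public suffix plus the one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def inspect_url(url):
    """Report who controls the host and which brand names sit to its left."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    sub_labels = host[: len(host) - len(reg)].rstrip(".").split(".")
    brands = sorted(
        brand for brand, real in BRANDS.items()
        if reg != real and any(brand in label for label in sub_labels)
    )
    visible = host if len(host) <= MOBILE_WIDTH else host[:MOBILE_WIDTH] + "…"
    return {"registrable": reg, "brands": brands,
            "visible": visible, "suspicious": bool(brands)}


if __name__ == "__main__":
    # Hostname from the article, plus a genuine one for contrast.
    for u in ("http://www.facebook.photos.login.com/signin",
              "https://www.facebook.com/photos"):
        print(u, inspect_url(u))
```

The `visible` field shows why the truncated address bar misleads: the part that fits on screen contains the brand label but not the registrable domain.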

A/B attacks

Perhaps the largest advancement we’ve seen in phishing as a threat vector is the emergence of what we’ve termed “A/B phishing attacks”.  If you hail from a marketing or web analytics background, you’ll likely already be familiar with what A/B testing means. Usually it involves a controlled experiment with two variants, A & B. It’s a way to compare two versions of a single variable by testing a subject’s response to variable A against B to establish which is most effective.

Similarly, an A/B phishing attack is designed to serve a user customized content based on certain stimuli. Hackers know for example, that if they serve an Android user a page not formatted for an Android device, or in a language other than the one the user speaks, the phishing attack likely will not be successful. The user will immediately recognize the page as suspicious and therefore avoid it.

Hackers have, as per usual, found a way to target their attacks. Phishing webpages now have code written into them that allows them to determine what device and OS the visitor is using to access the page. They can also determine the language settings of the user’s keyboard and determine how to present the page as a result of these factors.

These phishing attacks are so advanced that they can actually be programmed to only show the phish if the user is accessing the site on mobile. Hackers know that individuals are more likely to fall victim to their attacks on mobile. Additionally, they don’t want their domain being flagged by a computer anti-virus scanner. They can therefore choose to show a blank page with no malicious phish if a computer accesses the webpage (let’s call this the ‘A’ scenario) and only show the actual phish if they detect a mobile device accessing the page (‘B’ scenario).

This advanced customization allows for hackers to deliver even more credible networks of attacks that stay active much longer before being discovered or flagged by security software.
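For scanners, the practical consequence of the A/B behaviour is that one desktop fetch is not enough: the same URL has to be requested under several client profiles and the responses compared. The following added example (not Wandera's code) does the comparison step on already-collected bodies; the profile names, the sample HTML and the blank-page threshold are constructed assumptions.

```python
from html.parser import HTMLParser

BLANK_TEXT_CHARS = 40  # assumption: below this much visible text, call the page blank


class PageSignals(HTMLParser):
    """Counts password fields and visible text in one HTML response."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.text_chars = 0
        self._hidden = 0  # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())


def cloaking_findings(responses):
    """responses maps a client profile name to the HTML body it received."""
    form, blank = [], []
    for profile, body in sorted(responses.items()):
        page = PageSignals()
        page.feed(body)
        page.close()
        if page.password_inputs:
            form.append(profile)
        elif page.text_chars < BLANK_TEXT_CHARS:
            blank.append(profile)
    return {"cloaked": bool(form and blank),
            "served_form_to": form, "served_blank_to": blank}


# Constructed bodies standing in for the same URL fetched with different profiles.
SAMPLE = {
    "desktop/en": "<html><head><style>b{}</style></head><body></body></html>",
    "android/en": "<html><body><h1>Sign in</h1><form><input type='text' name='u'>"
                  "<input type='password' name='p'></form></body></html>",
}
```

A URL that returns a credential form to one profile and a near-empty page to another is worth escalating even when the desktop response alone looks clean.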

Phishing vehicles

While email still remains the most dominant method of distribution for phishing attacks, it has certainly become the least lucrative. Advanced filtering technologies and decades of awareness training mean that, while a sea of attempts still flows towards users’ inboxes, the vast majority are now intercepted by various layers of security. Those that do squeeze through are in most cases wisely ignored by an increasingly shrewd user, even on mobile devices.

The current reality is that over 80% of successful phishing attempts on mobile take place elsewhere. One of these channels is through messaging apps, where user scrutiny and security measures are much more lax. Phishing attacks have now been observed in practically every single form of communication on mobile devices, including: WhatsApp, Facebook, Messenger, WeChat, Skype, Viber, Kik and QQ.

Users don’t expect phishing attacks to come through these various messaging apps. They aren’t known to be risky and most users engage with them multiple times per day. Therefore, when using them, individuals are much more likely to have their guard down and therefore can easily end up falling victim to a sophisticated phishing scheme.

For more information on where mobile phishing is now taking place, check out our post on Whishing, Smishing and other phishing vehicles.

So what’s the solution?

The phishing landscape has undoubtedly progressed and advanced hugely since inception, and will likely continue to do so in the coming years. It’s becoming increasingly clear that businesses cannot rely on the human nature of employees to ward off these attacks, especially on mobile.

Wandera is the only mobile security solution on the market that can proactively block phishing attacks and cut them off at the source, in real-time.

Its solution has the ability to block sensitive information from being exfiltrated from the mobile device and sent to the command and control, even if an end user falls victim to social engineering. This is all because of Wandera’s unique architecture that allows it to monitor mobile traffic over the network in real-time.
