Firms target mobile security hole with new anti-phishing browser, other tools
Lookout joins other security firms, releasing a browser for smartphones that can blacklist known phishing sites.
By Robert Lemos
June 16, 2011 — CSO —
With data showing the effectiveness of phishing campaigns against mobile browsers, security firms have aimed to fill that particular security hole: Symantec, McAfee, Trend Micro, F-Secure and Webroot are among the companies that have released secure browser add-ons for Android phones.
On Wednesday, mobile security firm Lookout joined the group by adding its own secure browser, Safe Browsing, to its security product, Lookout Mobile Security. The update gives mobile users a browser that prevents drive-by downloads and checks Web sites against a list of phishing sites.
While attacks on mobile Web browsers are not yet a big threat, the dangers will increase, says Kevin Mahaffey, chief technology officer for Lookout.
"We thought it very important that we secure this vector, particularly exploits, before widespread outbreaks, so we can avoid some of the pain we see in the PC industry," Mahaffey says. "Effectively, we want to solve problems before they become problems."
One problem is that phishing attacks tend to work better on smartphones for a number of reasons. In an analysis of a server used to host phishing attacks, security firm Trusteer found that the first victims were always mobile users. The company theorized that because users carry the devices around with them, they are more likely to visit a phishing site before it gets added to a blacklist.
In addition, a key indicator of fraud is the Web address in the browser's URL bar, but on a mobile phone, the address is typically truncated, says security firm F-Secure.
"The small screen estate on smartphones makes phishing easier," Mikko Hypponen, chief research officer for F-Secure, wrote last month in a blog post. "When you add this with the fact that most smartphones have no phishing e-mail filters and no web blocking of scam sites, we can only come up with one result: phishing works much better on phones than on PCs."
Every mobile user should be using a browser with antiphishing features, says Charlie Miller, principal research consultant for consultancy Accuvant.
"If you are ever going to do anything sensitive on your phone, such as banking, then you definitely need it, for the same reason that you need it on desktops," Miller says. "You don't want to end up at a site that you think is one thing, but it is not."
The Mobile Safari browser on iPhones has anti-phishing built in. However, Trusteer found that eight times as many iPhone users visited phishing sites as other mobile users. Only a few security companies, such as Trend Micro, offer secure browsing on the iPhone platform as well.