Mobile Phones Are Great for Phishers, Researchers Find

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.

Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim’s user name and password on websites such as Facebook or Twitter.

Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.

The problem is that mobile users are being trained to enter their passwords and user names into mobile apps.

The first time one mobile program wants access to another — for example, if Groupon for iPhone wants to share something on Twitter — the program typically pops up a window that invites the user to sign into that website. But there’s usually no way to be sure that the login site is legitimate and that the phone’s owner is really sending his user name and password to Twitter.

PC browsers have Web address bars, green warning lights and other features to help Internet users know if they’re being tricked by phishers, but that’s not the case in the mobile world. Phones are so small there often just isn’t space for these protections.

In tests, researchers have shown that it’s almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones.

The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing.

David Wagner, a Berkeley computer science professor, believes that until there are better ways for mobile applications to talk with each other, this could be a very hard problem to solve. “The reason we wrote this paper was because we saw the potential risk and we did not have a good solution,” he said.

In their paper, Wagner and co-author Adrienne Felt conclude, “mobile users’ passwords for several major sites (notably including Facebook and Twitter) might be at risk.”

One person who’s working on a fix is Markus Jakobsson, principal scientist of consumer security at PayPal. He’s developing software that would work with smartphone operating systems, called Spoof Killer. It would keep track of which applications and websites are legitimately supposed to ask for login credentials and simply block the fake ones from working.

Jakobsson thinks there could be a surge of spoofing in the next year or so as the mobile phone becomes the most popular way to surf the Web. “It just makes sense to me, to attack the predominant platform,” he said.

Right now, there are not a lot of phishing attacks that specifically go after mobile users, according to Dave Jevans, chairman of the Anti-Phishing Working Group. But he agreed that phishing e-mails are more effective when they end up in mobile-phone mailboxes. “The antiphishing technologies on the mobile phone are inferior compared to what is available on the Windows platform,” he said.

However, when it comes to mobile devices, Jevans said he’s more worried about malicious apps than about phishing e-mail messages.

Phone makers have security checks to prevent malicious programs from getting included in their app stores. But a criminal could distribute a program that seemed legitimate at first and then flip a switch on a server somewhere and suddenly turn it into a password-stealing phishing program, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout. “It’s this whole new world of mobile malware that gets around the security controls,” he said.

Luckily, the malicious programs that Mahaffey has seen so far haven’t been like this. They’ve been obvious, engaging in bad behavior from the start. “Right now, the bad guys haven’t figured out that you can make something good and then turn it bad after a period of time,” he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com