Mobile Users More Vulnerable To Phishing Attacks

Orome1 writes "Trusteer recently gained access to the log files of several web servers that were hosting phishing websites. Analyzing these log files provided visibility into how many users accessed the websites, when they visited them, whether they submitted their login information, and what devices they used to access the website. As soon as a phishing website is broadcast through fraudulent email messages the first systems to visit it are typically mobile devices. Most fraudulent emails call for immediate action. For example, they usually claim that suspicious activity has been detected in the user's account and that immediate action is required. Most victims who fall for this ploy will visit the phishing site quickly."

Actual headline

[somersault]

So, after reading the summary, we can conclude that the actual headline should be:

Mobile users more up to date with email than desktop users!

*facepalm*

Re:

[initdeep]

SERIOUSLY?

and where did those white people in New Zealand and Australia come from.......

Re:

[cbiltcliffe]

No shit.

Big surprise, people who get their email immediately are more likely to be first to visit a phishing site before it's taken down.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[DrgnDancer]

No, you believe that iPhones are "fashion accessories and social opiates" in actual fact, something on the order of 75% of the people I work with use iPhones, and we're a mostly Unix systems and development shop. Of course you will now counter that they must not be very good at their jobs or make some other obvious slur, because in your mind only people who agree with you about every aspect of technology could possibly be competent. None the less, we do quite well, our customers are usually very happy, an

Re:

[Anonymous Coward]

And for every guy/girl that makes a living administrating Unix and has an iPhone, there are 100,000 other people that have an iPhone that have never heard of Unix. What is your point? Of those 100,000 per unix administrator, 99,900 of them never owned a non Apple smartphone and 99,500 of them can't even name a non Apple smartphone by model number so to say they never compared and chose an iPhone because of usability or function over some other choice because they never looked or know that other choices ex

Re:

[formfeed]

A typical Blackberry user, while probably not a technical elite, has more years of experience using a computer than the iPhone user has been alive and has some semblance of an idea how email works, if just enough to become suspicious.

But on the other hand, an iPhone can be used as a level for hanging pictures.

iPhones are fashion accessories and social opiates.

Only if you add some cool apps. Did you know that you can use the level app to find out at what angle you fall over?

Re:

[mikael_j]

My experience is that those who use "executive smartphones" (like blackberrys) are generally quite inept when it comes to tech but "compensate" for it by yelling at those geeks in the IT department whenever something goes wrong (which also results in them getting as much preemptive CYA protection as possible from the IT geeks).

iPhone users on the other hand tend to be "regular people" without magic CxO powers which means they're left to fend for themselves.

Re:

[mcgrew]

iPhone users on the other hand tend to be "regular people" without magic CxO powers

That's been my observation. I see suits and blackberries at work, iPhones and blue jeans at the bar (even though they are the expensive jeans; most people in that bar have normal phones).

Re:

[Monkeedude1212]

A typical Blackberry user, while probably not a technical elite, has more years of experience using a computer

I think you are being generous to the Blackberry users.

In my work as a help desk technician, who tirelessly has to make sure everyone's email works on Blackberry, iPhone, Android, WinMobile, etc - I've learned that Unless you are competant enough with computers to know how to avoid malware you are not any safer or more capable with your phone than any other phone provider.

Simply "Using windows longer" does not constitute any more strength against malware attacks. My parents have used Windows for almost as l

Re:

[Duradin]

It would seem Apple bashing is a fashion accessory and social opiate around here.

Gotta love the /. hipsters.

Re:

[zach_the_lizard]

75% of iPhone users are above 25 years old, according to an April 2009 survey [cnn.com]. RIM itself, in a 2010 leaked powerpoint [blackberrycool.com] estimated their own users at 36.7 years old, with the other smartphone users being 35.8. Still other survery show that the iPhone has just about 50% of its users 35 and above.

Blackberry users, though they might be a little older, probably aren't so much older that they've been using a computer longer than the average iPhone user has been alive.

Re:

[zach_the_lizard]

And the links above seem to suggest that that stereotype (at least as far as age goes) is not so accurate. iPod touch? Yeah, the vast majority of people who own those are 13-17. iPhone? Nope; the same proportion is above 25.

Re:

[initdeep]

and how many of those iPhones are "sold" to the parents in a household, yet used by the teenage children/under 25 college student in the household and on the parents phone plan.......

I can think of about 50 in my somewhat small circle of friends alone.....

Re:

[zach_the_lizard]

It doesn't matter, because the survey was through the browser, not at the store while you purchase the device / contract. If the parents get their kid an iPhone, it will show up in the survey as the kid's (since he's the one actually using it).

Re:

[Requiem18th]

But it run Apps! I dare you run Apps in your conpooter

Re:

[Opportunist]

No. But the typical Blackberry user has an admin he can call and tell "solve that problem for me" which usually results in "No worries, boss, it's a phishing site, you didn't go there? No? Ok, then I'll take care of it, shouldn't take longer than an hour or two".

Dammit, I'm outta rockets...

Re:

[clang_jangle]

Think about it. What percentage of users even know what an email header is, let alone how to look at it?

Fixed.

Re:

[I8TheWorm]

Ought to be modded insightful.

While smartphones certainly existed before the iPhone, Apple was instrumental in putting them in the hands of non-techies. The stereotypical soccer mom isn't exactly the most tech savvy person out there.

Re:

[josepha48]

actually most mobile clients do not show email headers nor do they show URL's like a browsers location bar. So if the title says wells fargo and looks like wells fargo then how are they gonna know the location is actually youjustgothackedonyourmobile.com

Re:

[account_deleted]

Comment removed based on user account deletion

It doesn't matter if they know..

[Leon Buijs]

You can't look at the email headers on an iPhone, the mail app has no option for it.

We created this problem

[Simonetta]

We created this problem when we created the web. It is our ('our' being us the people who make their living building and maintaining the web) responsibility to solve it. We can't just tell people to monitor the arcane technical details over what is basically an issue of massive amounts of unpunished fraud crime. If left unchecked, the criminals will just get better and better technology.

We have to decide several things: one, we have to accept that law enforcement can not deal with this bec

Re:

[DrgnDancer]

Yeah, because it's not the least bit illegal to beat the shit out of people whom you personally determine to be guilty of a crime. Not to mention that on the Internet no one know you're a dog. How do you know this guy you're going out to "sting" isn't a 6' 5", 250 pound multiple black belt and weapons expert? Nothing can possibly go wrong with your plan

Re:

[TaoPhoenix]

When you have his info look him up on Facebook!

Re:

[jc42]

But we should take care of this problem. Otherwise we can't claim that there is any real benefit to the citizens in using the internet that we have so painstakingly created.

Um, we (the folks who brought you the Internet, including email) have done it. On the machine where my primary email address lives, the email software runs a program that does a pretty good job of testing each message for problems and giving a "spam" rank. I have my reader automatically file everything above a threshold in a "junk" folder, which I check occasional for false positives. I can also add things like keywords (e.g., certain commercial domains) to the list of suspicious content patterns.

This is

Re:

[jc42]

Well, yeah, I read that. But he also suggested why a vigilante approach might not work too well. In particular, the phishing part is more and more being run by the organized crime crowd, who in many places function much like the government: If you hurt their people, they simply kill you. So we might want to be careful about which spammers and phishers we approach with our torches, pitchforks and clubs.

A much safer approach would be to spread the existing (open, free) software that helps spot email beari

Re:

[Opportunist]

No. FUCKIN' NO!

We created the web for US. No safety bars and no handrails. Why? 'cause we don't need them. We wanted something that "just works". And it did. For US. And for nobody else it was meant to be.

If someone has to fix it, it's the people who want the tech illiterates to litter our web. I never wanted them to be here, and whether they are here or not is nothing I'd be interested in.

Bluntly, it was a mistake to make the web "user friendly". A big mistake. Every roller coaster has a sign "you must be

Re:

[hedwards]

Part of the problem is that tricks that you have available on a desktop interface to do a check of the actual URL aren't available on mobile devices. I know that the only way I can know what a link is for is by cutting and pasting it, whereas with my desktop I can hover over it. Worse due to the size constraints on my screen, I can't count on seeing the entire URL.

I'm using a Nexus One, but I suspect that to be a fairly common problem on mobile platforms.

Re:

[toleraen]

Holy mother of Moses, I get to brag about Windows Mobile for a second!

Every time I click a link in an email it displays the full text of the link and asks me to confirm that I want to go to that website.

Re:

[jc42]

So the lesson is, if you use an iPhone - don't click on that link until you check it out the full email header on a PC.

And this is a good hint at a major problem with mobile email: The user isn't generally allowed to see the full headers. I have a G1 (Android) with gmail installed. I've tried to find the email headers on several occasions, and as far as I can tell, there's no way to see them. And this isn't just a problem on Android; I also read my gmail from my linux and Mac computers, and I can't see the headers there, either. This is why my preferred email address is on an academic unix (FreeBSD) machine where I can

Re: phishing

[Anonymous Coward]

I see no reason to use mail headers. It's obscure and "nobody" (general public) will know how to read them.

If people had a semblance of intelligence, they would know that email is inherently untrusted. EVEN if you had a game account, bank account, etc. with the phished company in question, I would never click on any link inside the email. I would go directly to the site itself by typing into a browser. Any notices that go through the email can be easily navigated or noted through the site itself.

There's

Re:

[assassinator42]

To see the full source (including headers) of an email in GMail, click on the arrow on the right of reply then "Show Original".
I also don't see any way to do this in GMail for Android or even the GMail mobile website.

Re:iPhone phishing

[philj]

iPhone users are 8 times more likely to engage phishing websites than Blackberry users. iPhone users account for 26% of the mobile market, Blackberry is 36%. .

I imagine this is because most Blackberrys are corporate phones and the phishing emails will never reach their corporate mailboxes in the first place.

iPhone users on the other hand will be more likely to use hotmail/yahoo mail etc, which aren't as good at removing such mails, making the percentage of emails delivered to the device higher, hence the number of phishing website click-throughs higher.

Just my thoughts, based on no data.

Re:

[businessnerd]

I imagine it also has to do with how terrible the web browser is on most Blackberries. I haven't used the new Blackberry OS 6 browser that uses WebKit, but every BB running OS 5 and later has a slow clunky browser that often fails to render pages correctly. When I receive an e-mail on my BB that requires immediate action be taken on a website, sometimes I might try on the phone itself, but half the time I do, the page has issues loading or login doesn't work or some other javascript error keeps things fro

Re:

[fizzup]

I never click any link in an email I get on my Blackberry, because Blackberry's browser sucks poop. And I mean a lot of poop. Like, through one of those big fat "bubble tea" straws. Ssssssssshhhhhhhhthug! Eww, that was a yucky experience. Like that. Poop.

Re:

[Monoman]

A fool and his password ...

Maybe mobile DEVICES are more vulnerable

[clone53421]

If mobile users can’t tell the difference between real sites and fraudulent ones, that says something about the mobile device’s web browser, IMHO.

Re:Maybe mobile DEVICES are more vulnerable

[Nadaka]

Mobile users are used to having their browser detected as mobile and being shunted off to a simplified and barely functional mobile page.

It is one of the reason that I use firefox with a user agent fuzzer on my android phone.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[clone53421]

If you’re not just trolling (which I very much suspect you are), care to explain what you meant by that?

Re:

[cbiltcliffe]

The timeline goes something like this:

1. Phishing email is sent out.
2. Desktop users won't check their email for several hours, because they're at work/away from their desk/in a meeting, but mobile user gets email immediately, because their device is on their belt.
3. Mobile user provides username/password to fake site.
4. Site gets noticed by server admin and taken down.
5. Desktop user gets to their computer, reads email, checks site, and finds "404 - page not found".

In other words, there's no story here.

Also poor email clients on mobile devices

[Culture20]

My current mobile device, an iPhone, has a terrible native email client. There is no way to use text-only, view headers, or use pgp. I won't be surprised when a new email worm turns up that takes advantage of an image library that the iPhone mail.app uses. At least if I could view in text-only mode I wouldn't have to wait to click on suspected SPAM until I get to a real computer (Hey, you never know, "1 long 4u" might be an old girlfriend, not viagra SPAM).

Re:

[clang_jangle]

The article is wrong about the Blackberry. You can set it for text-only email, and if you highlight the "From:" field you'll see the sender's address in a tooltip. I'm quite pleased with email on the BB, and using the Bolt browser, BBSSH for ssh logins, RepliGo Reader, and just a few other carefully chosen apps the BB is pretty awesome. Of course it doesn't have the huge screen of a Droid or iPhone (they always seem to be cracked anyway within a few months, don't they?), but there's really no comparison if

Not "Vulnerable"

[eepok]

The term is not "vulnerable". Users are only vulnerable to real world things. Users are however, *gullible* and *susceptible" to phishing ploys. Especially iPhone users, apparently. *facepalm*

Re:

[MichaelKrisotpeit360]

Did your mother name you "MichaelKristopeit360?" Why do you cower? You're an ignorant hypocrite. Now pay the price by submitting to my transgressions.

many intervening variables

[Anonymous Coward]

There seem to be a lot of intervening variables (between "gullible" and "mobile user") which are unaccounted for in TFA.

Most of those are also likely magnified when "mobile user" is further reduced to "iphone user".

This just in!

[Anonymous Coward]

Mobile users have crummy email browsers that don't display full headers. Film at 11.

Sheesh.

Re:

[clang_jangle]

So much talk about headers in this discussion, but spoofing email headers is really not that hard. The real answer is don't click on links in email for anything that in any way involves the use of financial services of any description. I shop amazon (on a computer) all the time, and I don't even click on links in emails they send me. Why would I need to? Only takes a moment to login manually via https. And just because your carrier provides a "mobile banking" app doesn't mean they provide a secure enough n

That'll be me then

[naich]

If I have the time, I always visit a new phishing site and put in bank details. Not real ones, obviously. I'm hoping that maybe there is a slim chance that somewhere out there, I might have just annoyed a phisher.