The rapid evolution of mobile devices and communication technology has increased the number of mobile device users dramatically. The mobile device has replaced many other devices and is used to perform many tasks, ranging from placing a phone call to critical and sensitive tasks such as payments. Since a mobile device accompanies its owner most of the time, it is highly probable that it holds personal and sensitive data about that person. The increased use of mobile devices in daily life has made mobile systems an excellent target for attacks. One of the most important attacks is the phishing attack, in which an attacker tries to obtain the victim's credentials and impersonate him. In this paper, an analysis of the different types of phishing attacks on mobile devices is provided. Mitigation techniques (anti-phishing techniques) are also analyzed. An assessment of each technique and a summary of its advantages and disadvantages is provided. At the end, important steps to guard against phishing attacks are provided. The aim of the work is to shed light on phishing attacks on mobile systems, and to make people aware of these attacks and how to avoid them.
During the last 10 years, mobile device technologies have grown rapidly due to the daily increase in the number of users and services. According to [1], the number of mobile users reached 4.92 billion globally in 2017. Current mobile devices can be used for many private and financial applications, such as Facebook and mobile banking. Android and iOS are the two dominant operating systems, with a combined 99.6% market share distributed as 81.7% for Android and 17.9% for iOS [2].
According to Symantec, phishing is defined as “an attempt to illegally gather personal and financial information by sending a message that appears to be from a well-known and trusted company”. The phishing message contains a fake link to a crafted webpage that resembles the legitimate page; the user is asked to provide his credentials to log into the page, which causes those credentials to be transferred to the phisher. To remain hidden and unnoticed, the fake webpage then redirects the user to the legitimate page.
According to [3], at least 255,065 unique phishing attacks occurred worldwide, an increase of over 10% from the attacks identified during 2015. The distribution of these attacks across industries is shown in Figure 1.
Due to the sensitivity of the data stored on mobile devices, these devices have become an excellent target for phishers. The aim of the attacks is to gain access to credentials that allow the phisher to use the services a user is registered for. These services include dialing, SMS, payments, sensitive data leakage and connectivity. A phisher might impersonate the mobile user and use his mobile device to perform these tasks without the user's authorization.
According to [4], more than 4000 ransomware attacks occurred daily during 2016. PhishMe Inc. reported that ransomware and phishing attacks work together and that 97.2% of phishing emails in 2016 contained a form of ransomware [5] (see Figure 2).
Before discussing mobile phishing attacks, we first introduce the attractive properties of mobile devices that make malware creators target them, then we discuss the types of phishing attacks. Finally, we discuss the distribution methods used in mobile applications, with some statistics.
Mobile devices facilitate phishing attacks due to their following properties:
The rapid increase in the number of mobile users worldwide, as described in [1]. This user shift to mobile devices has attracted phishers to shift their techniques to mobile devices as well.
The limited screen size makes it difficult for mobile users to distinguish a legitimate webpage from a phishing one. Besides, the small screen also forces browsers to hide the complete URL of the requested page, which helps the phisher deceive the mobile user.
Due to the mobile nature of usage, users tend to respond to interactions with less concentration, which might lead to approving a phishing process.
Because the mobile device is mostly near its user, users tend to trust these devices. This trust in turn increases the possibility of being hacked and phished.
Unfortunately, malware creators and phishers are aware of these attractive
The aim of phishing is to acquire credentials that might be used to impersonate the person who owns them. The basic idea of a successful phishing attack is to deceive the user into providing his credentials. In mobile technology, there are different ways phishers launch their phishing attacks and deceive victims; these methods are listed below:
As the name implies, financial fraud aims to gather the financial credentials of a victim; these credentials might then be used to impersonate the person and perform financial transactions on his behalf. The MicroSave report [7] provides details about mobile financial fraud. The report states that mobile financial fraud is becoming increasingly important with the extended use of financial mobile applications to perform electronic financial transactions. CGAP [8] has conducted research on financial fraud in different countries. The key finding was that it is not possible to completely defend against this fraud. However, providers following some steps, together with the hints we will provide, might help mitigate this fraud.
One example of financial fraud might be a false update notice for an internet banking account. The user follows the link in the message, which looks legitimate, and is directed to a page similar to the login page of his bank. To counter such a scenario, service providers like banks usually apply two-factor authentication techniques, typically sending a PIN code as an SMS to the user's mobile. If the entered PIN is not identical to the one sent, then login is prohibited.
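One way to implement the SMS PIN check just described, written here as an added example (not code from the paper); the SMS gateway callback, the two-minute PIN lifetime and the three-attempt budget are assumptions:

```python
import hmac
import secrets
import time

# Constructed example of the second-factor flow described above: the
# server issues a short-lived one-time PIN, delivers it out of band
# (via an assumed SMS gateway callback) and only accepts the login when
# the submitted PIN matches. A phished password alone is not enough.

PIN_TTL_SECONDS = 120     # assumed lifetime of a PIN
MAX_ATTEMPTS = 3          # assumed attempt budget before the PIN is burned


class SmsPinVerifier:
    """Per-user second factor: issue, deliver and check a one-time PIN."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical gateway: send_sms(phone, text)
        self._now = now             # injectable clock so tests can fast-forward
        self._pending = {}          # user_id -> [pin, expiry, attempts_left]

    def issue(self, user_id, phone):
        # secrets gives an unpredictable PIN; a plain RNG would be guessable.
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = [pin, self._now() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {pin}")

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing issued: login prohibited
        pin, expiry, attempts_left = entry
        if self._now() > expiry or attempts_left <= 0:
            del self._pending[user_id]        # expired or exhausted: burn it
            return False
        # Constant-time comparison so response timing leaks no digit matches.
        if hmac.compare_digest(pin, str(submitted)):
            del self._pending[user_id]        # single use: replay is rejected
            return True
        entry[2] -= 1                         # wrong PIN: spend one attempt
        return False
```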
In this method of attack, phishers use the services users are registered for to collect their credentials and hence impersonate legitimate users and use the services instead. Different services are available over the internet, including Drop Box, Google Driv