Why phishers must looove smartphones

Tanguy

Phishing is a fraud technique that consists of reproducing the content of a targeted website, directing users to the copy, and recording their credentials when they log into your website. It is like fishing fish with fake food, only you phish humans with fake websites.

Well, I have good news for the phishers: more and more people are using smartphones, and mobile browsers are making your job really easy. In fact, many regular smartphone users simply have no way to tell your fake website apart from the real one.

For instance, this is what my bank website looks like in my desktop browser, and what a corresponding phishing website would look like:

See the difference? It is not that obvious, but it is easy to detect when you are trained: the page address is not the same. With the fake website, it refers to the phisher's server instead of the bank's.

Now, what does it look like on Firefox Mobile? Well, here is the answer: the same, absolutely the same:

The page address is hidden for space reasons, and only shown when touching the page title bar. Want to browse the Web safely? After each link you follow, click on the page title bar. Good luck if you are using such a mobile Web browser. Fortunately, I am not.
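The address comparison described above, written out as an added example (not part of the original post): it judges a page only by the scheme and host of its URL, because the title and content are whatever the phisher chooses. `bank.example`, the page titles and the sample URLs are constructed placeholders; `evilpirate.net` is the fictitious domain used in the comments below.

```javascript
// Added example: trust decision based on the address, never on the title.
// EXPECTED_HOST and every sample below are constructed placeholders.
const EXPECTED_HOST = "bank.example";

function isExpectedSite(pageUrl, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // unparsable address: do not trust it
  }
  // Without TLS the address itself proves nothing about the server.
  if (url.protocol !== "https:") return false;
  // hostname excludes userinfo and port, so "bank.example@evilpirate.net"
  // resolves to "evilpirate.net" here.
  const host = url.hostname.replace(/\.$/, "").toLowerCase();
  // Accept the exact host or a true subdomain of it, nothing that merely
  // contains the expected name somewhere in the string.
  return host === expectedHost || host.endsWith("." + expectedHost);
}

// Every page carries the same title, which is all a title-only bar shows.
const samplePages = [
  { title: "My Bank - Log in", url: "https://www.bank.example/login" },
  { title: "My Bank - Log in", url: "https://www.evilpirate.net/bank/login" },
  { title: "My Bank - Log in", url: "https://www.bank.example.evilpirate.net/login" },
  { title: "My Bank - Log in", url: "https://www.bank.example@evilpirate.net/login" },
  { title: "My Bank - Log in", url: "http://www.bank.example/login" },
];

// Returns the URLs that must not be given credentials.
function flagUntrusted(pages) {
  return pages.filter((p) => !isExpectedSite(p.url)).map((p) => p.url);
}

console.log(flagUntrusted(samplePages));
```
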


monday 15 october 2012 at 20:14 Tanguy said : #1

You may object that one should never follow the instructions from emails that appear to be from the bank. This is generally true, but it does not void this flaw, which can apply to other processes, such as a « login with Facebook » on a website, which could redirect to a fake Facebook login page on the same website.

monday 15 october 2012 at 21:56 Guillaume said : #2

Maybe this bank should have an SSL certificate with extended validation. This way the logo would be green like this one.

monday 15 october 2012 at 22:34 glandium said : #3

That's a very old Firefox mobile you have here.

monday 15 october 2012 at 22:36 Tanguy said : #4

@Guillaume : Probably, although I am really not a fan of the EV system, aka “we the certification authority really did shit in the past, so buy these expensive first class certificates which guarantee we do not do the same shit with you”. However, that would not really solve the problem until all the certificates of good people in the world become EV and the regular ones can stop being supported. Also, with the opacity of the X.509 system, I do not know what would guarantee that a phisher would not get one. And finally, the possibility of cracking an EV site to host a phishing site can never be ruled out.

monday 15 october 2012 at 22:46 Tanguy said : #5

@glandium : No, this is the last available build for GNU/Linux i386, available at http://www.mozilla.org/fr/mobile/ . Version Fennec 4.0.1 as it appears to be.

tuesday 16 october 2012 at 08:48 glandium said : #6

@Tanguy: that's very outdated and shouldn't be there at all. There are no desktop builds of Firefox mobile anymore.

tuesday 16 october 2012 at 11:14 Andre Klärner said : #7

Well, I tried the Android Browser, and it seems like it will always show the URL for https:// sites. Also Chrome on Android always shows the address bar. So hopefully most Android users are safe by default.

tuesday 16 october 2012 at 11:36 Gabriel said : #8

Not worried about the fact that this site uses a 4-digit password to access your accounts?

tuesday 16 october 2012 at 11:58 Chris Cunningham said : #9

The first thing I get when accessing that URL on mobile Firefox is a full-page, extremely scary warning about an insecure connection to evilpirate.net.

I'm going to assume that the hidden moral of this story is that supposedly technically competent people running their own Linux distros on their mobile devices should not assume that random binaries they download off random FTP sites indicate the latest supported secure version of whatever they purport to be.

- Chris

tuesday 16 october 2012 at 12:00 Tanguy said : #10

@glandium : Too bad there is no longer a way to test it without having to buy an appropriate mobile phone then. I would not have been able to take those screenshots without that obsolete but presented as up-to-date GNU/Linux version. It should be removed indeed, because it is really misleading.

@Gabriel : Actually I am. I have several types of passwords, ranging from very secure to not really secure for systems that do not accept special characters, and one very unsecure password for lame systems that only accept a handful of digits, or to name them: banks. Fortunately they use a counter that burns the login after three unsuccessful login trials, which limits the brute force attack vulnerability.

tuesday 16 october 2012 at 12:07 Tanguy said : #11

@Guillaume, @Gabriel, this attack is not limited to banks, for instance replace the bank website by a blog, with a « login with facebook » button for comments, redirecting to something that looks like a Facebook login page.

@Chris Cunningham : Well, this page does not exist, so this is only a fictitious example. Simply consider that the evil pirate can very well secure its phishing website with a perfectly valid certificate for his domain name “evilpirate.net”. Now, I am not sure of what you mean by “random binaries they download off random FTP sites”, perhaps you should be more specific.

sunday 16 december 2012 at 05:35 farvardin said : #12

Firefox mobile is not bad, but replacing the URL with the title tag is probably the stupidest decision in the whole history of Mozilla.

