Quantcast

New type of phishing could hit mobile phone users

http://www.scmagazine.com/uk/news/article/525582/new-type-phishing-hit-mobile-phone-users/

René Millman 1 Nov 2005 13:13

Experts have warned of a new type of phishing that could siphon bank details from mobile phone users.

Mophophishing is where hackers send out fake banking applications to unsuspecting mobile phone users. The users then type their account details into the application thinking they were accessing their accounts when they were actually sending their personal details back to the hacker.

Ken Munro, managing director of penetration testing firm SecureTest, said that mophophishing "was very difficult to detect".

Munro said spotting a phishing email was relatively straightforward, as the user need only examine the source code of an HTML email and inspect the domain name and path of any link to verify its authenticity. But with a mobile application, this information is concealed deep within the application code itself.

"Unless the user decompiles this they have no way of knowing whether they are being directed to a genuine website or not," warned Munro.

He said another way that hackers could gain information is through the use of rogue servers. A rogue server would monitor and cache data passing between a phone and an online banking website, acting much like a phone tap. Any valuable data can then be identified and used by the phisher to access the bank account. As far as the victim is concerned, the application works as intended and would remain unaware of any problem with the transaction.

Munro said developers had to act now to make mobile applications more secure and allow easier detection of mophophishing attacks.

"Unless banks and mobile application developers put in place significant security measures, mophophishing could damage user acceptance of mobile applications in the same way that online banking has suffered from phishing attacks and spoof websites," said Munro.