Mobile phones are great for phishers, researchers find

Facebook and Twitter passwords could be at risk

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.

Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim's user name and password on websites such as Facebook or Twitter.

Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.

The problem is that mobile users are being trained to enter their passwords and user names into mobile apps.

The first time one mobile program wants access to another -- for example, if Groupon for iPhone wants to share something on Twitter -- the program typically pops up a window that invites the user to sign into that website. But there's usually no way to be sure that the login site is legitimate and that the phone's owner is really sending his user name and password to Twitter.

PC browsers have Web address bars, green warning lights and other features to help Internet users know if they're being tricked by phishers, but that's not the case in the mobile world. Phones are so small there often just isn't space for these protections.

In tests, researchers have shown that it's almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones.

The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing.

David Wagner, a Berkeley computer science professor, believes that until there are better ways for mobile applications to talk with each other, this could be a very hard problem to solve. "The reason we wrote this paper was because we saw the potential risk and we did not have a good solution," he said.

In their paper, Wagner and co-author Adrienne Felt conclude, "mobile users' passwords for several major sites (notably including Facebook and Twitter) might be at risk."

One person who's working on a fix is Markus Jakobsson, principal scientist of consumer security at PayPal. He's developing software that would work with smartphone operating systems, called Spoof Killer. It would keep track of which applications and websites are legitimately supposed to ask for login credentials and simply block the fake ones from working.

Jakobsson thinks there could be a surge of spoofing in the next year or so as the mobile phone becomes the most popular way to surf the Web. "It just makes sense to me, to attack the predominant platform," he said.

Right now, there are not a lot of phishing attacks that specifically go after mobile users, according to Dave Jevans, chairman of the Anti-Phishing Working Group. But he agreed that phishing e-mails are more effective when they end up in mobile-phone mailboxes. "The antiphishing technologies on the mobile phone are inferior compared to what is available on the Windows platform," he said.

However, when it comes to mobile devices, Jevans said he's more worried about malicious apps than about phishing e-mail messages.

Phone makers have security checks to prevent malicious programs from getting included in their app stores. But a criminal could distribute a program that seemed legitimate at first and then flip a switch on a server somewhere and suddenly turn it into a password-stealing phishing program, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout. "It's this whole new world of mobile malware that gets around the security controls," he said.

Luckily, the malicious programs that Mahaffey has seen so far haven't been like this. They've been obvious, engaging in bad behavior from the start. "Right now, the bad guys haven't figured out that you can make something good and then turn it bad after a period of time," he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags BerkeleyInternet-based applications and servicestelecommunicationsecurityPhonesUniversity of CaliforniaPhone applicationsmobileinternetMobile handsetsconsumer electronics

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?