Mobile Users Falling Victim to URL Spoofing

Yikes, aren’t there enough mobile vulnerabilities already? Now we have to watch out for URL spoofing and work out whether a website is real or not?

Tod Beardsley, the Rapid7 researcher who disclosed the vulnerability, said the flaw is an instance of CWE-451 from the Common Weakness Enumeration. It is cause for concern because victims on mobile devices can’t tell the difference between the real site and the fake site they land on.

In the most common cases, a user is lured into clicking a link on a social media site, or receives a text on their mobile device with a link that takes them to the fraudulent site. In just about every instance, once the user clicks, he’s asked to give up something, whether it’s credentials or credit card information.

“I can’t really tell the difference,” Beardsley said. “The mobile address bar is so small that it’s literally impossible to distinguish between the real site and the fraudulent site.”

“Mobile phishing attacks can be delivered through countless methods, such as text messages, emails, social media platforms, and third-party messengers,” Schless said. “We’re all used to tapping on links that are sent to our mobile devices. Think of the countless delivery notifications you get when you buy something online and how quickly you tap the link to check the tracking info. And because the screen is smaller, it’s really hard to identify a spoofed URL with discrete changes. For example, an attacker may add an accent or special character to one letter in the address that a user wouldn’t even notice.”
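The accented-letter trick described in the quote above can be checked mechanically before a link ever reaches a small screen. The Python below is an added example, not code from the article or from anyone quoted in it; the `TRUSTED` allowlist, the function names and the sample URLs are constructed placeholders.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: placeholder allowlist; replace with the domains you actually protect.
TRUSTED = {"example.com"}

def host_of(url):
    """Hostname in Unicode form, with xn-- (punycode) labels decoded."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep a label that does not decode
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Drop accents: NFKD-decompose, remove combining marks, casefold."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url, trusted=TRUSTED):
    host = host_of(url)
    if host.isascii() and under(host, trusted):
        return "trusted"
    if under(skeleton(host), trusted):
        return "lookalike"      # accented copy of a trusted name
    if not host.isascii():
        return "non-ascii"      # other scripts, e.g. Cyrillic homoglyphs: review
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for url in ["https://www.example.com/track?id=1",
                "https://ex\u00e1mple.com/login",
                "https://\u0435xample.com/",
                "https://other.org/"]:
        print(f"{classify(url):10} {host_of(url)}")
```

Stripping accents only catches the case the quote names; letters borrowed from another script do not decompose to ASCII, which is why any remaining non-ASCII hostname is flagged separately for review.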

It is quite a scary place out there, and if you’re quite active with your phone, make sure to always be vigilant and never let your guard down. Shady links are around any corner.
