That push notification on your phone might be a phishing attempt
14 Jun 2019
Scammers are trying to dupe smartphone owners into turning over their personal information by clicking on push notifications that look like legitimate messages from well-known companies. The messages actually direct recipients to phishing pages, where they’ll be asked to enter their credentials. The mobile security company Lookout has detected this new scam technique in recent months.
Researchers are still examining the phishing technique, says David Richardson, senior director of product management at Lookout, but he says it’s clear hackers are taking advantage of people’s willingness to trust their mobile devices. Lookout detected one phishing campaign in which attackers created what appeared to be a Chrome notification alerting recipients to a missed call. They also pointed to an example of how hackers could illicitly use logos from trustworthy companies like Slack to make a push notification look legitimate.
“We saw on mobile devices some clever ways of getting a
better user experience” for the bogus messages, Richardson said. “If you click
yes to push notifications, the attackers can spoof the notification of known
apps, like Yelp or something.”
Fifty-six percent of Lookout users received and clicked on a
phishing URL from a mobile device, according to Lookout research from 2018.
Mobile users can’t hover over a URL and typically can’t read the full website
address, as they can on a personal computer, meaning attackers can more easily
replace a legitimate website with a malicious destination. Social media apps
like Facebook also make it difficult to understand which site users are
destined for, so a realistic request for a person’s credentials is more likely
to be effective.
“We’ve seen campaigns that detect the width of a screen, and
if it’s more than 1,000 pixels, they will direct you to the real landing page
instead of their phishing page,” Richardson said. “If you’re on mobile, they’ll
take you to a phishing page.”
Mobile scammers are only likely to continue to experiment
with phishing techniques as smartphone usage numbers explode in the coming
years. Some 3.7 billion people will access the web almost entirely via mobile
devices by 2025, according to a January projection published
by the World Advertising Research Center, a market research firm. Roughly
$101 billion was spent on mobile apps in 2018 alone, according to App
Annie, another market research firm.