This mobile phishing scam targeted bank app users; thousands clicked through

Researchers at Lookout detail an SMS phishing campaign which has tricked smartphone users into clicking on links to phoney websites.
Written by Danny Palmer, Senior Writer

Mobile banking app users have been targeted by phishing scam messages which aim to trick them into giving up their login details.

Almost 4,000 smartphone users have been fooled into clicking through to the links that are part of a mobile phishing campaign, with most in the US and Canada.

Uncovered by researchers at mobile cybersecurity company Lookout, the campaign is based around an SMS message which attempts to lure the victim into visiting fake websites purporting to be those of major US and Canadian banks.

The group behind this phishing attack left part of its infrastructure exposed, which is how Lookout was able to identify the nearly 4,000 unique IP addresses that visited the phishing websites. The company said there was no way of knowing if any had suffered financial losses.

The phishing messages claim that the bank's security system has detected unusual activity on the user's account and urge them to follow a URL to check, but it's a trick to lure them into giving up their details.

The criminals behind the attacks don't know which bank their potential victim is a customer of, but by spamming out enough messages with the names of different banks to enough users, some of the attacks will match the right bank with the right customer – and some of those will follow the malicious link to one of over 200 phoney websites.


Those malicious links lead to fake versions of banking websites, but ones which are designed to look like the mobile version of their authentic equivalent, featuring the correct fonts, layouts and sizing, as well as authentic links to related pages users would expect on a banking website – including notices about security and privacy.

Not only will the phishing page take the victim's username and password, but it'll also ask a series of additional 'security' questions, asking them to confirm their identity by entering a card's expiration date or double-checking the account number.

For the cyber criminals, this is to ensure they have all the information required to steal the victim's account details – either to make fraudulent transactions with the victim's money themselves, or potentially to sell the information on to others on underground forums.

It's unknown where exactly this phishing campaign originated from, but researchers note that despite the success, the attacks are far from sophisticated.

"This particular campaign shows us how easy it is for a less computer-savvy person to get into the phishing business by buying an "off-the-shelf" phishing kit. The attacker can then target potential victims en masse via SMS messages and track the kit's success with the simple user interface," Apurva Kumar, staff security intelligence engineer at Lookout told ZDNet.

Lookout has notified all of the banks targeted by the campaign and as of today, the phishing sites are all down.

However, while this phishing campaign isn't active for now, others will emerge in an effort to steal bank details and personal information – but by using some simple security knowledge, users can avoid falling victim to attacks.

"When it comes to phishing, conventional wisdom is user awareness. Be wary of links on a mobile device that have been sent to you, whether by email or text message. Instead, develop the habit of proceeding to a login screen using a bookmarked link or the official website of a service they want to use," said Kumar.

