Phishing on Mobile Devices
Adrienne Porter Felt & David Wagner
University of California, Berkeley
Transcript of the slides, hosted at ieee-security.org
W2SP 2011 - Phishing on Mobile Devices

Phishing
Ingredients for phishing
1. Users conditioned to enter passwords
2. A convincing spoof of the user interface

Phishing Risk
1. When are users conditioned to enter their passwords or payment information?
2. Can those scenarios be convincingly spoofed?

Threat Model
• Sender ⇒ Target
• Direct attack: false control transfer
• Man-in-the-middle attack: subverted control transfer

Mobile Phishing
• Phones lack trustworthy security indicators
• Interaction between web & mobile apps
• Mobile login screens are simple

Our Approach
1. Survey how applications condition users
   • 50 most popular Android & iOS apps
   • 85 popular web sites on Android, iOS
2. Evaluate avenues for spoofing
   • Direct
   • Man-in-the-middle

Control Transfers
• Mobile sender ⇒ Mobile target
• Mobile sender ⇒ Web target
• Web sender ⇒ Mobile target
• Web sender ⇒ Web target

Mobile ⇒ Mobile
• Social sharing
• Upgrades via store
• Music purchases
• Game credits (iOS)

Mobile ⇒ Mobile
Share of surveyed apps with a mobile-app target:

Target               Android   iOS
Mobile app              56%    72%
Password-protected      36%    60%
Payment                 10%    34%

M ⇒ M: Direct Attack
[Screenshots: Attack App, Spoof Page, Real Page]

M ⇒ M: MITM Attack
• Scheme squatting
   • Register for another app’s URI scheme
   • Weak: detectable by user, reviewers
• Task interception
   • Poll task list, pop up when target opens
   • Unnoticeable by users

Control Transfers
• Mobile sender ⇒ Mobile target
• Mobile sender ⇒ Web target
• Web sender ⇒ Mobile target
• Web sender ⇒ Web target

Mobile ⇒ Web
• Mechanisms
   • Links to the browser
   • Embedded web content
• Reasons
   • Social sharing
   • Not much payment

Mobile ⇒ Web
Share of surveyed apps with a web target, split by how the web content is reached:

Browser target
Target               Android   iOS
Web site                30%    18%
Password-protected       3%     4%
Payment                  2%     -

Embedded target
Target               Android   iOS
Web site                16%    42%
Password-protected       8%    38%
Payment                  2%     -

M ⇒ W: Direct Attack
• Link to web browser
   • Send the user to a fake browser
   • Open in real browser, hide/fake URL bar
• Embedded content
   • Eavesdrop on credentials given to embedded content

M ⇒ W: Direct Attack
[Screenshots: Spoof Browser, Real Browser]

M ⇒ W: MITM Attack
• Attack: alter target of form on HTTP page
• Defense: forms only on HTTPS pages
• Attack: alter links to HTTPS pages

Control Transfers
• Mobile sender ⇒ Mobile target
• Mobile sender ⇒ Web target
• Web sender ⇒ Mobile target
• Web sender ⇒ Web target

Web ⇒ Mobile
• Mechanisms
   • tel://18005555555
   • market://details?id=123
• Reasons
   • mailto, Twitter
   • Install the app version

Web ⇒ Mobile
Share of surveyed web sites with a mobile-app target:

Core mobile apps
Target                     Android   iOS
Core mobile application       38%    47%
Password-protected            22%    41%
Payment                        6%    25%

Any mobile apps
Target                     Android   iOS
Any mobile application        49%    48%
Password-protected            38%    42%
Payment                        6%    25%

W ⇒ M: Direct Attack
• Hide the browser chrome and mimic app
• In Android, only detectable if user hits the “Menu” button
• Not possible in iOS unless user has “installed” the page

W ⇒ M: Direct Attack
[Screenshots: Spoof App (In Browser), Real App]

W ⇒ M: MITM Attack
• Scheme squatting
• Task interception

Control Transfers
• Mobile sender ⇒ Mobile target
• Mobile sender ⇒ Web target
• Web sender ⇒ Mobile target
• Web sender ⇒ Web target

Web ⇒ Web: Direct
• Spoof or hide the URL bar [Niu et al.]
• Eased how it scrolls
• Reduced URL loading/rendering time

Web ⇒ Web: MITM
• Subvert all HTTP pages so that links to HTTPS are never trustworthy
• User won’t be warned by the URL bar

Prevention
• Permanent application identity indicator
   • Embedded web content still a problem
• Trusted password entry mechanism
   • Usability?
   • Adoption?