Mobile & Gadgets

Mobile Phishing: Do you know where that Link leads to?



Computer users have been struggling with phishing attacks for quite a while now. In fact, phishing has become so popular during the past 5 years that it called for some serious measures to keep the users safe. If the most popular desktop browsers and security suites have pretty effective phishing filters, not the same thing applies to smartphones, a category of devices that is constantly gaining popularity with the average mobile “e-banker”.

The phishing scheme I will discuss in today’s material is no average threat as it takes by assault our little and easy to use smartphone. By no means should safety be taken for granted just because you’re using a different machine that a PC, which you already know it might be vulnerable to attacks.

In this particular situation, the cyber-crook(s) behind the phishing campaign is trying to fool smartphone users into thinking they have reached the mobile version of the Scotiabank® login page. These innovative cyber criminals took their malicious work extremely serious, as – at first glance – the copy strikingly resembles the original.

Scotiabank spoofed webpage on a desktop browser

Fig 1. Scotiabank spoofed webpage on a desktop browser

However, at a second and more in depth glance, one can see a crucial difference that is the dubious domain name, which alone should hint to something “phishy”.  But there is one more peculiarity: the spoofed page also asking for a Security Code (three digit number printed on the back of your ScotiaCard).

Once the user fills in the fake form with the card number and the corresponding password, there’s no coming back. The ill-intended person has at that point access to the tricked user’s bank account that translates into money.

When it comes to phishing, attention is key. A lot of cyber crooks base their wrong doing on us being busy, thus always in a hurry, absent-minded, distracted or too gullible. Adding to that the small display of our smartphone (that hinders the user from seeing the entire if at all the URL of the requested webpage) and the lack of an AV solution or browser check (as most mobile browsers aren’t equipped with antiphishing technologies), we already have a deadly cocktail.

One page, different views - ScotiaBank Scam

Fig 2. One page, different views

Before visiting any links using your mobile browser, ensure that you actually know where it leads you to. If it is partially obscured or it looks suspicious, stop right there! Even links that look apparently legit may take you on a wrong way; many times, mobile phishers use a free web hosting company and host the phishing page in a folder named after the mobile website of the bank. You should also constantly remember that e-banking is a serious business, especially when performed on a mobile device and it would be wiser (and safer) to manually type the URL into the mobile browser than accessing it from a bookmark or (worse) from an e-mail message coming from an unknown sender.

Keep you OS and AV for mobile always updated because cyber-crooks don’t sleep and use any means possible to make their “business” thrive. Using e-banking, paying bills and managing money on the smartphone may save you a lot of precious time, but it can take you to bankruptcy as well.

Information in this article is available courtesy of Alin Damian, BitDefender Antiphishing Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.