Your Android device may put you at significantly more risk
of a phishing attack than your computer does. Yesterday I blogged about a
phishing attack that appeared as a comment in my nephew's Facebook status
update. There was an interesting difference between clicking on the link in the
comment on my Android phone and clicking on the link on my computer.
I have disabled apps on Facebook. I do this because apps are
one of the ways in which I believe Facebook has historically shared my
information without my prior knowledge or approval. I also don’t believe apps
on Facebook are well enough vetted to warrant trust in many cases, but mostly I
disable apps because if you don’t disable apps then creepy advertisers stalk
you mercilessly.
The phishing attack I reported in the blog started at
apps.facebook.com/xxxxxx. On my computer, when I clicked the link, Facebook
recognized that I don't use apps and would not take me to the page unless I
enabled apps, which I did not do.
Now compare the PC experience to the Android experience. I
clicked on the link in the Android Facebook app and Facebook took me to their apps
page, which in turn took me to a Google page, which in turn took me to the Russian
page that was hosting the phishing attack. Naturally this all occurred so
quickly that it simply looked like I went from clicking on a comment to a Facebook
login page.
There is another even more significant difference. On my
computer when I went to access the phishing page my browser warned me that it
was an attack page. On my Android phone there were no warnings. I did some
testing with samples from www.phishtank.com
and it appears that the stock Android browser has no anti-phishing technology
built in at all.
The tiny web pages that are often displayed differently on a
small portable computing device, such as a cell phone, already take away some
potential visual clues, but the lack of anti-phishing technology on the
platform puts users of Android (and possibly Windows, Apple, and Nokia) devices
at a higher degree of risk, unless... you come back for my next blog
about the two simple rules of avoiding phishing attacks. The two rules even
help Windows, Linux, and Mac users. Yes, Mac users are at as much risk of
phishing attacks as Windows users are, even if Apple pretends that Macs are
invincible. Phishing for login credentials isn't an operating-system-dependent
attack; it's a user attack.
Randy Abrams
Independent Security Analyst