There are by some estimates more smartphones on this planet than humans to use them. People who have never used a desktop computer use smartphones and other mobile devices every day and have much of their lives tied to them – perhaps more than they should.
As a result, cyber-grifters have shifted their focus from sending emails to gullible personal computer users (pretending to be Nigerian princes in need of banking assistance) and have turned their attention to the easier target of mobile phone users. Criminals use smartphone apps and text messages to lure vulnerable people into traps – some with purely financial consequences, and some that put the victims in actual physical danger.
I recently outlined some ways to apply a bit of armor to our digital lives, but recent trends in online scams have underscored how easily smartphones and their apps can be turned against their users. It’s worth reviewing these worst-case scenarios to help others recognize and avoid them – and we’re not just talking about helping older users with this. This affects everyone.
I have been personally contacted by a number of people who have been victims of mobile-focused scams and by people who have found themselves exposed and targeted via unexpected vulnerabilities created by interactions with mobile apps. For some, these experiences have shattered their sense of privacy and security, and for others, these scams have cost them thousands (or tens of thousands) of dollars. In light of this, it is worth arming yourself and your family with information and a whole lot of skepticism.
Targeted SMS phishing
In the last two years, there has been a huge increase in SMS phishing scams targeting personal data – especially site credentials and credit card data. Sometimes called “smishing”, SMS phishing messages usually contain a call to action that motivates the recipient to click on a link – a link that often leads to a web page designed to steal usernames and passwords (or do something worse). These spam text messages are nothing new, but they are becoming more and more targeted.
In 2020, the FTC reported that U.S. consumers lost $86 million as a result of fraudulent texts, and the FCC went so far as to issue a COVID-19 fraud warning. Of course you are smart and you would never give up your personal data in response to a terse text message. But what if the text mentioned your name along with enough correct information to make you the least bit worried? Like a text message allegedly from your bank, stating your name and asking you to sign in to confirm or deny a $500 debit to your Walmart credit card?
That’s the kind of message I received recently. If I had not read the message carefully, or noticed that it had come from a forged telephone number not connected to my bank, or remembered that I had never consented to communicating with my bank via text messages, I could have clicked.
Instead, I went into my bank’s mobile app and found a message on the login page stating that customers were experiencing fraud attempts via text messages. I copied the link to my computer and pulled the page down with wget. The link pointed to a Google App Engine page containing an IFRAME element whose source was a Russian website – one that attempted to mimic the bank’s login page.
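The check that the wget step above makes possible, written up here as an added example (this is not the author’s code): parse the saved copy of a suspect page and list every iframe, frame or script whose source is served from a domain other than the brand the page claims to be. The HTML, the hostnames (reserved .example names) and the `foreign_embeds` helper are all constructed for this example, not taken from the page the author fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, standing in for the App Engine page described in the
# article. Hostnames use the reserved .example TLD and are not real sites.
SAMPLE_PAGE = """
<html><head><title>Secure Sign In</title></head>
<body>
  <img src="https://static.mybank.example/logo.png" alt="logo">
  <iframe src="https://verify-login.phish-host.example/bank/login"
          width="100%" height="900" frameborder="0"></iframe>
  <script src="/js/app.js"></script>
  <a href="/help">Help</a>
</body></html>
"""


class EmbedCollector(HTMLParser):
    """Collect the src of every iframe, frame and external script on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # boolean attributes map to None
        if tag in ("iframe", "frame", "script") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))


def registrable_domain(host):
    """Last two labels of a hostname. A deliberately naive approximation that is
    fine for triage but wrong for public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def foreign_embeds(html_text, expected_domain):
    """Return (tag, src, host) for every embedded resource served from a domain
    other than expected_domain. Relative URLs (no host) are same-origin and skipped."""
    collector = EmbedCollector()
    collector.feed(html_text)
    expected = registrable_domain(expected_domain)
    hits = []
    for tag, src in collector.sources:
        host = urlparse(src).hostname
        if host and registrable_domain(host) != expected:
            hits.append((tag, src, host))
    return hits


if __name__ == "__main__":
    # Point this at the file wget saved instead of SAMPLE_PAGE for a real triage.
    for tag, src, host in foreign_embeds(SAMPLE_PAGE, "mybank.example"):
        print(f"{tag} loads content from {host}: {src}")
```

A login form that arrives inside a frame from a third domain is exactly the pattern described above, and the same check catches externally hosted scripts that would capture keystrokes on an otherwise benign-looking page.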
SMS scams like these are made easier by the many public data exposures and by marketers’ aggregation of personal information. This type of data is all too often collected in databases that are then leaked or hacked. Scammers can target a large number of customers of a specific brand simply by connecting their relationship with a company to their phone numbers. I do not have good scientific data on the prevalence of targeted “smishing”, but a random sample of family and friends indicates that it is not just a temporary problem: in some cases it makes up half of the daily text messages they receive.
Most of it resembles pop-up web ads. Some of the targeted text messages I’ve seen pretend to be from familiar services – Netflix, for example:
Netflix: [Name], please update your membership with us to continue watching. [very sketchy URL]
The sketchy link led to a site claiming that my last payment had been declined and I had 48 hours to reactivate my account.
Clicking on that link takes you through a series of forwarding pages run by a “tracker” site that is configured to filter out suspicious clicks (such as those from PC browsers) and send only mobile browsers on to the intended destination – in this case, a Netflix look-alike service that tries to get you to “sign up” as a member. Your IP address is one of the arguments passed to the final URL, to keep unwanted sorts of “customers” out.
This is an easy scam to spot, to be sure. But the same tracking sites are used by a large number of scams, including SMS and mobile browser pop-up “false alarm” scams. These types of scams usually have an urgent call to action. Another common angle is to claim that the recipient’s IP address is “being tracked due to a virus,” with a link leading to an app store page – usually for a questionable virtual private networking app that does nothing but collect “in-app payments” through the Apple or Google app stores for a service that does not work. Or the service does work – but not in ways that the device owner would like.
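The filtering the tracker sites do can be checked from the defender’s side by resolving the same link under two browser identities and comparing where each lands. The script below is an added example, not anything from the article: the user-agent strings, the hostnames and the `simulated_fetch` tracker are constructed stand-ins that only mimic the behaviour described above so the script runs offline, while `live_fetch` performs the same one-hop lookup over the network using the standard library.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Example user-agent strings; assumptions for this example, not from the article.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, user_agent, timeout=10):
    """One hop over the network: returns (status, Location header or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 3xx surfaces here because of _NoRedirect
        return err.code, err.headers.get("Location")


def follow_chain(url, user_agent, fetch, max_hops=10):
    """Walk redirects one hop at a time; returns every URL visited, first to last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def detect_cloaking(url, fetch=live_fetch):
    """Resolve the link as a desktop browser and as a phone. A different final
    destination is the filtering behaviour the tracker sites rely on."""
    desktop = follow_chain(url, DESKTOP_UA, fetch)
    mobile = follow_chain(url, MOBILE_UA, fetch)
    return {
        "desktop_chain": desktop,
        "mobile_chain": mobile,
        "cloaked": desktop[-1] != mobile[-1],
    }


def simulated_fetch(url, user_agent):
    """Constructed stand-in for a filtering tracker so the script runs offline.
    Hostnames are reserved placeholders; 203.0.113.9 is a documentation address."""
    is_mobile = "iPhone" in user_agent or "Android" in user_agent
    if url.startswith("https://short.tracker.example/go/"):
        return 302, "/route?id=abc"
    if url.startswith("https://short.tracker.example/route"):
        if is_mobile:
            return 302, "https://renew-membership.lookalike.example/signup?ip=203.0.113.9"
        return 302, "https://www.example.com/"  # harmless decoy for desktop visitors
    return 200, None


if __name__ == "__main__":
    result = detect_cloaking("https://short.tracker.example/go/abc", simulated_fetch)
    print("cloaked:", result["cloaked"])
    print("desktop:", " -> ".join(result["desktop_chain"]))
    print("mobile: ", " -> ".join(result["mobile_chain"]))
```

Run `detect_cloaking(url)` with the default `live_fetch` only from an isolated analysis machine, since the final hop is the scam page itself; the two chains it returns are also the useful artifacts to keep when reporting the campaign to the hosting provider or the impersonated brand.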
Fleece apps and fake apps
Despite large companies’ efforts to vet the security of applications before they are offered for download in app stores, scam developers regularly manage to get ugly things into the iOS and Android marketplaces – cheap or “free” apps with limited (or non-existent) usefulness that trick users into paying large sums.
Often these applications are presented as free but carry in-app payments – including subscription fees that automatically take effect after a very short “trial period”, which may not be made completely clear to the user. Often referred to as “fleeceware”, apps like this can charge whatever the developer wants on a recurring basis. And they can even continue to generate charges after a user has uninstalled the application.
To make sure you are not charged for apps you have removed, check your list of subscriptions (this works differently on iOS and Google Play) – and cancel any that you do not use.
Occasionally, malicious applications manage to slip past app store screening. Once caught, the developer accounts associated with the apps are usually suspended – and the apps are removed from the stores and (usually) from the devices on which they have been installed. But the developers of these apps often just move to another developer account or find other ways to get their apps in front of users.
I tracked a pop-up ad campaign that drove smartphone users to “security” applications in both app stores, using fake warning pages that resembled mobile operating system alerts warning of virus infections on the device. When the ads detected an iOS device, they opened the App Store page for a VPN application from a developer in Belarus who charged $10 a week for the service. The App Store listing was filled with (probably fake) 4-star reviews along with a few from actual customers who had discovered they had been cheated.
The app itself did work, after a fashion – it routed all of the user’s internet traffic through a server in Belarus, enabling man-in-the-middle attacks and collecting huge amounts of user data.
Sure, a sophisticated device user would recognize that these apps are fraudulent and spot them right away, right? Possibly – but how many iOS and Android users have that level of sophistication?