WhatsApp: The New Victim of Modern Mobile Phishing

Updated: Apr 12, 2020

With almost everyone on a smartphone these days, mobile phishing has become a rampant crime. Research suggests that a new phishing site is created every 20 seconds (quite worrying!).

To make things worse, the techniques and campaigns used by cybercriminals vary, which makes it difficult to identify a trend. There is, however, an observable pattern, as shown by the research conducted by Wandera.

New attacks are launched every day and usually last less than 24 hours before the campaign is shut down and recreated on another site. Luckily, these phishing attacks can be recognized by common features, particularly on the popular messaging application WhatsApp.

There has been an observable increase in phishing attacks that focus mainly on WhatsApp, where each successful attack is used to reach more victims. Traditional phishing campaigns were mainly delivered by email. Most attacks nowadays are varied and make use of different vectors, because email clients now have effective security technologies that can detect and filter suspicious messages in the inbox.

This is why phishers are now targeting apps like Skype, WhatsApp and SMS: they have less protection, which makes things easier for attackers. According to research from IBM, mobile-based phishing is three times more effective than desktop phishing, because there are millions of messaging apps in use, making it near impossible to have an in-app defence.

Cybercriminals can target users in places where they do not expect malicious messages. Email clients usually flag a risky message with a warning, which is something WhatsApp does not yet have. In fact, once a link is shared in the app, it carries all the factors that make it seem legitimate: a snippet of the site along with a logo and the title of the page. Once the user makes the mistake of clicking the link in the message, anything could happen! Often they will be taken to a page offering a sale or a promotion from a particular brand that is only available for a limited time. The phisher may invite the user to complete a brief questionnaire and display a fake timer to create a sense of urgency. What makes these attacks spread exponentially is how they exploit their victims even further by instructing them to share the campaign with their contacts. Although this technique has been around for a while, once it is combined with WhatsApp it automatically reaches "viral" status.

The message is then sent automatically to a seemingly random selection of the victim's contacts, who are often people the current victim trusts. Depending on the campaign, the phisher asks the victim, either before or after completing the form, to send the link to their other WhatsApp contacts; otherwise they cannot claim their reward. Because of this, every time someone falls for the trick, the campaign reaches more victims within the application. These fake pages also carry pseudo-Facebook comments to trick people into thinking the promotion site is legitimate.

Based on Wandera's findings, most of these campaigns aim to extract private information like name, address, phone number and credit card numbers. Although the move by websites to implement HTTPS is very useful, most general users do not have sufficient knowledge to protect themselves. Attackers often use an SSL certificate so that mobile browsers display a "secure" marker near the address bar on their sites.

Many users, unfortunately, mistake that marker for a validation from Google or Apple. Organizations such as Let's Encrypt offer free certificates to website owners, and attackers use them to reinforce the idea that their phishing pages are legitimate, which makes their attacks more effective. Now, in the age of GDPR and with the undeniable growth of phishing campaigns in mobile applications, particularly WhatsApp, mobile users should learn to identify the different forms of phishing. It is indeed hard to find a specific pattern in these campaigns, because each one varies slightly from the others and is altered as the criminals find out what works and what doesn't. Therefore, mobile users should remain vigilant against these phishers.
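The campaign traits described above (a link to a limited-time offer with a fake timer, a reward gated on forwarding the message to contacts, a form asking for personal or card details) can be turned into a simple message triage heuristic. The following is an added example written for this page, not code from the post, from Wandera or from WhatsApp; the regexes, weights and threshold are this example's own assumptions, and the sample messages are constructed. It also encodes the point from the HTTPS passage: an `https://` link is noted but earns no trust, since a free domain-validated certificate says nothing about who runs the site.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Indicators drawn from the campaign traits the post describes. The patterns
# and weights below are assumptions made for this example, not a vendor's rules.
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY = re.compile(
    r"\b(hurry|limited time|expires?|today only|last chance|timer|countdown|"
    r"only \d+ (?:left|hours?|minutes?))\b", re.I)
# "share/forward/send ... <N|all|your> ... contacts/friends/groups"
SHARE_GATE = re.compile(
    r"\b(share|forward|send)\b.{0,40}\b(\d+|all|your)\b.{0,20}\b(contacts|friends|groups)\b", re.I)
REWARD = re.compile(r"\b(free|win|won|prize|voucher|gift card|reward|giveaway)\b", re.I)
DATA_ASK = re.compile(
    r"\b(credit card|card number|address|phone number|survey|questionnaire)\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def triage(message: str) -> Verdict:
    """Score one chat message against the phishing indicators above."""
    v = Verdict()
    urls = URL.findall(message)
    if urls:
        v.score += 1
        v.reasons.append("contains a link")
        # HTTPS is recorded for the analyst but deliberately adds no weight:
        # the 'secure' marker only means the transport is encrypted.
        if all(u.lower().startswith("https://") for u in urls):
            v.reasons.append(
                "https link (not counted: a valid certificate proves nothing about legitimacy)")
    for pattern, weight, label in (
        (URGENCY, 2, "urgency or deadline language"),
        (SHARE_GATE, 3, "reward gated on sharing with contacts"),
        (REWARD, 1, "reward or prize offer"),
        (DATA_ASK, 2, "asks for personal or payment details"),
    ):
        if pattern.search(message):
            v.score += weight
            v.reasons.append(label)
    return v


def is_suspicious(message: str, threshold: int = 4) -> bool:
    """Threshold of 4 (an assumption) means a link plus one strong trait, or two traits, flags."""
    return triage(message).score >= threshold


# Constructed sample messages; example.com / example.org are reserved names.
SAMPLE_MESSAGES = [
    "Congratulations! You have won a free gift card. Offer expires in 10 minutes, "
    "share with 10 contacts on WhatsApp to claim. https://example.com/claim",
    "Hi, are we still on for dinner tonight? Here's the menu https://example.org/menu",
    "Complete this short survey and enter your card number to receive your reward "
    "before the timer runs out. Forward to all your friends first.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage(msg)
        print(f"score={v.score} suspicious={is_suspicious(msg)} reasons={v.reasons}")
```

Run as a script it scores the three constructed messages: the "share with 10 contacts to claim" message and the survey-plus-card-number message are flagged, while the dinner invitation with a plain link is not. The share-gating indicator carries the highest weight because the post singles it out as the trait that makes these campaigns spread.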