Mobile Devices: A Phisher’s Paradise

Nikos Virvilis, Nikolaos Tsalis, Alexios Mylonas, Dimitris Gritzalis

2014

Abstract

Mobile devices, especially smartphones, have gained widespread adoption in recent years due to the plethora of features they offer. Using such devices for web browsing and email is also becoming increasingly popular, and the same holds for more sensitive online activities such as online shopping, contactless payments and web banking. However, the security mechanisms available on smartphones to protect their users from threats on the web are not yet mature, and their effectiveness is still questionable. As a result, smartphone users face increased risk when performing sensitive online activities on their devices, compared to desktop/laptop users. In this paper, we present an evaluation of the phishing protection mechanisms available in the popular web browsers of Android and iOS. We then compare the protection they offer against that of their desktop counterparts, revealing and analyzing the significant gap between the two.



Paper Citation


in Harvard Style

Virvilis N., Tsalis N., Mylonas A. and Gritzalis D. (2014). Mobile Devices: A Phisher’s Paradise. In Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014), ISBN 978-989-758-045-1, pages 79-87. DOI: 10.5220/0005045000790087


in Bibtex Style

@conference{secrypt14,
author={Nikos Virvilis and Nikolaos Tsalis and Alexios Mylonas and Dimitris Gritzalis},
title={Mobile Devices: A Phisher’s Paradise},
booktitle={Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)},
year={2014},
pages={79-87},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005045000790087},
isbn={978-989-758-045-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)
TI - Mobile Devices: A Phisher’s Paradise
SN - 978-989-758-045-1
AU - Virvilis N.
AU - Tsalis N.
AU - Mylonas A.
AU - Gritzalis D.
PY - 2014
SP - 79
EP - 87
DO - 10.5220/0005045000790087