Internet Security Fundamentals - Online Edition

13 Smartphones & Tablets

More and more of us are using our smartphones and tablet computers as our primary way of accessing the internet outside of work. This trend is set to grow, and the criminals know this is too big an opportunity to miss. Currently 90% of all mobile device malware is aimed at systems using Google Android, which accounts for the highest number of users worldwide. One study found that 86 per cent of Android mobile-malware payloads were repackaged with legitimate apps, which is how users were tricked into installing them.

Mobile phone scams have been around for ages, but internet-enabled smartphones have now given criminals and unscrupulous companies a wider range of tools and techniques to get people to unwittingly agree to sign up for their ‘premium’ services. Recently, after opening an ad-supported app on my smartphone, I was presented with a free competition to win an iPad. There were over five multiple-choice questions, each well presented and hard enough to catch a few people out. After the fourth question I was told that if I answered the final question correctly, I would need to give my name and mobile number to enter the competition. The fifth question was quite easy, at which point I noticed the small print: by entering my mobile number, I would be agreeing to a competition subscription service charged at £4 a week. The problem with these ‘scams’ is that weeks can go by before people realise they are being charged, as their mobile bill is monthly. Together with long 30-day cancellation terms, the end result is that people could easily be £30-£50 poorer for entering what appeared to be a free competition.

Smartphones also give criminals the opportunity to trick a device into sending a premium-rate text message repeatedly. Previously, stolen phones would be set up to call premium-rate numbers, but now a virus can automate the whole process. A 20-year-old French hacker was arrested after tricking over 17,000 Android smartphone users into downloading his fake apps, which then sent out half a million euros’ worth of premium text messages. The particular trick he used has since been fixed in later versions of Android, but there are lots of devices that could still be affected.

If you have an Android-based device, I highly recommend you install one of the free antivirus apps such as Avast Mobile Security or Sophos Intercept X for Mobile, or, if you prefer, a paid-for multi-device solution like F-Secure TOTAL or Bitdefender Total Security, which offers a wider range of protection. Users of Apple iOS devices are less likely to encounter malware, but they also have the same free Avast and Sophos options.

The trend to ‘root’ or ‘jailbreak’ a device, which basically gives the user complete access and control, also removes many built-in security features. Because you can now install unauthorised apps, bypassing the official app store of your device, you are effectively unlocking every door in the house, opening all the windows and then sitting in the garden. To top it off, your warranty is also invalidated, so in the long term the cons outweigh any benefits. Some recent reports by antivirus companies claim that over 10% of all apps in unofficial app stores are malware, while others claim 30% or higher, so it’s best to avoid all unofficial app stores even if you have antivirus installed.

Whatever mobile device you use, you can still fall victim to WiFi snooping, traditional phishing scams and also phishing scams based around your app store ID. Every mobile device needs an online ID provided by the developer of the mobile operating system: for Apple iOS you need an Apple ID; for Android, a Google account; for Windows Mobile, a Microsoft Live ID; and for Blackberry, a Blackberry ID. So now we have phishing email scams based around this device ID, which is normally linked to lots of other cloud services. When you first set up a new device, a number of verification emails are normally sent to allow you to purchase apps. The criminals know this and constantly send out phishing emails hoping to get lucky. Here are three Apple ID based phishing scams I received posing as verification emails:

This can look identical to the genuine email, but the ‘click here to confirm’ link goes to http://www.altlinks.ru/admin/.apple/, which is a redirector that could take you to any web address the criminals want.

This rather impressive attempt was reportedly from secure@icloudmessagecentre.co.uk and had a convincing link going to: https://icloudmessagecentre.net/myappleaccountmessageview-ticket-id8912380357849182wua-secureapple/?

But it was nothing compared to this pixel perfect fake.

This one then goes on to ask for a social security number, driving license and even a passport number. So not only would you be giving up your Apple ID credentials, but the criminals would also have everything they need for identity fraud.

This fake iCloud email arrived with the subject ‘Account will be deleted after 5 hours! Please Confirm !!’ from an account named ‘Payment Pending’. On a mobile the sender’s email address is hidden, but on a computer it is displayed as Payment Pending from webmaster@taste.vwdheal.com, which is obviously not Apple.

Another trick the criminals use is to send you an order confirmation for a brand-new, top-of-the-range mobile phone that is going to be shipped to a stranger and that you will be paying for. In the email below, they are hoping that you are an Apple customer and that you see red and click ‘Cancel Order’, because obviously you didn’t order a new phone for someone you don’t know.

Clicking ‘Cancel Order’ then takes you to the Apple ID login page for you to enter your credentials as expected.

Or does it?

Could you tell that the first one was fake, and the second one was real?

As this problem has grown so big, Apple has issued guidance to help identify legitimate emails at https://support.apple.com/en-us/102406. There are also premium app subscriptions that can help protect you against advanced scams and WiFi snooping on both iOS and Android, like F-Secure’s Freedome VPN, which basically encrypts all your internet activity. If you do all your online banking and internet shopping on a mobile device, I urge you to seriously consider one of these types of services, which cost slightly more than a single premium take-away coffee per month.

Mobiles also give criminals the opportunity to start a phishing scam via an SMS text message containing a web link. It is very easy for criminals to spoof a text message from what they hope is your mobile phone network provider. By spoofing the provider’s genuine text message number, the fake text message will appear grouped with any real text messages you have previously received from them. Because of this grouping with previous legitimate text messages, the criminal’s message is automatically trusted by most people and rarely given a second thought.

Obviously, if it’s the wrong mobile provider you’ll be suspicious, but otherwise the small mobile phone screen helps the criminals to hide the full web address of their fake websites.

Take this text message supposedly from O2, which points to a convincing but totally fake sign in page. People see the domain ‘o2.uk’ but don’t realise they are actually at ‘bill979.com’.


In the following example a text message claims to be from WhatsApp and says that my subscription has expired. It then goes on to say that you need to verify your account and offers a special deal of a lifetime subscription for 99p by clicking on the shortened bit.ly web link. Here the criminals are relying on the fact that not everyone realises WhatsApp is now completely free, together with the smaller mobile screen size to hide the look-alike web domain of vvhats-app.co.uk, where two v’s would hopefully look like a w on a mobile screen. Straight away they ask for your name, address, date of birth and contact details; they then ask for debit or credit card and bank account details.


Step 3 of 3 goes on to ask for a Security Question, giving you the choice of Mother’s Maiden Name, Passport Number or Driving License Number, basically everything needed for ID theft.

Another trick the criminals use to get all your bank account details and personal information is the fake ‘your direct debit has been suspended’ email alert. There are a number of payments people must make annually, like income tax, but in the UK we also have an annual TV license per household which carries a large fine if not paid, so a lot of people take advantage of the option to pay in smaller multiple direct debit payments. So here we have a perfect example of a nearly universal tax/bill that many people pay by direct debit and where failure to pay could result in a hefty fine. The hook, carrot and stick are already there for the criminals to base their fake mobile-centric email campaigns on, like this one below:


Another trick cybercriminals use is to make a website look like a mobile phone system alert dialog, warning you that you have been compromised or that your device has been infected with a virus, or even multiple viruses. Here the goal is to get you to install an app and enter your account credentials ‘for verification’ (which is often the real goal), or to trick you into buying an overly expensive app (often a Virtual Private Network or VPN app with a high monthly subscription), which is defined as ‘fleeceware’ in the glossary of this book. The original website link source is often an SMS text message or mobile phone based social message rather than an email, as this scam only works if viewed on a mobile phone.

The following two images are examples of the same fake link aimed at iPhone users: the first image is on an iPhone, while the second is on an Android phone displaying different content (though still mentioning an iPhone).


Unfortunately, there are now new ways that you can be scammed and charged while surfing on your smartphone. Recently one of my colleagues was surfing the internet on their smartphone to pass the time in a doctor’s waiting room. They clicked an advert from a mainstream website and answered some questions in a really easy quiz. Soon afterwards an SMS text message arrived informing them that they had just been charged £30, as there was a £6 charge for each question. Unfortunately, the advert had been placed in between some just-for-fun questions from the main website, which my colleague was working their way through. They didn’t read the small print and clicked the answers, but at no point was my colleague asked to confirm payment, and no ID of any kind was requested.

They were charged using a system called Payforit Single Click, a legitimate service which the mobile phone networks have adopted to make instant payments. So be careful when surfing on a mobile, because you can now be charged just for clicking something. It might be to view a video, submit an answer or download a document. If you can, ask your mobile phone provider whether you can opt out of premium services or Payforit (ask for an MPAY bar) and set up a spend threshold alert. Having the mobile phone provider’s adult content filter turned on will also help block some of the websites that use these instant payments, so check with customer service in case you’ve requested it to be turned off in the past. Keep an eye out for a website banner like the one below, which shows that you are agreeing to be charged. Either way, be extra vigilant when browsing the internet on your smartphone, otherwise you could be in for a nasty shock when your mobile phone bill arrives.

Another area you need to watch out for is the fake app purchase confirmation email. In the example below a high-cost app has supposedly been downloaded, but if it was a mistake you can click the ‘Cancellation Form’ link. Notice how there is no £ or $ sign, as well as a range of typos. Clicking the cancellation link may take you to a fake login page where they hope to capture your username and password for your Apple or Android account, or to a website loaded with an exploit kit to silently install a virus or Trojan.

From: AppStore [mailto:isto@isapp.net]

Sent: 21 August 2015 19:12

To: Nick Ioannou <nick.ioannou>

Subject: Your recipt No. 2183124194

Your AppID was just used to download GPS Toolbox from the AppStore on a computer or device that had not previously been associated with that AppID.

Order ID Number: PIE93UD9END8DJ

Order total: 49.00 

If you initiated this download, you can disregard this email. It was only sent to alert you in case you did not initiate the download yourself.

If you did not initiate this download, we recommend that you go to Cancellation Form to cancel this order.

If you receive an app purchase confirmation, you can check it from your device or via a computer. On an Apple device open the App Store, select Updates, then Purchased, or visit reportaproblem.apple.com, which will list all your recent purchases. For Android devices, open the Google Play Store app, touch the Menu icon and select My account.

With a large number of people now working from home, there has been a large rise in fake courier and postal service SMS text messages. Typically, they say that there is a problem with a delivery, that a delivery was missed or that a small fee needs to be paid. These point to fake web domains that contain the name of the service and, most of the time, seem perfectly plausible.

Here’s an example of a typical text message claiming to be from the courier Hermes. The link seems perfectly plausible and looks the part. The giveaway for most people is the date of birth field in the ‘verify your identity’ step.


Things look a lot different if you try to open that same link in a desktop browser: chances are a modern web browser or your antivirus software will block the attempt to visit the fraudulent website. In some cases, the website checks whether you are using a mobile and, if not, sends you to a legitimate page in order to try and fool you.

Most people think that it would not be easy, or even possible, for fraudsters to purchase web domains containing the brand names of major companies, but with hundreds of domain name combinations being purchased daily, the opposite is true.

Here's another text message claiming to be from the courier DPD. Once again, the web link seems more than plausible, and if the fraudsters spoof the official text message number, the fake message could appear in the same list as real messages from that courier.

Following the link took you to a perfect copy of the DPD website asking for a name and postcode. Every menu button worked, instantaneously taking you to the real DPD website; they just hoped you would click the back button to return to the fake version. In order to see what happened, I entered the name ‘Smith’ and the postcode of the MI5 Security Service building in London.

It didn’t really matter what was entered, as the second page asked for everything the fraudster needed, before moving on to payment information. If you think you may have been tricked by one of these fraudulent messages, please contact your bank immediately.

Couriers and postal services are great candidates for these types of scams: with more and more people ordering goods online, combined with many more people working from home, missing a delivery is a commonplace occurrence. If you receive a similar message and are not sure whether it is real or fake, visit the website of the reseller you are expecting a delivery from and request the courier tracking code. If you are not expecting a delivery, ignore the link in the message and search for the official website of the named courier service to contact them and verify the message.

Here are a few more fraudulent web domains for Royal Mail in the UK.

This one is https://royalmail.deliveryconfirmation-id.com

While this one is https://royalmail.mypackageupdates-id.com

Here is another fake delivery email from noreply@freightgpt.com, using the gpt ending to associate it with ChatGPT and appear more official. If you decide to verify any suspicious emails on a desktop or laptop, carefully view them without clicking any links, and be aware that hovering over a button may reveal a destination address completely different from what the button displays.

Always check the link address by what is displayed in the bottom left of a desktop browser.

In the UK the National Cyber Security Centre (NCSC) has taken down close to 10 million malicious domains over the past seven years, but the criminals spin up new plausible-sounding domains as fast as they are taken down. So that you don’t get caught out, here is a list of the official UK websites of the major courier companies:

Please create a list for your own country and keep it handy. Remember, subdomains may be valid if they have the full stop before the valid domain name, for example https://about.ups.com is a valid subdomain, but https://about-ups.com is not. Please note, this applies to any website domain, not just couriers.
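The full-stop rule above can be checked mechanically, and the same check catches the other domain tricks shown in this chapter: a brand joined with a hyphen (about-ups.com), a brand used as the subdomain of someone else’s domain (royalmail.deliveryconfirmation-id.com), look-alike letters (vvhats-app.co.uk) and a brand that only appears in the path after the real host (people reading ‘o2.uk’ and missing ‘bill979.com’). The Python script below is an added example and is not from the book: its allowlist of official domains is a sample to be replaced with the list you keep for your own country, the sample links are constructed from the shapes described in the chapter, and the look-alike character swaps beyond ‘vv’ for ‘w’ are my own additions.

```python
"""Tell a real subdomain of an official domain from a look-alike link.

Added example; the allowlist and the sample links are constructed for the
demonstration and are not part of the book.
"""
import re
from urllib.parse import urlsplit

# Sample allowlist (assumption): replace with your own list of official
# domains for your country, as the chapter recommends.
OFFICIAL_DOMAINS = {"ups.com", "apple.com", "whatsapp.com", "royalmail.com",
                    "dpd.co.uk", "o2.co.uk"}

# Characters that look alike on a small screen. 'vv' for 'w' is the trick from
# the WhatsApp example; the others are further common substitutions (assumed).
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalise(text):
    """Lower-case the text and undo look-alike character swaps."""
    text = text.lower()
    for fake, real in HOMOGLYPHS:
        text = text.replace(fake, real)
    return text


def classify(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, detail) for a link.

    official  - host is an official domain or a true subdomain of one, i.e.
                there is a full stop before the official name (about.ups.com)
    lookalike - a brand name is only imitated: joined with a hyphen
                (about-ups.com), used as the subdomain of another domain
                (royalmail.<other>.com), spelled with look-alike characters
                (vvhats-app.co.uk) or placed in the path after the real host
    unknown   - no brand recognised; treat with the usual caution
    invalid   - no host name could be parsed from the link
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", "no host name in link")

    # The chapter's rule: only a full stop directly before the official domain
    # makes a valid subdomain. Longest names first so 'co.uk' style names win.
    for domain in sorted(official, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return ("official", domain)

    # Brand keywords are the first label of each official domain.
    brands = sorted({d.split(".")[0] for d in official}, key=len, reverse=True)

    # Strip the separators and look-alike letters a scammer uses to wedge a
    # brand into an unrelated domain. Substring matching errs on the side of
    # flagging, which is the right way round for a warning tool.
    flat_host = normalise(host).replace(".", "").replace("-", "")
    for brand in brands:
        if brand in flat_host:
            return ("lookalike", f"{brand} imitated in host {host}")

    # Brand in the path only: the eye reads the brand and misses the real host.
    path_tokens = [normalise(t) for t in re.split(r"[^A-Za-z0-9]+", parts.path) if t]
    for brand in brands:
        if any(brand in token for token in path_tokens):
            return ("lookalike", f"{brand} appears only in the path, host is {host}")

    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample links following the shapes described in the chapter.
    for link in ["https://about.ups.com/track", "https://about-ups.com",
                 "https://royalmail.deliveryconfirmation-id.com",
                 "https://vvhats-app.co.uk/verify", "https://bill979.com/o2.uk/login",
                 "http://www.altlinks.ru/admin/.apple/", "https://example.org/news"]:
        print(f"{link:48} {classify(link)}")
```

The order of the checks matters: the allowlist is consulted first so that a genuine subdomain such as about.ups.com is never reported as a look-alike, and only links that fail that exact test are run through the fuzzier brand-imitation heuristics. Anything that comes back ‘unknown’ is not proven safe; it simply contains no brand the allowlist knows about.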

Here are a few more examples of fake courier emails:

Moving on, your mobile device’s app store is also a very lucrative way of signing you up for a recurring subscription, and the criminals know this too. So much so that they have created mundane apps with a free trial, linked to ridiculously priced automatic subscriptions that can cost thousands. It is not just about hoping to catch people who forget to unsubscribe: these apps use typography and graphics to mislead and hide their true nature. The criminals are also using a sneaky trick on Apple iPhones with Touch ID enabled. They unexpectedly show a payment prompt, knowing that people will instinctively press the home button to exit the app, except that pressing the home button confirms the payment instead. If you see any unexpected demands for payment, make sure to press the power button instead of the home button.

Apple has pulled many of these apps from their App Store, but only with the condition that the apps are clearer about their subscription costs. They have not banned anyone from creating a £100 a month subscription ringtone customisation app or a £10 a month calculator. The best way to protect yourself is to disable any in-app purchasing functionality. In Apple iOS, this can be found in Settings - Screen Time - Content & Privacy Restrictions - Content & Privacy Restrictions - iTunes & App Store Purchases.


It is also worth turning off Touch ID for the App Store and possibly Apple Pay (especially if you rarely use it) via Settings - Touch ID & Passcode. On Android you cannot actually disable in-app purchases, only force authentication via Play Store - Settings - Purchase verification - Verification frequency - Always. Be vigilant when installing new apps, otherwise they may end up costing you more than the device you are using them on did.

There has been a trend for cybercriminals to create mobile apps that behind the scenes use your mobile data connection to carry out click fraud, where your mobile generates pay-per-click (PPC) revenue from online adverts. These apps are often useful utilities that you install and then forget about, or even games, and while they are not malicious to you, they could cost you money if you go over your monthly data allowance, as well as generally slowing down your smartphone.

Still, one of the biggest issues with smartphones is having them stolen or just losing them, especially as many people use their mobile as the second part of a two-factor authentication login process where a code is sent via SMS to their mobile. So, make sure that your device is backed up and that you have your device PIN or pattern lock enabled.

When it comes to choosing a PIN code, try not to use any of these common codes:

Four-digit PINs        Six-digit PINs
0000   1998            000000   159753
0852   2222            111111   654321
1010   2580            112233   666666
1111   4321            121212   789456
1212   5555            123123
1234   5683            123456

Also avoid using your birth year as a PIN code. If your phone is also your only camera and photo album, make sure that your photos are saved to a cloud backup service so that losing your phone is not a major loss. Lastly, if you have a ‘find my phone’ location tracking feature enabled, make sure it cannot be disabled without your PIN.
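To turn the table above and the birth-year advice into something you can check before settling on a PIN, here is an added Python example that is not from the book. It starts with the common PINs listed in the table and goes a little beyond it by testing for the patterns behind them: a single repeated digit, a repeated block, a run of consecutive digits, a straight line or neighbouring keys on the phone keypad, and a plausible birth year. The keypad rule and the 1900-2030 year range are my own assumptions.

```python
"""Flag weak device PINs: the common codes from the chapter's table plus the
patterns behind them. Added example; the rules beyond the table are assumptions
about what a sensible PIN policy should catch.
"""

# The common four- and six-digit PINs listed in the chapter's table.
COMMON_PINS = {
    "0000", "0852", "1010", "1111", "1212", "1234",
    "1998", "2222", "2580", "4321", "5555", "5683",
    "000000", "111111", "112233", "121212", "123123", "123456",
    "159753", "654321", "666666", "789456",
}

# Row/column of each digit on a phone keypad, used to spot straight-line or
# neighbouring-key patterns such as 2580 and 0852 (assumed rule).
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}

YEAR_RANGE = range(1900, 2031)  # assumption: plausible birth years


def is_sequential(pin):
    """Digits run up or down by exactly one each step, e.g. 1234 or 654321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeating(pin):
    """A short block repeated to fill the PIN, e.g. 1212 or 123123."""
    return any(pin == pin[:n] * (len(pin) // n)
               for n in range(1, len(pin) // 2 + 1) if len(pin) % n == 0)


def is_keypad_walk(pin):
    """Every digit is on the same key as, or adjacent to, the previous one."""
    return all(max(abs(KEYPAD[a][0] - KEYPAD[b][0]),
                   abs(KEYPAD[a][1] - KEYPAD[b][1])) <= 1
               for a, b in zip(pin, pin[1:]))


def looks_like_year(pin):
    """A 4-digit PIN that is a year, or a 6-digit PIN containing one (011998)."""
    return any(int(pin[i:i + 4]) in YEAR_RANGE for i in range(len(pin) - 3))


def weak_pin_reasons(pin):
    """Return the list of reasons a PIN is weak; an empty list means it passes."""
    if not (pin.isdigit() and len(pin) in (4, 6)):
        return ["must be 4 or 6 digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("in the common PIN list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif is_repeating(pin):
        reasons.append("repeating pattern")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if is_keypad_walk(pin):
        reasons.append("straight line or neighbouring keys on the keypad")
    if looks_like_year(pin):
        reasons.append("looks like a birth year")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the first four are weak, the last two pass.
    for candidate in ["1234", "2580", "1987", "011998", "7391", "472913"]:
        print(candidate, weak_pin_reasons(candidate) or "ok")
```

A PIN that passes every rule here is not automatically strong, only free of the obvious patterns; the point of the checks is to reject the codes a thief would try first, before falling back on the device’s own lockout after repeated wrong attempts.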

Your smartphone is a portable computer that many of us use every day, sometimes for up to five years. Just remember that cyber threats are not the only problems you may encounter during this time. Expect your smartphone to either stop working (water is normally involved) or go missing, and plan for this event so that if it does happen, it won’t be a crisis.

Like what you see? Purchase an offline copy (PDF is updated quarterly)
Also, volume Licensing available for up to 100 copies from £0.40 a copy