
May 9, 2019

Mobile phishing protection: how to defend against https phishing attacks

By Jeremy Richards

Although much has already been published about the prevalence of https websites in phishing attacks, it’s important to keep this threat top of mind. After all, phishing attacks are increasingly targeting mobile users.

First developed in 1994, the SSL certificate has long been regarded as the gold standard for digitally certifying the identity of a website and encrypting website traffic. Websites secured by SSL certs are designated by the prefix 'https' and typically accompanied by a padlock icon in the browser status bar. This encryption helps protect against man-in-the-middle attacks, spoofed websites, and eavesdroppers so that your information remains secure.

Unfortunately, without a central authority governing the creation of https sites, hackers are registering and spinning up https-enabled phishing sites at a rapid pace. Once a user clicks a phishing link, it directs them to the phishing site, which appears completely legitimate. The user sees the padlock in the status bar, the https prefix, and relevant content, and as a result feels confident enough to proceed as usual, entering credentials, personal information, or even credit card information.

Phishing attacks are even harder to detect on mobile devices, as the features, functionality, and even the screen size of today’s mobile devices offer attackers an advantage in phishing.

Five reasons mobile is a prime phishing target

But why are mobile devices a prime target for these attacks? Below are a few basic reasons:

  1. Almost everyone has a mobile device that they bring with them everywhere
  2. Mobile displays are relatively small, so the finer nuances of a threat may be concealed
  3. A large ecosystem of mobile email, messaging, and apps provides a large attack surface for phishing
  4. Mobile users often multitask while on the go and may easily overlook a potential threat
  5. Many organizations now embrace the use of smartphones and tablets to increase productivity in the workplace; as a result, sensitive corporate data is stored on mobile devices

Lookout helps defend against phishing attacks

To detect fraudulent https sites, Lookout Phishing AI processes 15 million TLS certificate events and 150,000 new domain registrations daily. With this level of AI analysis, Lookout consistently discovers nearly 15,000 high-confidence phishing domains each month and expects these numbers to increase.
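As an added illustration of combining the two signals named above, hostnames from TLS certificate events and domain registration dates, the following sketch scores hostnames that imitate a protected brand. It is not Lookout's code or method and not part of the original article; the brand, domains, dates, weights and threshold are all constructed assumptions.

```python
import re
from datetime import date

# Constructed watch list: protected brand -> its legitimate registrable domain.
BRANDS = {"examplebank": "examplebank.example"}
# Digit swaps common in lookalike names, mapped back to the letter imitated.
HOMOGLYPHS = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(host, registered, seen):
    """Score one hostname from a certificate event; returns (points, reasons)."""
    host = host.lower().lstrip("*.")  # drop a wildcard prefix such as "*."
    domain = ".".join(host.split(".")[-2:])  # naive: ignores suffixes like co.uk
    if domain in BRANDS.values():
        return 0, []  # the brand's own domain, not a lookalike
    tokens = re.split(r"[.-]", host.translate(HOMOGLYPHS))
    points, reasons = 0, []
    for brand in BRANDS:
        if brand in tokens:
            points, reasons = points + 2, reasons + [f"uses brand name '{brand}'"]
        elif any(edit_distance(t, brand) == 1 for t in tokens):
            points, reasons = points + 2, reasons + [f"one edit away from '{brand}'"]
    if (seen - registered).days <= 30:  # assumed cut-off for "newly registered"
        points, reasons = points + 1, reasons + ["domain registered in last 30 days"]
    return points, reasons

SEEN = date(2019, 5, 9)  # constructed observation date
EVENTS = [  # constructed (hostname in certificate, domain registration date)
    ("www.examplebank.example", date(2010, 3, 1)),
    ("examplebank.secure-login.test", date(2019, 5, 1)),
    ("examp1ebank.test", date(2019, 4, 20)),
    ("examplbank.test", date(2018, 1, 1)),
    ("weather-blog.test", date(2019, 5, 8)),
]

def flagged(events, seen=SEEN, threshold=2):
    """Hostnames whose score reaches the threshold, highest score first."""
    scored = [(score(h, reg, seen)[0], h) for h, reg in events]
    return [h for pts, h in sorted(scored, reverse=True) if pts >= threshold]
```

A valid certificate is present in every one of these constructed events, so the padlock alone does not separate the legitimate host from the lookalikes; the hostname and registration age do.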

While Lookout Phishing AI detects and monitors phishing campaigns, Lookout Phishing and Content Protection verifies the safety and validity of a website prior to granting access. This means that if you accidentally click a link to a malicious https site, Lookout will protect enterprises and their data by blocking access to the site and notifying them of this threat.

Https phishing attacks may be common and hard to spot, but with Lookout deployed, enterprises have comprehensive mobile phishing protection, ensuring that their corporate data is secure in today’s post-perimeter, cloud-first, mobile-first world.


Author

Jeremy Richards,
Principal Security Researcher