Phishing AI Discovers New Mobile-First Phishing Campaign

Lookout Phishing AI reports a new, sophisticated phishing kit designed specifically for mobile users of a major cell phone network.

Lookout Phishing AI recently uncovered a new, mobile-first phishing kit targeting Verizon customers.  Lookout developed Phishing AI to identify early signals of attacks, build protections for our customers, and provide early warning to any targeted organization. Lookout Phishing AI notified Verizon of its findings; Verizon addressed this with customers previously and continuously monitors customer account security.

Protection against mobile phishing needs to be a top priority for all enterprises today, as mobile phishing has grown by 85 percent year over year since 2011, according to Lookout data. These phishing campaigns against Verizon are just a small subset of phishing kits targeting businesses and consumers. In fact, WIRED recently published a story tax phishing scams. In that case, phishing kits were designed as fake versions of online accounting tools like QuickBooks or tech support agents in order to steal login credentials or personal information like passport numbers.

‍

Mobile-first phishing attack

Earlier this year, I wrote about phishing predictions for 2019, one of which was that we would see an uptick in mobile specific phishing campaigns. Attacks that target mobile devices have emerged as an effective attack vector in the era of post perimeter security since many mobile devices lack traditional security--and I expect we will continue to see these attacks increase alongside mobile device usage. These attacks, when opened on a desktop, clearly look like a poorly made phishing domain, but on a mobile device, they look legitimate.

The attacks targeting Verizon customers that Lookout Phishing AI discovered supports this prediction: when the phishing link is opened on a desktop, it doesn’t look legitimate, but, when opened on a mobile device, it looks like what you would expect from a Verizon customer support application. In fact, the desktop version it even looks like an “app” interface.

Below are screenshots of the desktop version and the mobile version of the phishing kit; as you can see there is even a banner spoofing the Verizon mobile app to lend even more legitimacy:

Desktop view:

‍

Mobile view:

‍

‍

More sophisticated than your average phishing campaign

The mobile-first approach to this phishing kit is not the only aspect of its sophistication. This kit targeted Verizon customers through malicious links masquerading as Verizon Customer Support. This shows that the attackers did their research. For example, the first set of domains include ‘ecrm’.  The phisher is attempting to spoof: “ecrm.verizonwireless[.]com”. In this context we believe ECRM stands for Electronic Customer Relationship Management as it is the domain used to send email from Verizon Customer Service to Verizon customers.

In fact, there were three distinct campaigns targeting the Verizon ECRM server that occurred in the past three months:

Attack #1

• 2018-11-28ecrmverizon.com

Attack #2

• 2019-02-02ecrmverizonwireless.com

Attack #3

• 2019-03-19ecrmemail-verizonwirelesss.com
• 2019-03-19ecrmemail-verizonwirelesss.info
• 2019-03-20ecrmemail-verizonwirelesss.net

Moreover, here is a list of 51 potential Verizon customer phishing domains registered in the last 90 days:

This campaign shows that not only did the attackers research what Verizon’s infrastructure looks like, but that they were relentless in their attack. We lack visibility into the effectiveness of this particular campaign, but for anyone that fell victim there is a very real risk of identity theft or account takeover--which is further compounded by the fact that mobile devices are frequently used in two-factor authentication.

As attackers continue to invest in more sophisticated attacks and focus on mobile devices, it is imperative for businesses and consumers to be aware of mobile phishing attacks, and adopt a post-perimeter security architecture to protect their data.