image
A mobile phishing campaign that targeted customers of more than a dozen North American banks, including Chase, Royal Bank of Canada and TD Bank, managed to hook nearly 4,000 victims. The attacks used an automated SMS tool to blast bogus security text messages to mobile phone users between June and last month. Mobile security firm Lookout identified the “mobile-first” phishing campaign and said that victims were sent text messages claiming that their bank detected suspicious activity tied to their account. The SMS-based messages each included a link to one of over 200 phishing pages. “The [phishing pages] are built to look legitimate on mobile, with login pages mirroring mobile banking application layouts and sizing, as well as including links like, ‘Mobile Banking Security and Privacy’ or ‘Activate Mobile Banking,'” wrote Lookout researchers Apurva Kumar, staff security intelligence engineer and Kristin Del Rosso, senior security intelligence engineer, in a report published Friday. In their report, researchers pointed out that mobile-based phishing campaigns have advantages over their desktop equivalents. For one, mobile phishing messages and spoofed sites are less likely to be scrutinized, they said. “Since mobile users are typically on the move and less likely to scrutinize the authenticity of an SMS message, text messages have become an attractive new attack vector,” researchers wrote. Also, often a condensed mobile site will not display an entire URL, making it harder…

Source