Friday, December 9, 2011

Facebook Phishing Works Better on an Android (Than a PC)

Your Android device may put you at significantly more risk from a phishing attack than your computer does. Yesterday I blogged about a phishing attack that appeared as a comment in my nephew’s Facebook status update. There was an interesting difference between clicking on the link in the comment on my Android phone and clicking on the link on my computer.

I have disabled apps on Facebook. I do this because apps are one of the ways in which I believe Facebook has historically shared my information without my prior knowledge or approval. I also don’t believe apps on Facebook are well enough vetted to warrant trust in many cases, but mostly I disable apps because if you don’t disable apps then creepy advertisers stalk you mercilessly.

The phishing attack I reported in the blog started at and, on my computer, when I clicked the link, Facebook recognized that I don’t use apps and would not take me to the page unless I enabled apps, which I did not do.

Now compare the PC experience to the Android experience. I clicked on the link in the Android Facebook app and Facebook took me to their apps page, which in turn took me to a Google page, which in turn took me to the Russian page that was hosting the phishing attack. Naturally this all occurred so quickly that it simply looked like I went from clicking on a comment to a Facebook login page.
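To make a chain like that visible before a browser follows it, here is an added example (not code from the original post) that walks a redirect chain hop by hop and flags a final destination that sits outside the trusted intermediaries it passed through. The hop table, the hostnames and the fetch stub are constructed for the example; a live version would issue requests with redirects disabled and read each Location header.

```python
from urllib.parse import urlparse

# Constructed hop table: URL -> value of the Location header it would return
# (None means the page is the final destination). Hostnames are placeholders
# chosen for this example, not URLs from the post.
SIMULATED_RESPONSES = {
    "https://www.facebook.com/apps/example":
        "https://www.google.com/url?q=http://phish.example/login",
    "https://www.google.com/url?q=http://phish.example/login":
        "http://phish.example/login",
    "http://phish.example/login": None,
}

# Hosts a user would reasonably expect to see in a Facebook link's chain.
TRUSTED_HOSTS = {"www.facebook.com", "www.google.com"}


def fetch_location(url, responses):
    """Stand-in for an HTTP request with redirects disabled."""
    return responses.get(url)


def trace_chain(url, responses=SIMULATED_RESPONSES, max_hops=10):
    """Return every URL visited, first to last, without following more than max_hops."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        nxt = fetch_location(hops[-1], responses)
        if nxt is None:
            return hops
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        hops.append(nxt)
        seen.add(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def assess(url, responses=SIMULATED_RESPONSES):
    """Summarise the chain: where it really ends and whether trusted hosts were only a relay."""
    hops = trace_chain(url, responses)
    hosts = [urlparse(h).hostname for h in hops]
    relays = [h for h in hosts[:-1] if h in TRUSTED_HOSTS]
    final = hops[-1]
    return {
        "hops": hops,
        "final_host": hosts[-1],
        "relayed_through": relays,
        # Trusted hosts that merely forward to an unknown host hide the real destination.
        "suspicious": bool(relays) and hosts[-1] not in TRUSTED_HOSTS,
        # A login form served over plain HTTP is a second warning sign.
        "plaintext_login": final.startswith("http://") and "login" in urlparse(final).path,
    }
```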

There is another, even more significant difference. On my computer, when I went to access the phishing page, my browser warned me that it was an attack page. On my Android phone there were no warnings. I did some testing with samples from and it appears that the stock Android browser has no anti-phishing technology built in at all.

The tiny web pages that are often displayed differently on a small portable computing device, such as a cell phone, already take away some potential visual clues, but the lack of anti-phishing technology on the platform puts users of Android (and possibly Windows, Apple, and Nokia) devices at a higher degree of risk, unless… you come back for my next blog about the two simple rules of avoiding phishing attacks. The two rules even help Windows, Linux, and Mac users. Yes, Mac users are at as much risk from phishing attacks as Windows users are, even if Apple pretends that Macs are invincible. Phishing for login credentials isn’t an operating-system-dependent attack; it’s a user attack.

Randy Abrams
Independent Security Analyst
