Mobile Phishing Attacks Use Fake WAP Pages

Security researchers from Symantec have spotted phishing attacks that target mobile users and make use fake WAP pages for popular services.

Mobile phishing is not very widespread at the moment, but the number of attacks continues to grow due to the increased popularity of smartphones.

Many companies offer a version of their websites for mobile devices. These can be designed for smartphones or as WAP pages for old feature phones that don't have advanced browsers.

WAP pages use a reduced number of Web technologies, mainly XHTML, and almost no graphics, in order to reduce traffic because WAP speeds are very restricted.

"Symantec has recorded phishing sites spoofing such Web pages and has monitored the trend. In June, social networking and information services brands were observed in these phishing sites," the company warns.

In one case, the page consisted of nothing more than a login form, which, after collecting the inputted credentials, redirected victims to the actual WAP page of the site they were trying to access.

This is meant to trick users into discarding the incidents as mere errors and not become suspicious when they don't find themselves logged into the real websites. In addition, phishers seem to host the rogue pages on compromised legit websites from the .mobi domain space.

"Over the past six months, about 65 percent of these phishing sites spoofed brands from the banking sector, whereas 19 percent were from the e-commerce sector and the remaining were from the ISP, social networking, and information services sectors," says Symantec security expert Mathew Maniyara.

Security experts have warned in the past that mobile users are more susceptible to phishing because of the way mobile browsers display URLs. Since a phone's screen has limited space, URLs are truncated when shown in the address bar. This allows attackers to create overly long URLs in order to hide the rogue domain name.