Tag: Windows Phone
AirDrop lets you move files and other data from a Mac to an iPad to an iPhone, in any combination of directions. Your Apple Watch can unlock your Mac.
Any Apple device can control a Keynote presentation on any other Apple device.
Apple’s Handoff lets you start work on one Apple device and pick up where you left off on another.
Bookmarks, contacts, email settings, passwords, and even credit card details can be synced automatically across all your devices. Windows 10 was supposed to do the same, relying on Windows Phones to take the role of the iPhone in this fluid ecosystem.
But Windows Phone (renamed Windows Mobile) is in cryogenic suspension, waiting for a future miracle cure to bring it back to life.
Thus, Microsoft’s ambitions to copy Apple’s liquid computing have gone unrealized.
That research, the two academics said, will be shared in a future paper.
In the meantime, the Star Wars botnet dataset is available for study; the researchers said the data is tens of times larger than any public collection on Twitter bots. The researchers also said they have not shared their data with Twitter yet because they are waiting for their current research to be approved in a scientific journal. “We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted,” Echeverria Guzman said. A request to Twitter for comment was not returned in time for publication. The researchers said the botnet was created in 2013 and has remained hidden since then with relatively little activity.
The mundane pace at which the bots tweeted seemed automated and intentional, the researchers said. Most of the content consists of benign quotes from Star Wars novels and does not include URLs, giving the tweets the appearance of real human language as a means of side-stepping bot detection services.
The user profiles behind the bots also used tactics that would not trigger alerts, such as having real profile pictures. “All the accounts were created in a short window of time, less than two months.
They all behave in exactly the same way, quoting Star Wars novels including the same hashtags (and adding random hashtags to the quote),” Echeverria Guzman said. “All of their tweets are marked as coming from ‘Windows Phone,’ which means that they are likely to be controlled by the API instead of the Twitter site.
For reference, that source accounts for less than 0.1% of tweets normally.” The clincher connecting the hundreds of thousands of bots to the same network, however, is the geographic distribution of the host accounts.
Tweets were tagged with geographic locations which, when mapped, fall within neat rectangles plotted over North America and Europe.
The tweets are distributed within the rectangles, even in uninhabited areas.
The researchers describe the plotting in the paper: “These rectangles have sharp corners and straight borders that are parallel to the latitude and longitude lines. We conjectured that the figure shows two overlapping distributions. One is the distribution of tweets by real users, which is coincident with population distribution.
The other is the distribution of tweets with faked locations by Twitter bots, where the fake locations are randomly chosen in the two rectangles – perhaps as an effort to pretend that the tweets are created in the two continents where Twitter is most popular.” Echeverria Guzman said the split between the two rectangles is exactly 50 percent and the tweets are uniform throughout the rectangle. “All of this is almost impossible to have originated from normal users,” he said. The researchers point out previous work demonstrating how Twitter bots have been able to abuse Twitter’s streaming API.
Bots, the researchers said in their paper, are programmed to time tweets so that they are included in the streaming API as much as 82 percent of the time versus the expected 1 percent. “If and when these bots are activated, they can do all of the threats as listed above—but on a large scale with a sudden effect,” Zhou said. “For example it is known that the Streaming API is susceptible to tampering by bots.
The size of the Star Wars botnet is clearly enough to contaminate the Twitter API and the Twitter environment itself, particularly if focused on a single topic. “In other words, it is scary to know there are bad guys and see the terrible things that they have been doing; yet it is much more scary to know there are a lot of bad guys around, but we have no idea what they are up to.” The researchers said they hope others download and analyze the available data.
They’ve also created a Twitter account, @thatisabot, and website, where bots can be reported.
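The three signals the researchers describe (locations spread uniformly inside sharp-edged rectangles, an even split between the two rectangles, and a client source that is rare among normal users) can be turned into a simple detection heuristic. The Python below is an added example, not the researchers' code or dataset; the bounding boxes, the city coordinates and both tweet samples are constructed for the demonstration.

```python
import random
from collections import Counter

# Constructed bounding boxes standing in for the rectangles plotted over
# North America and Europe: (lat_min, lat_max, lon_min, lon_max).
NA_BOX = (25.0, 50.0, -125.0, -65.0)
EU_BOX = (36.0, 60.0, -10.0, 30.0)


def gen_bot_tweets(n, boxes, seed=1):
    """Bot-like sample: locations drawn uniformly inside the boxes, split
    evenly between them, every tweet reporting the 'Windows Phone' source."""
    rng = random.Random(seed)
    tweets = []
    for i in range(n):
        lat_min, lat_max, lon_min, lon_max = boxes[i % len(boxes)]
        tweets.append({"lat": rng.uniform(lat_min, lat_max),
                       "lon": rng.uniform(lon_min, lon_max),
                       "source": "Windows Phone"})
    return tweets


def gen_human_tweets(n, seed=2):
    """Human-like sample: locations clustered around a few population
    centres (constructed coordinates), with a mix of ordinary clients."""
    rng = random.Random(seed)
    cities = [(40.7, -74.0), (34.1, -118.2), (51.5, -0.1), (48.9, 2.4)]
    sources = ["Twitter for iPhone", "Twitter for Android", "Twitter Web Client"]
    tweets = []
    for _ in range(n):
        lat, lon = rng.choice(cities)
        tweets.append({"lat": lat + rng.gauss(0, 0.3),
                       "lon": lon + rng.gauss(0, 0.3),
                       "source": rng.choice(sources)})
    return tweets


def in_box(t, box):
    lat_min, lat_max, lon_min, lon_max = box
    return lat_min <= t["lat"] <= lat_max and lon_min <= t["lon"] <= lon_max


def uniformity_chi2(tweets, box, grid=4):
    """Chi-square statistic of tweet counts over a grid x grid partition of
    the box. Uniformly scattered points score close to grid*grid - 1;
    population-shaped data piles into a few cells and scores far higher."""
    lat_min, lat_max, lon_min, lon_max = box
    inside = [t for t in tweets if in_box(t, box)]
    if not inside:
        return 0.0
    counts = Counter()
    for t in inside:
        row = min(int((t["lat"] - lat_min) / (lat_max - lat_min) * grid), grid - 1)
        col = min(int((t["lon"] - lon_min) / (lon_max - lon_min) * grid), grid - 1)
        counts[(row, col)] += 1
    expected = len(inside) / (grid * grid)
    return sum((counts[(r, c)] - expected) ** 2 / expected
               for r in range(grid) for c in range(grid))


def source_fraction(tweets, source="Windows Phone"):
    """Share of tweets reporting the given client; the article puts the
    normal rate for 'Windows Phone' below 0.1%."""
    return sum(1 for t in tweets if t["source"] == source) / len(tweets)


def box_split(tweets, box_a, box_b):
    """Share of in-box tweets that fall in box_a (the paper saw exactly 50%)."""
    a = sum(1 for t in tweets if in_box(t, box_a))
    b = sum(1 for t in tweets if in_box(t, box_b))
    return a / (a + b) if a + b else 0.0


def looks_like_botnet(tweets, boxes=(NA_BOX, EU_BOX), grid=4, source_floor=0.05):
    """Combine the three signals: near-uniform spread inside each rectangle,
    an even split between the rectangles, and an unusually common rare client."""
    max_chi2 = 3 * grid * grid           # generous bound for a uniform sample
    uniform = all(uniformity_chi2(tweets, b, grid) < max_chi2 for b in boxes)
    even = abs(box_split(tweets, boxes[0], boxes[1]) - 0.5) < 0.05
    rare_source = source_fraction(tweets) > source_floor
    return uniform and even and rare_source
```

The even split alone proves little (a human sample can be balanced by chance), which is why the heuristic requires all three signals together.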
It also compared a typical Android smartphone to rivals Apple and Microsoft.
According to Google, 39 out of 39 pre-installed apps are from Apple on iPhone 7, and 39 out of 47 pre-installed apps on the Microsoft Lumia 550 are from Microsoft. In a blog post on Thursday, Google general counsel Kent Walker said: "The response we filed today shows how the Android ecosystem carefully balances the interests of users, developers, hardware makers, and mobile network operators.
Android hasn’t hurt competition, it’s expanded it." The 100-plus page response to the commission focuses on metrics in an attempt to add weight to the claim that it hasn't abused any competitive advantage. Walker said: The commission’s case is based on the idea that Android doesn’t compete with Apple’s iOS. We don’t see it that way.
In fact, 89 percent of respondents to the commission’s own market survey confirmed that Android and Apple compete.
To ignore competition with Apple is to miss the defining feature of today’s competitive smartphone landscape. Walker claimed that possible remedies to resolve the case could create fragmentation in the mobile ecosystem. "The commission’s preliminary findings underestimate the importance of developers," he said. Walker continued: The commission argues that we shouldn’t offer some Google apps as part of a suite. No manufacturer is obliged to preload any Google apps on an Android phone.
But we do offer manufacturers a suite of apps so that when you buy a new phone, you can access a familiar set of basic services.
Android’s competitors, including Apple’s iPhone and Microsoft’s Windows phone, not only do the same, but they allow much less choice. Vestager can fine the search behemoth up to 10 percent of its global turnover—around $7.4 billion (£5.9 billion)—if she finds Google guilty of wrongdoing. Google is currently appealing against a similar case in Russia after authorities fined the company approximately 438 million rubles ($6.8 million, £5.25 million) in an almost identical Android antitrust case earlier this year. Yandex, Russia's biggest search engine and the main complainant in that case, is also one of four complainants in the EU case.
Google rivals Microsoft, Nokia, and Oracle—under the Fairsearch umbrella organisation—lodged the first complaint against Android in 2013. Fairsearch said in a statement to Ars: Google says there's no problem because Android is 'open.' The truth is that Android is today a closed operating system, and any claim to the contrary is disingenuous.
Any manufacturer or network operator seeking to differentiate its devices or services is prevented from doing so by the web of Google's contractual restrictions. Google imposes severe sanctions on those who defy its insistence on conformity.
For example, a phone maker that offers even a few phones that do not comply with Google's straitjacket faces a cut-off from all of Google’s branded products. US ad-blocking firm Disconnect and Aptoide, a rival Portuguese Android app store, have also complained. None had responded to requests for comment from Ars at time of publication. Google separately faces antitrust charges on favouring its own search services and price comparison offerings over those of its rivals and for allegedly breaching competition rules with its mammoth ad business. Last week, Google rebuffed both of those charges. This post originated on Ars Technica UK
You've heard the saying, "If it ain't broke, don't fix it." Certainly if your password manager is doing everything it should, you don't necessarily need it to change.
But sooner or later the interface starts to look dated, and the competition comes up with new features.
Accordingly, the free LastPass 4.0 has a bold new online interface, and its new features include a Sharing Center to manage shared passwords and Emergency Access to hand down your passwords to your heirs.
These new features put the free LastPass ahead of even many of its for-pay competitors.
You can use many commercial password managers for free if you accept substantial limitations.
Some, like RoboForm Everywhere 7, limit you to 10-15 passwords before you must pay. Others, like Dashlane 3, are free as long as you stick to one device, no syncing. With such stringent restrictions, these aren't really free products.
When initially released, the free edition of LastPass only let you sync across devices of the same type. You could use it with multiple desktops (Windows, Mac, or Linux), multiple smartphones (Android, iOS, Windows Phone, or BlackBerry), or multiple tablets (Android, iOS, or Windows).
That limitation has been lifted. You can now sync passwords across all your devices, just as you can with LastPass Premium.
Getting Started With LastPass
Setting up a LastPass account is simple.
Start by downloading and installing the free app. You'll be prompted to either sign in to an existing account or sign up for a new one.
As always, you should create a strong password, something that you can remember but that nobody else would guess.
You can add a password hint, but that may not be the best idea.
In June of 2015, hackers apparently stole some data from the LastPass servers.
Thankfully, LastPass's impressive security measures meant that no actual passwords, master or otherwise, were exposed. Just to be super-safe, the company notified all users to change their master passwords.
The one thing that hackers might have obtained? Password hints.
If you must use a master password hint, make it something cryptic, something only you will understand.
And enable multifactor authentication, as explained below.
Note that nobody at LastPass has access to your data, not without that master password.
In the past, if you forgot your master password and the hint didn't jog your memory, you had no recourse but to start over. Now when you install LastPass on a new device, you get the option to have it save a one-time password for account recovery.
The recovery process requires access to your email account and to the device, so this isn't too much of a security risk.
Even so, I'd be inclined to stick with the master password.
During installation, LastPass offers to slurp up passwords stored insecurely in your browsers.
It also deletes the passwords from unsafe storage and turns off the browser's password capture.
In addition, you can import data from several dozen competing password managers.
Once the LastPass extension is installed in your browsers, you know the drill. Log in to your secure sites as always, and let LastPass save your credentials. You can assign a friendly name for the site at capture time, and add it to a new or existing folder. LastPass itself suggests folders for well-known sites.
Sometimes you'll run across a website that uses a weird login page, something that LastPass doesn't capture automatically. Like RoboForm and Sticky Password Premium, LastPass can handle these. Just enter your credentials and then, before logging in, select Save All Entered Data from the browser toolbar menu.
Clicking the LastPass toolbar button in your browser brings up a menu that includes a menu of all your saved sites.
Each folder becomes a submenu, and you can have nested folders.
The menu of saved logins is a common feature, but LastPass and Sticky Password are among the few that allow nesting.
When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password.
By default, the password generator creates 12-character passwords using at least one digit and a mix of capital and small letters. You can crank up the length and include punctuation to get even stronger passwords. On the flip side, if you need to remember the password and can accept a security hit, the Make Pronounceable option gives you passwords like ogypropoitio or morefesticku.
When you do sign up for a new account, LastPass captures your credentials, and it offers to update its saved password when you make a change.
This works whether or not you accept the aid of the password generator.
I wish this component had gotten just a little enhancement in the move to version 4.0.
True Key by Intel Security defaults to generating 16-character passwords using all possible character types. Most users won't bother to change the defaults, so they'll get less-secure passwords from LastPass.
With the move to version 4.0, the online LastPass Vault got a significant makeover. From the vault, you can view, edit, and organize all of your saved logins. You now have the option to see them displayed in a grid of tiles, much the way Dashlane 3 does. LastPass's tiles are rather large; the new ability to collapse the left-hand menu makes more room for them.
A new multi-purpose Add button lets you add a new folder, secure note, or site, or share an existing item with other users (more about sharing later).
In addition, you can now select multiple items at once and perform bulk actions like moving them all to a folder, sharing them, or deleting them.
The concept of setting up a way for your heirs to inherit your passwords originated with the Digital Legacy feature in PasswordBox. PasswordBox has since been subsumed into True Key, but the concept lives on.
For example, Dashlane lets you set up any number of emergency contacts to receive all or some of your passwords. With the free LogMeOnce Password Management Suite Premium, you can define one heir for your entire collection and five for individual logons.
Emergency Access in LastPass works almost exactly the same as the similar feature in Dashlane. You enter your recipient's email address and define a waiting period. Recipients must install LastPass, if they haven't already, and accept your connection request. Now if something happens to you, the recipient simply requests access to your account.
Dashlane does let you pass along just a subset of your saved credentials—for example, you might define a co-worker as recipient of your work-specific passwords.
That's not an option in LastPass.
Here's where the waiting period comes in.
Suppose your supposedly trusted recipient decides to jump the gun and get your passwords before you've kicked the bucket.
The initial request for access triggers an email to you, and you can deny the access request at any time during the waiting period.
In a real emergency, your recipient automatically gets access after that time elapses.
Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who've made you their emergency access contact). On the People I Trust page you can delete anyone from the list, or change the waiting period. On the People Who Trust Me page, you can bow out of the emergency access role.
We normally recommend against sharing your passwords promiscuously, but there are situations that merit sharing. You and your spouse may share a bank account, for example.
If you must share, you should do it safely.
Sharing passwords with other users is a fairly common feature among password managers, though it's found more in commercial products than free ones. 1U Password Manager limits sharing to its mobile app.
Enpass Password Manager 5 sends the credentials as an encrypted data block. Users of the free LogMeOnce can share just five passwords.
That makes LastPass the most flexible free password manager as far as sharing goes. Just point to an item in the vault to reveal the new hover-style choices, click the sharing icon, and enter the recipient's email address. Recipients who already use LastPass will see a notification that a new share has arrived; others will get an email message explaining how to create an account and accept the share.
The recipient can use the shared item to log in; you choose whether or not to make the password visible.
The new Sharing Center within the online vault lets you easily manage your shared items.
As with emergency access, you can relinquish access to credentials that others have shared with you, or cut off others with whom you've shared passwords.
There's also a tab for managing shared folders. However, if you try to make use of it you'll quickly learn that folder sharing is a Premium-only feature.
Filling Web Forms
When you've got a product that can automatically fill in login credentials, it's just a short step to making it fill personal data into Web forms. However, not many free password managers include this feature. LastPass and LogMeOnce are among the few, along with Symantec Norton Identity Safe.
You can define any number of full identity profiles in LastPass, each of them including a variety of personal and contact information along with one credit card and one bank account.
Those with a certain level of Web-design expertise can define custom fields, meaning that when LastPass encounters a field with a specific internal name, it will fill that field with the selected data.
RoboForm lets you create multiple instances of any form-fill field, and Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately. LastPass's one gesture to the need for multiple fields is the ability to create profiles containing nothing but a credit card. When you go to fill a Web form, you can choose to use a personal data profile or to choose personal data and credit card separately.
In the vault, LastPass represents each profile by analyzing the associated credit card number.
It correctly distinguished the MasterCard, VISA, and American Express numbers I tried.
Dashlane takes this concept a step beyond.
It lets you identify each card with a color and bank logo, and displays replicas of the cards for selection when you're filling a form.
To fill a form using LastPass, you need to find the little icon it adds to one of the fields.
Click that icon, select a profile, and boom! Form filled.
In testing, it proved more accurate than most.
It doesn't matter how complex your master password is if a thief gets ahold of it.
From anywhere in the world, the thief can log in as you. LastPass does require email verification the first time you log in from a new device, which might help.
But you can seriously enhance your security by taking advantage of the available multifactor authentication options.
To set up multifactor authentication, you open LastPass's Account Settings dialog, which looks much the same as it did in version 3.0.
In the free edition, LastPass supports Google Authenticator as well as such work-alikes as Duo Mobile and Twilio Authy. Linking your account is just a matter of snapping a QR code using your mobile device.
Thereafter, each time you log in you'll need a one-time code generated by the app as well as your master password.
The free edition also supports authentication via the Toopher and Transakt apps.
These work more simply than Google Authenticator.
Instead of copying a one-time code, you simply accept or reject the connection attempt using your smartphone.
Those without a smartphone can print a wallet-sized authentication grid.
To authenticate, LastPass asks you to enter characters found at specific coordinates on the grid.
Two-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, all you need is the master password.
In a similar vein, if you enable mobile device restriction, no login from a mobile device will be accepted if it's not one of your own mobile devices.
Getting all of your passwords safely stored with LastPass is a good first step, but it's not enough. Now you need to go through those passwords and fix the weak ones, and the ones you've recycled for use on multiple websites.
That's where the Security Challenge comes in.
Click the security challenge icon, re-enter your master password, and get ready to see how good (or bad) your passwords are.
Do note that to get the full advantage of the security challenge, including automated password changing, you must launch it from Chrome.
As part of the analysis, LastPass sifts out the email addresses found among your passwords and offers to check them against known compromised sites. Naturally if you find out that one of these addresses is associated with a breach, you should change all associated passwords immediately.
At the top of the resulting report you get an overall percentage score, your standing within the LastPass community, and a score for your master password.
The overall score is mostly based on whether your passwords are strong and unique, but it includes other factors as well.
For example, you lose 10 percentage points if you haven't enabled multifactor authentication.
If you like, you can follow LastPass's prompts to fix four types of problems: compromised passwords, weak passwords, reused passwords, and old passwords. Note that "old" here is measured from the first time LastPass encountered the password.
You can also scroll down for a full list of all your passwords, along with a password strength rating for each, the time it was last changed, and a button to let you update the password.
For some common sites, LastPass displays an Auto-Change button; click it to have LastPass automatically update the password.
At present LastPass can auto-change about 80 sites, while Dashlane's similar feature supports over 500. You can also check off multiple items and update them all at once.
If the site isn't among those LastPass can handle, a Launch Site button lets you go make the change manually.
Still a Winner
Automated password updates slipstreamed into LastPass 3.0, but Emergency Access is new in version 4.0.
The updated user interface for the online vault is a welcome change, as is the handy Sharing Center.
And the breadth of features in this free password manager is amazing.
The fact that the free edition no longer limits you to syncing across devices of the same type is icing on the cake.
LastPass 4.0 remains an Editors' Choice for free password manager.
It shares that honor with LogMeOnce Password Management Suite Premium, which also packs an impressive feature set into a free product.
PCMag may earn affiliate commissions from the shopping links included on this page.
These commissions do not affect how we test, rate or review products.
Someone will inevitably make a mistake, and users are left vulnerable while the company ...
In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android. What's more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys. And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone. Microsoft's misstep was uncovered by two researchers, MY123 and Slipstream, who documented their findings here in a demoscene-themed writeup published on Tuesday.
Slip believes Microsoft will find it impossible to undo its leak.
Bring you up to speed on Secure Boot
Before we delve further, it is important to understand that up until now we've been talking about keys metaphorically: at the heart of this matter are what's called Secure Boot policies. You don't have to completely understand all the ins and outs of Secure Boot to get your head around Microsoft's cockup. However, if you want more details of how Secure Boot works, the Linux Foundation has a guide here [PDF] and Microsoft blogged a gentle introduction here. Basically, what you need to know is this: when Secure Boot is fully enabled in the firmware of a Microsoft device, it will only boot up an operating system that is cryptographically signed by Redmond.
That stops you from booting up any OS you want on your Windows RT tablet, certain Windows Phones and so on. Alongside this, there are Secure Boot policies, which are rules that are loaded and obeyed during early startup by the Windows boot manager.
These policies must also be signed by Microsoft to be accepted, and are installed on devices and machines using a Microsoft-signed tool. For debugging purposes, Microsoft created and signed a special Secure Boot policy that disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one. If you provision this magic policy, that is, if you install it into your firmware, the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system.
It will boot anything you give it provided it is cryptographically signed, even a self-signed binary – like a shim that loads a Linux kernel. The Register understands that this debug-mode policy was shipped on retail devices, and discovered by curious minds including Slip and MY123.
The policy was effectively deactivated on these products but present nonetheless. Now that golden policy has leaked onto the internet.
It is signed by Microsoft's Windows Production PCA 2011 key.
If you provision this onto your device or computer as an active policy, you'll disable Secure Boot.
The policy is universal; it is not tied to any particular architecture or device.
It works on x86 and ARM, on anything that uses the Windows boot manager.
Microsoft's response
According to the pair of researchers, they contacted Microsoft's security team around March to say they had found the debug-mode policy.
Initially, we're told, Redmond declined to follow up the find, then decided about a month later it was a security issue and paid out a bounty reward. In July, Microsoft pushed out security patch MS16-094 in an attempt to stop people unlocking their Secure Boot-sealed devices.
That added a bunch of policies, including the debug-mode policy, to a revocation list held in the firmware that's checked during startup by the Windows boot manager. That didn't fully kill off the magic policy, however.
The revocation list is checked by the boot manager after policies are loaded.
By that point in the startup sequence, it's too late. However, a Microsoft tool used to provision the policy into the firmware does check the revocation list, and thus refuses to accept the magic policy when you try to install it, so MS16-094 acts merely as a minor roadblock. This week, Microsoft issued patch MS16-100, which revokes more stuff but doesn't affect the golden policy, we're told.
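The ordering problem just described (a policy takes effect before the revocation list is consulted, so the check is only a roadblock in the installation tool) can be shown in a few lines. This is an added Python simulation, not code from the researchers or from Microsoft: signatures are stood in for with HMAC under a constructed key, and the policies are constructed stand-ins with a single flag for whether OS image signatures are verified.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's production signing key. A real boot
# manager verifies RSA signatures; HMAC keeps the demo self-contained.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(policy_body):
    return hmac.new(VENDOR_KEY, policy_body, hashlib.sha256).digest()


def policy_id(policy_body):
    """Identifier stored in the revocation list: a hash of the policy body."""
    return hashlib.sha256(policy_body).hexdigest()


def make_policy(name, verify_os_signatures):
    body = f"{name}:verify_os={int(verify_os_signatures)}".encode()
    return {"body": body, "sig": sign(body)}


PRODUCTION = make_policy("production", True)
DEBUG = make_policy("debug", False)   # the "golden" policy: turns checks off


class BootManager:
    def __init__(self, revoked_ids):
        self.revoked = set(revoked_ids)
        self.verify_os_signatures = True   # safe default before any policy loads

    def _signature_ok(self, policy):
        return hmac.compare_digest(sign(policy["body"]), policy["sig"])

    def _apply(self, policy):
        # Loading the policy changes boot state immediately.
        self.verify_os_signatures = policy["body"].endswith(b"verify_os=1")

    def boot_broken(self, policy):
        """Ordering as the article describes after the July patch: the
        policy is loaded (and takes effect) before revocation is consulted."""
        if not self._signature_ok(policy):
            return "rejected: bad signature"
        self._apply(policy)
        if policy_id(policy["body"]) in self.revoked:
            # Detected, but the state change has already happened.
            return "booted (revoked policy noticed too late)"
        return "booted"

    def boot_fixed(self, policy):
        """Revocation is checked before anything takes effect, so a revoked
        but validly signed policy never disables the OS signature check."""
        if not self._signature_ok(policy):
            return "rejected: bad signature"
        if policy_id(policy["body"]) in self.revoked:
            return "rejected: revoked policy"
        self._apply(policy)
        return "booted"

    def accepts_os_image(self, signed_by_vendor):
        """Whether an OS image would be launched: with checks disabled,
        anything (such as a self-signed shim) is accepted."""
        return signed_by_vendor or not self.verify_os_signatures
```

The point for defenders is where the check sits: a revocation list consulted only by the provisioning tool, or only after the policy is live, does not constrain what the boot manager actually enforces.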
A third patch is due to arrive next month as a follow-up. If you haven't installed the July fix yet, you can use this script to provision the unlock policy onto your ARM-powered Windows RT tablet. You must be an administrator to update the firmware.
After that, you can set about trying to boot a non-Windows OS or any other self-signed EFI binary. We're told by one brave tester that this policy installation method worked on a Windows RT tab that was not patched for MS16-094. The aforementioned script works by running a Microsoft-provided EFI binary during the next reboot that inserts the debug-mode policy into storage space on the motherboard that only the firmware and boot manager are allowed to access. If you have installed the July update, the above script will fail because the updated revocation list will be checked by Microsoft's installation tool and the magic policy will be rejected before it can be provisioned.
In about a week's time, MY123 is expected to release a package that will work around this and install the debug-mode policy on all devices, including Windows RT tablets. People are particularly keen to unlock their ARM-powered Surface fondleslabs and install a new operating system because Microsoft has all but abandoned the platform. Windows RT is essentially Windows 8.x ported to 32-bit ARMv7-compatible processors, and Microsoft has stopped developing it. Mainstream support for Surface RT tabs runs out in 2017 and Windows RT 8.1 in 2018. A policy similar to the leaked debug-mode policy can be used to unlock Windows Phone handsets, too, so alternative operating systems can be installed.
A policy provision tool for Windows Phone is already available. We expect to hear more about that soon. This Secure Boot misstep also affects Windows PCs and servers, but it's not that big a deal for them because these machines are typically unlocked anyway. You can boot your unrestricted computer into its firmware settings, and switch off Secure Boot, or delete all the keys from its database to disable it, if you really want to. You don't need any debug-mode tricks to do that. In the unlikely event you're using a locked-down Secure Boot PC and you have admin rights on the box, and you want to boot something else, all the above is going to be of interest to you.
If you're an IT admin who is relying on Secure Boot to prevent the loading of unsigned binaries and drivers – such as rootkits and bootkits – then all the above is going to worry you.
FBI and golden keys
To reiterate, these Microsoft-signed resources – the debug-mode policy and the EFI installation tool – are only meant to be used by developers debugging drivers and other low-level operating system code.
In the hands of Windows RT slab owners, whose devices are completely locked down, they become surprisingly powerful. It's akin to giving special secret keys to the police and the Feds that grant investigators full access to people's devices and computer systems.
Such backdoor keys can and most probably will fall into the wrong hands: rather than be used exclusively for fighting crime, they will be found and exploited by criminals to compromise communications and swipe sensitive personal information. Anyone who thinks government servers holding these keys are safe need only be reminded of the OPM megahack; anyone who thinks these keys cannot be extracted from software or hardware need only spend a weekend with a determined reverse-engineer and a copy of IDA Pro. The Secure Boot policies Microsoft is rushing to revoke can't be used to backdoor conversations or remotely hijack systems, but they remind us that this kind of information rarely stays secret. "This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad," Slipstream wrote, addressing the FBI in particular. "Smarter people than me have been telling this to you for so long.
It seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system.
And the golden keys got released by Microsoft's own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?" We asked Microsoft for comment, and a spokesperson was not immediately available.
If someone gets back to us, we'll update this article. ®
In order to carry out these attacks they are using SMiShing (phishing via SMS) and registering new mobile phish domains created especially for this purpose. In 2015, mobile banking usage in Brazil reached 11.2 billion transactions, an increase of 138% compared to the 4.7 billion transactions registered in 2014. Mobile banking is now the second most popular channel for accessing a bank account in the country – there are more than 33 million active accounts, according to the Brazilian Federation of Banks.
Such numbers and the possibility of cheaply sending SMS messages are very attractive to cybercriminals, who are investing their time and effort to create new attacks. Getting started doesn’t require that much money or preparation: first they need to register a domain (usually a .mobi domain), prepare a phishing page in mobile format, hire a bulk SMS service (as cheap as 2 cents per message sent, and generally paid for with a cloned credit card) and voilà! Getting the telephone numbers of the victims isn’t a problem either: huge databases of mobile numbers can easily be purchased on the Brazilian underground, or can be captured in attacks using WhatsApp as bait.
The SMiShing messages inform recipients about a credit card or a bank account that has supposedly been blocked, and always include a link: “Your data is outdated, your account may be blocked. Please update at <phish URL>” – an SMiShing message sent by phishers
Why target users of mobile banking?
Because it’s easier to hack a bank account when accessed from a mobile terminal instead of a desktop. We’ve listed some of the reasons for that below:
No protection: most smartphone users in Brazil still don’t use a dedicated AV on their phones. A survey performed by B2B International in 2015 showed only 56% of smartphone owners around the world do so.
No security plugins: unlike desktops, most banks still don’t require the installation of a security plugin on user devices, despite most banks offering dedicated access via their mobile apps. Furthermore, fake mobile banking apps from Brazilian banks have also been found in the Play Store. When a criminal decides to phish a mobile banking user, it’s more effective if the attack is compatible with any mobile browser.
Simple authentication: most Brazilian banks use very simple authentication on mobile devices, usually just asking for the account number and a six-digit password.
Common SMS usage: it’s very common for banks in Brazil to send notifications via SMS. When you buy something or withdraw money from your account, you’ll receive an SMS confirming the operation. This approach has allowed Brazilian banks to decrease the number of fraud cases, because customers are aware of any fraud involving their credit cards or bank accounts as soon as it starts. Confusing a SMiShing message with a legit SMS from your bank is very easy.
The mobile versions of these phishing banking websites open correctly in the browser, facilitating the theft of user credentials.
The phishers’ tactic is to force the user to access the website via their mobile devices, and not from a desktop.
If the victim tries to access the phishing domain using their computer, the following message is displayed: “Service unavailable for desktops, only for mobile devices”. The phishing domain only shows its full content when access is made via a mobile browser. The cybercriminals create phishing pages for several banks, in an array of colors and styles. Most of the domains used in these attacks use the .mobi TLD. We published a list of some of the domains we found here (if you’re an AV guy, block them!). It’s important to highlight one other thing: if access is made from an IP outside of Brazil, some domains will display nothing.
It’s a method used by Brazilian phishers to keep their attacks alive for as long as possible, because if you don’t see it, you won’t block the domain. Users of our products, including the Safe Browser for iOS, Windows Phone, Android and Fraud Prevention solutions are protected against mobile phishing and SMiShing attacks.