Researchers at PhishLabs have discovered a new phishing scam that targets mobile users by exploiting the narrow address bars on mobile browsers, which prevent the user from viewing the entire web address. Scammers are padding URLs with subdomains and hyphens to make them appear legitimate. The scammer creates a link that begins with the URL of a legitimate site, followed by a series of hyphens, with the link's true destination address at the end, out of the user's view. When a user visits the site, it is disguised as the legitimate website and requests the user's login credentials.

This phishing scam has mainly been spread via SMS text messages targeting Facebook users, but researchers have observed the attack against other services. Once the scammer has obtained the credentials, they can use their access to spam the victim's friends, further spreading the scam, and, if the victim reuses passwords, to log into more sensitive sites such as those for banking.

The NJCCIC recommends users remain vigilant when using mobile devices, avoid clicking on links from untrusted or unverified sources in social media or apps, and enable two-factor authentication on all online and mobile app accounts, where available. Users are also reminded to avoid reusing credentials across multiple online accounts and to consider installing a mobile anti-virus solution.
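The padding technique described above can be checked for on the defensive side by comparing the name a link's hostname starts with against the domain it actually resolves under. The following is an added example, not code from PhishLabs or the NJCCIC; the protected-domain list, the hyphen threshold, the 24-character visible width, and the sample links are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: the domains to protect, what counts as a
# padding run, and how many hostname characters a narrow address bar shows.
PROTECTED = {"facebook.com"}
HYPHEN_RUN = re.compile(r"-{3,}")
VISIBLE_CHARS = 24


def registrable_domain(host):
    """Naive last-two-labels guess; production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url):
    """Report whether a URL's hostname is padded to resemble a protected domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    real = registrable_domain(host)
    findings = []
    if real not in PROTECTED:
        for brand in sorted(PROTECTED):
            # The protected name appears as leading text, followed by more labels or hyphens.
            if re.search(r"(^|\.)" + re.escape(brand) + r"(?=[.-])", host):
                findings.append("embeds " + brand)
        if HYPHEN_RUN.search(host):
            findings.append("hyphen padding")
    return {
        "registrable": real,
        "visible": host[:VISIBLE_CHARS],
        "findings": findings,
        # A hyphen run alone is only a supporting signal; the flag needs the embedded name.
        "suspicious": any(f.startswith("embeds ") for f in findings),
    }


# Constructed sample links (not taken from the advisory); example.net stands in
# for the real destination.
SAMPLES = [
    "http://m.facebook.com----------------securelogin.example.net/sign_in.html",
    "http://facebook.com.account.example.net/",
    "https://m.facebook.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_url(link))
```

The `visible` field shows why the lure works: the part of the hostname that fits in a narrow address bar is only the legitimate-looking prefix and hyphens, while `registrable` is the domain that actually receives the credentials.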
Real world example: