A new angle on phishing

Electronic consumer banking is about to get a lot more complicated. Mobile banking – the ability to conduct transactions and account enquiries via your mobile phone using J2ME-based applications – will create another channel by which fraudsters can access bank account details.

Mophophishing is just one method we predict these scammers will use. The hacker can send the user what to all intents and purposes looks like the genuine mobile banking application. Unlike email phishing, mophophishing is very difficult to detect.

Spotting a phishing email is relatively straightforward, as the user only needs to examine the source code of an HTML email and inspect the domain name and path of any link to verify its authenticity.

However, in a transactional mobile application, this information is concealed deep within the application code itself, and unless the user decompiles this, they have no way of knowing whether they are being directed to a genuine website.

Mophophishing can be carried out in one of two ways but, in both instances, the mobile phone application is the primary method of access.

In the first scenario, a user has installed a mobile banking application on their mobile phone to allow them to administer their bank account on the move. They receive a WAP Push message (similar to an SMS) indicating an update is required.

Once accepted, the update is installed to the phone. This then overwrites the original application with a slight modification. When this connects to the server, it is routed to a different server that harvests the username and password.

To the user, the login seems to fail and the application no longer works. However, the fraudster now has the credentials to log into their account and remove funds.

Alternatively, a mophophisher could instruct a rogue server to monitor and cache all the data passed between a mobile phone and an online banking website. All data is relayed to the legitimate banking server but is 'tapped' en route. Valuable data can then be identified and used by the phisher to access the bank account. To the victim, the application works exactly as it is intended to do.

The first style of attack could be mitigated by use of a digital SSL certificate, which the user would need to accept. Alternatively, a client-side certificate could help, but this might be a problem to maintain as users change mobile phones more regularly than they change PCs.

However, if traffic from the application was being routed via a rogue server, this could issue a bogus certificate; few users know how to check the validity of SSL certificates.

With regard to the second attack method, strong encryption of the data stream would prevent the attacker identifying valuable data, yet this is often overlooked by the application developers.

For the consumer, already wary of online banking after repeated phishing scams and cross-scripting attacks, mophophishing might prove to be the final straw.

Ken Munro is managing director of SecureTest