Major smartphone brands fall to spear phishing experiment

Speaking to the Dark Reading website, Joshua Perrymon, CEO of PacketFocus, said that he sent a spoofed LinkedIn email to users in different organisations who had agreed to participate in the test and was able to get his spoofed message through 100 per cent of the time.

He claimed that he tested ten different combinations of email security appliances, services, and open-source and commercial products; four major client email products; and the three major smartphone brands – the Apple iPhone, RIM's BlackBerry and Palm's Palm Pre.

Perrymon said he sent all three smartphone vendors his research paper and details on the experiment, but he has not received a response from any of them. Dark Reading claimed at the time of writing, neither Apple, RIM nor Palm had responded to inquiries about Perrymon's findings.

He said he told Apple, RIM and Palm that even if they do not have a fix for the attack, they should at least ‘address the issue'.

Perrymon said: “What I found on the Palm and BlackBerry is [that there is] no protection to any type of phishing attacks.

“The Palm runs on Linux, so I SSH'ed into it and looked around. The email client is built in JavaScript and made to download emails from a server - POP, IMAP or Exchange. So if the hosted server doesn't pick up on the email, then the phone gets the attack delivered.”

Perrymon said that the experiment was aimed at measuring the effectiveness of email security controls in several major products and services, and demonstrated just how powerful social engineering can be and how little technology can do about it.

He told the website that the results took him by surprise, and he has contacted the various affected vendors and is working with some of them to come up with fixes to the problem.


See original article on scmagazineus.com