CAPEC-164: Mobile Phishing

Description
An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.
Severity: High

Possibility: High

Type: Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites

  • An adversary needs mobile phone numbers to initiate contact with the victim.
  • An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.
  • An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.
  • The replicated website needs to look extremely similar to the original website, and the URL used to reach it needs to look like the real URL of that business entity.
Skills required

  • Medium: Basic knowledge about websites: obtaining them, designing and implementing them, etc.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Either a mobile phone or access to a web service that can send text messages to mobile phones, plus the resources needed for a regular Phishing attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.