iPhish: Phishing Vulnerabilities on Consumer Electronics

Yuan Niu, Francis Hsu and Hao Chen.

As consumer electronic devices with embedded browsers
become popular, financial institutions and online merchants
set up websites to accommodate visitors using
these devices. These devices range from cell phones
to gaming consoles, cars, and even refrigerators. Porting
a traditional desktop1 browser to a mobile device
is more involved than resizing the display. To adapt to
the hardware limitations inherent in mobile devices, mobile
browsers often remove or replace certain features
commonly found in traditional browsers. Unfortunately,
some of these features are critical for depending against
phishing attacks. We studied browsers on three mobile
devices and discovered vulnerabilities in their input,
chrome, and URL display. We conducted a user study to
confirm our findings on the iPhone Safari browser, one of
the most popular mobile browser platforms. For each potential
vulnerability, we were able to construct a phishing
scenario to successfully fool users into giving away the
credentials for a role-played Bank of America account.
To mitigate the vulnerabilities, we propose to designate
and display URLs in a more phishing-resistant way, and
to create an anti-phishing proxy that is independent of
mobile devices or browsers.