A phishing story, aka why I need to write a mobile version of Flagfox

Over the past year or so, a few different people have requested I add Mobile Firefox support to Flagfox. My response was always the same: I’d like to, but I don’t own an Android device and can’t really afford to get the hardware I’d need to develop for mobile. I recently decided to change that by directly asking my users if they’d like to donate towards Flagfox development, including a mobile version. The response was quite encouraging. I’ve gotten a few hundred small contributions and a few larger ones. I’m not exactly rich now, but I now own a mid-range Android phone and a small tablet. I will be starting on work towards getting Flagfox working in Mobile Firefox at some point soon. If anyone would like to be notified of when I have an alpha or a beta ready for testing, follow this blog or me on Twitter.

Today, I shall tell you a story. This is not fiction; I kid you not, this happened today. I have had my new phone for about a week now. I ended up going with one locked into Verizon because I didn’t want to pay the extra $80 needed for an unlocked phone only to probably end up going with them for coverage. I could tell you another story of how many hours of being on hold and getting the run-around it took to actually get the damn thing set up and another call to get texting working, but this story here is about phishing.

Today, I got a text message. I am a new Verizon Wireless customer, and here in my inbox was a text “from” Verizon Wireless telling me to review my account payments after a recent service disruption. It’s highly unlikely that the attacker knew that I had any recent service issue, but it is an amusing coincidence. This message contained a URL to a site on a raw IP address, in the form of “http​://​255.255.​255.255/verizon​.com/​wireless/” (with a real IP address). I looked at this and laughed. If this were my mother’s new phone, her bank account could now be empty.

The part that really gets me is how trivial and perfect of a phishing scam this is. My default messaging app happily linkifies the URL. Tapping on it loads up Mobile Firefox to the URL, and after a moment of seeing the IP in the combination address bar / title bar, I’ve now got “My Verizon – Verify” listed up top. The site itself is perfect. They even have a separate mobile and desktop version, each with the correct styling. (the mobile version looks like Verizon’s app; the desktop version looks like their main site) If I hadn’t read the URL before clicking it I could have already been entering my login information. My guess is some of the people who have been sent this have entered their debit or credit card information to attempt to add money onto their account. This is the best phishing attack I’ve ever heard of, let alone seen. On desktop Firefox, however, the view is a little different. I can actually see the bogus URL, though this is still not something that most people would even notice. What I do have notably different is a big red Chinese flag staring at me. (look… I know not everything in China is a scam, but let’s face it, lots of things are) This is the moment that it occurred to me that Flagfox is really needed on mobile.

I have of course reported this to Verizon and filed a “report web forgery” form to get this into the phishing site blocker registry. I’ve also filed a Firefox bug asking for Firefox to not blindly open sites on raw IP addresses like this. This is just too easy to scam people with. I shouldn’t have to wait until Google gets around to accepting the phishing report to get a big scary warning when I attempt to visit this site.

I generally don’t consider Flagfox to be a full-fledged security tool for most people, though you can do a lot with various external actions. Sometimes, however, it can really be helpful to add an extra level of awareness of what you’re really doing online.

A mobile version of Flagfox will be on its way at some point. (don’t ask me when; I don’t know yet) It will be a little bit easier to get working now that multi-process Firefox is available for testing on desktop, so some of the work I’ve done there will be helpful for mobile. (Flagfox mostly works under Firefox in multi-process mode, but some advanced actions don’t work yet) If anyone would like to be notified of when I have an early alpha or beta ready for people to test, follow this blog or my Twitter account.

At some point in the future I may look into some new way of autodetecting phishing sites based on blatantly wrong IP addresses. That sounds like a complicated thing to do reliably, however, so at the moment it’s only an idea.
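
The URL shape in the story (a raw IP address as the host, with a brand's domain name sitting in the path) can be checked mechanically before a link is opened. The following is an added example, not Flagfox code and not part of the original post; the function names, the file-extension list and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not Flagfox code. Sample URLs are constructed and use
// 192.0.2.0/24 and 2001:db8::/32, which are reserved for documentation.

// Assumption: a short, non-exhaustive list so "index.html" is not read as a domain.
const FILE_EXTENSIONS = new Set(["html", "htm", "php", "asp", "aspx", "jsp",
  "js", "css", "png", "jpg", "gif", "txt", "xml", "json"]);
const DOMAIN_LIKE = /^(?:[a-z0-9-]+\.)+([a-z]{2,})$/i;
const IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// The WHATWG URL parser rewrites integer, hex and octal IPv4 hosts to
// dotted-quad and keeps IPv6 hosts in brackets, so two checks cover them.
function isIpLiteralHost(hostname) {
  return IPV4.test(hostname) || hostname.startsWith("[");
}

// Return path segments that look like a hostname, e.g. "verizon.com".
function embeddedDomains(pathname) {
  const found = [];
  for (const segment of pathname.split("/")) {
    let text = segment;
    try { text = decodeURIComponent(segment); } catch { /* keep raw segment */ }
    const match = DOMAIN_LIKE.exec(text);
    if (match && !FILE_EXTENSIONS.has(match[1].toLowerCase())) {
      found.push(text.toLowerCase());
    }
  }
  return found;
}

function assessUrl(raw) {
  const result = { parsed: false, ipHost: false, domains: [], suspicious: false };
  let url;
  try { url = new URL(raw); } catch { return result; }
  result.parsed = true;
  if (url.protocol !== "http:" && url.protocol !== "https:") return result;
  result.ipHost = isIpLiteralHost(url.hostname);
  result.domains = embeddedDomains(url.pathname);
  // Flag only the combination: bare IP hosts alone are common (routers, dev boxes).
  result.suspicious = result.ipHost && result.domains.length > 0;
  return result;
}
```

A router admin page such as `http://192.168.1.1/index.html` is not flagged, because only the combination of an IP-literal host and a domain-like path segment counts.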