One of the most persistent security issues for mobile and web users is phishing - that’s when thieves try to fool you into giving away your personal data. Fake links can be used to persuade you to part with credit card details, PIN numbers and passwords. Sometimes, thieves are even more brazen, simply asking for your information out right.
Phishing attacks are usually easy to spot. By looking at the originating email address one can often spot there’s something wrong. Reputable companies don’t use cloud addresses, for example. Which means you shouldn’t get a message from your bank without the official bank email address having been used.
Sometimes, the email itself looks questionable, but the email address could appear legitimate. It may originate from a domain with the bona fide company name used somewhere in the address. Or the email may appear to come from the company itself. This is called “spoofing”, a practice where the originating address of an email message is faked.
Email spoofing has been around for a long time. Spoofers simply change the email address in the “From” field so that, with a cursory look, a message might appear to originate from somewhere else. Though some email clients flag this up, not all do - and most mail servers don’t stop this behaviour.
It’s fairly easy to spot if you suspect an email isn’t quite as it seems. If you look at the full header of a message, you should see the real origination point in the “Received” section.
In the smartphone age, email spoofing isn’t the only thing we need to look out for. There is also a rise in SMS or text message spoofing. Like emails, text messages are sent with extra information called a “header” that tells the network where to deliver the message, where it came from and where to send the reply to. It’s this “Sender ID” field that can be most vulnerable as some services treat it as the origin point.
Spoofed SMS messages can, in turn, exploit vulnerabilities in any service that allows you to send updates to it via text message. For example, Twitter recently updated SMS authentication in response to this discovery, but some users may still be vulnerable. If your Twitter account has SMS enabled you should check your user settings and make sure you have the PIN code setting enabled - or that you disable SMS services with Twitter altogether.
In a survey last year, Symantec discovered that the Google Play store contained around 200 applications capable of spoofing SMS headers, with millions of combined downloads. Once spotted, the malicious apps are added to the Norton Mobile Security database - so some protection can be achieved by making sure you’ve installed it. But it pays to remain vigilant.
By Richard Clooke on August 01, 2013