iPhish: Phishing Vulnerabilities on Consumer Electronics

As consumer electronic devices with embedded browsers become popular, financial institutions and online merchants set up websites to accommodate visitors using these devices. These devices range from cell phones to gaming consoles, cars, and even refrigerators. Porting a traditional desktop1 browser to a mobile device is more involved than resizing the display. To adapt to the hardware limitations inherent in mobile devices, mobile browsers often remove or replace certain features commonly found in traditional browsers. Unfortunately, some of these features are critical for depending against phishing attacks. We studied browsers on three mobile devices and discovered vulnerabilities in their input, chrome, and URL display. We conducted a user study to confirm our findings on the iPhone Safari browser, one of the most popular mobile browser platforms. For each potential vulnerability, we were able to construct a phishing scenario to successfully fool users into giving away the credentials for a role-played Bank of America account. To mitigate the vulnerabilities, we propose to designate and display URLs in a more phishing-resistant way, and to create an anti-phishing proxy that is independent of mobile devices or browsers.