Network Security
iPhone, BlackBerry, Palm Pre All Vulnerable To Spear-Phishing Experiment
- From: Howell, Paul
- Date: Fri Oct 30 11:51:16 2009
At URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=221100150
Phony LinkedIn invitation from 'Bill Gates' lands in smartphone inboxes
By Kelly Jackson Higgins, DarkReading
Oct. 28, 2009
Three of the most popular smartphones -- iPhone, BlackBerry, and Palm
Pre -- fell victim to a recent spear-phishing experiment that sent users
a phony LinkedIn invitation from "Bill Gates," according to the security
expert who conducted the research.
The experiment, which was aimed at measuring the effectiveness of email
security controls in several major products and services, demonstrated
just how powerful social engineering can be and how little technology
can do about it. Joshua Perrymon, CEO of PacketFocus, sent a spoofed
LinkedIn email to users in different organizations who had agreed to
participate in the test; he was able to get his spoofed message through
100 percent of the time. He tested 10 different combinations of email
security appliances, services, and open-source and commercial products;
four major client email products; and the three major smartphone brands.
The results took Perrymon by surprise; he has contacted the various
affected vendors and is working with some of them to come up with
"fixes," or solutions, to the problem. He announced today that Apple's
iPhone, RIM's BlackBerry, and Palm's Palm Pre all failed the experiment,
delivering the phony LinkedIn messages to users' inboxes. Perrymon says
he sent all three smartphone vendors his research paper and details on
the experiment, but he has not received a response from any of them.
Next week, Perrymon plans to name the email appliances that failed the
test, and the following week the email services that missed the phishing
message.
At the time of this posting, neither Apple, RIM, nor Palm had responded
to inquiries about Perrymon's findings.
Perrymon says he worked with iPhone users who agreed to participate in
his experiment, and he tested his own BlackBerry and Palm Pre phones.
"What I found on the Palm and BlackBerry is [that there is] no
protection to any type of phishing attacks," he says. "The Palm runs on
Linux, so I SSH'ed into it and looked around. The email client is built
in JavaScript and made to download emails from a server -- POP, IMAP, or
Exchange. So if the hosted server doesn't pick up on the email, then the
phone gets the attack delivered."
And it's harder to spot a real attack on the smartphones because you
can't see the detailed email headers, he says.
Each of the smartphones' browsers also let users click on the attack, so
Perrymon says the issue is both in the phones' email clients and browser
software. "I'm working on client-side exploits on the phones, but not
ready to release anything yet on that," he says.
Perrymon, who performs spear-phishing assessments for clients, used his
own phishing framework tool, called User Attack Framework (UAF), in the
experiment. UAF automated the experimental attack and let him track its
success. It also captured information about the "victim" after he or she
clicked on the "invite" and was directed to the phishing site, including
his or her IP address, user ID, location, browser, and operating system.
The trouble with socially engineered, targeted attacks is that there's
no real "patch" to protect products and users from falling for them.
Email authentication technologies like PGP are not widely adopted, and
it's difficult for vendors to spot spoofed email messages, experts say.
Meanwhile, Perrymon says he told Apple, RIM, and Palm that even if they
don't have a fix for the attack, they should at least "address the
issue."
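The point Perrymon makes about the phones is that their mail clients hide exactly the headers a desktop user would check before clicking. The script below is an added illustration of that check, not PacketFocus's UAF, the article's test message, or any vendor's filter: it parses a raw message and reports the usual tells of a spoofed "invitation" (a failing SPF/DKIM result recorded by the receiving MX, a Return-Path or Reply-To domain that does not align with the From domain, and an "Accept" link pointing outside the claimed sender's domain). Both messages are constructed for the example; the real test message's headers were not published, so the domains, IP and addresses here are placeholders, not data from the experiment.

```python
# Added example: surface the headers a smartphone mail client does not show
# and flag the common signs of a spoofed invitation. Illustrative code only;
# not the experiment's tooling. Both messages are constructed for this example.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed spoof: the display name and From address claim one sender,
# while the envelope, Reply-To, authentication results and link say otherwise.
SPOOFED_RAW = """\
Return-Path: <bounce@example-phish.test>
Received: from mail.example-phish.test (mail.example-phish.test [203.0.113.10])
\tby mx.example.org with ESMTP id ABC123
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example-phish.test;
\tdkim=none
From: Bill Gates via LinkedIn <invitations@linkedin.com>
Reply-To: Bill Gates <bill@example-phish.test>
To: victim@example.org
Subject: Bill Gates has invited you to connect on LinkedIn
Content-Type: text/html

<html><body><a href="http://example-phish.test/invite?id=42">Accept</a></body></html>
"""

# Constructed control: same display name, but every domain lines up and the
# receiving MX recorded passing SPF and DKIM results.
ALIGNED_RAW = """\
Return-Path: <bounce@linkedin.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=linkedin.com;
\tdkim=pass header.d=linkedin.com
From: Bill Gates via LinkedIn <invitations@linkedin.com>
To: victim@example.org
Subject: Bill Gates has invited you to connect on LinkedIn
Content-Type: text/html

<html><body><a href="https://www.linkedin.com/e/inv/42">Accept</a></body></html>
"""


def domain_of(header_value):
    """Return the lower-cased domain part of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def inspect_headers(raw):
    """Return a list of human-readable findings; an empty list means aligned."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(str(msg["From"] or ""))

    # 1. Authentication results stamped by the receiving MX (SPF/DKIM/DMARC).
    auth = str(msg["Authentication-Results"] or "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()}")

    # 2. Envelope sender (Return-Path) vs. header From alignment.
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")

    # 3. Reply-To steering answers away from the claimed sender.
    rt_dom = domain_of(str(msg["Reply-To"] or ""))
    if rt_dom and rt_dom != from_dom:
        findings.append(f"reply-to domain {rt_dom} != from domain {from_dom}")

    # 4. Where the "Accept" link really goes (exact domain or a subdomain of it).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for url in re.findall(r'href="([^"]+)"', html):
        host = (urlparse(url).hostname or "").lower()
        if host and host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link host {host} outside from domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("aligned", ALIGNED_RAW)):
        print(label, inspect_headers(raw) or ["no findings"])
```

None of these checks needs the message to be signed: the first reads what the receiving server already wrote into Authentication-Results, and the other three compare fields that any client that shows full headers exposes. A client that shows only the display name, as the phones in the experiment did, hides all four.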