The latest trend to watch for is phishing attacks that target mobile users with fake URLs containing an inordinate number of dashes. Here’s an example: hxxp://m.facebook.com—————-validate—-step1.rickytaylk[dot]com/sign_in.html
At first glance, and especially when these URLs are viewed from a PC, one might wonder how anyone could assume these are legitimate web addresses, but the hackers are actually being quite cunning here.
The ruse is obvious when viewed from a PC web browser, but mobile devices have extremely narrow windows, and can’t display nearly as much information. That’s what the dashes are for. They ensure that the mobile user will see the first part of the URL, which appears legitimate, while the dashes obscure the rest of it, which would be a dead giveaway.
It’s true that at least some of the dashes are visible, and to an attentive user, this will throw up an immediate red flag. It’s also true that it’s possible for mobile users to view the entire URL and check it manually, but in practice, almost no one does this, which is why this new attack vector has been so devastatingly effective against mobile users, who are the intended target.
So far, this type of attack has been directed primarily at Facebook, but any URL can be spoofed in this manner, and once the hacker has his victim on the dummy website, all manner of malware can be thrown at the device in question to infect it.
In a world already awash in threats to be on the lookout for, this gives you yet another reason to be concerned.
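The manual check described above, reading the whole hostname rather than its first few characters, can be automated at a mail gateway or web proxy. As an added example (not from the original article), this Python function flags hostnames where a watched brand domain appears in the part a narrow address bar would show, the registrable domain is something else, and a long run of hyphens sits in between. The brand list, the 24-character visible width, the hyphen threshold, the last-two-labels domain guess and the `example.net` sample URL are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BRANDS = ("facebook.com", "paypal.com")  # assumption: brand domains to watch for
VISIBLE_CHARS = 24   # assumption: host characters a narrow mobile address bar shows
MAX_DASH_RUN = 3     # assumption: longer hyphen runs in a hostname count as padding

# Constructed sample in the style of the article's URL, on a reserved example domain.
SAMPLE = ("http://m.facebook.com" + "-" * 10 + "validate" + "-" * 4
          + "step1.example.net/sign_in.html")

def registrable_domain(host):
    """Naive last-two-labels guess; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def check_url(url):
    """Report what a mobile user would see versus where the URL really points."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    visible = host[:VISIBLE_CHARS]
    dash_run = max((len(run) for run in re.findall(r"-+", host)), default=0)
    # A brand domain shows up (on a label boundary) in the visible prefix,
    # but the hostname is actually registered under a different domain.
    spoofed = next((b for b in BRANDS
                    if f".{b}" in f".{visible}" and reg != b), None)
    return {
        "host": host,
        "visible_prefix": visible,
        "registrable_domain": reg,
        "longest_dash_run": dash_run,
        "impersonates": spoofed,
        "suspicious": spoofed is not None and dash_run > MAX_DASH_RUN,
    }

if __name__ == "__main__":
    for url in (SAMPLE, "https://m.facebook.com/login", "https://my-blog.example.org/"):
        r = check_url(url)
        print(f"{r['suspicious']!s:5} seen={r['visible_prefix']!r} "
              f"real={r['registrable_domain']!r} dashes={r['longest_dash_run']}")
```
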