New mobile phishing threat

Next story
Olivia Storey


As the mobile phone market has grown, and Smart phones are in the pockets of most people nowadays, it’s not surprising that hackers are targeting mobile devices more than ever.

Since the birth of the Smart phone and other portable devices, we have quickly become glued to them, and revel in the ease of access to absolutely anything at our fingertips. Need your emails, a food shop or to share your holiday snaps, there is an app available instantly.

Cyber criminals are getting better at hiding the scams and malware, trying to make them look as legitimate as possible.

The latest phishing threat is a ‘URL padding’ technique. Hackers have identified a new way to create believable looking URLs, focussing solely on the mobile market.

Instead of creating a website to imitate a real website, they have started to include real domains within a larger URL, ‘padding’ it out with hyphens to obscure the real destination.

An example of this would be:


Although it does not look terribly convincing, but it starts with the genuine path for Facebook mobile, and when viewed in a mobile browser, only the legitimate part of the URL is seen.

Mark James, ESET IT Security Specialist, discusses how we can be more vigilant on security for our mobile devices.

“Sadly, we still don’t use the same level of scrutiny and caution on our mobile devices that we do on our desktop machines.

“We are used to Operating System and application updates, internet security software and embedded security in our email clients, but on our mobile devices we often don’t have that level of protection.

“On top of that we don’t always see the dangers in clicking links or visiting web pages that we do on the PC.

“Mobiles are without doubt becoming the device of choice.

“Everyone from the young to the old are embracing mobile technology and the freedom it gives, but of course the bad guys are not stupid.

“They know this uptake is a great opportunity to con the unsuspecting public.

“Because of the smaller screens we have on these devices, we need to be extra vigilant.

“For some reason we still think that clicking a link on our mobiles is safer than doing it on our home computer, the problem is it’s not!

“In a lot of cases it’s actually worse. Often our mobile devices have many different apps that are pre logged in for ease and speed.

“We may be fooled into thinking the link is legit just because we recognise the first few characters, or see a name we trust, but we have to check the whole thing.

“As with most cases like this, awareness can be a strong security measure.

“Some people may not be aware that this type of scam exists, so making the public aware is the first step towards protecting ourselves.

“Always be very cautious when opening any links or visiting web pages while on your mobile device, sometimes rotating your device from portrait to landscape may give you more information.

“If you don’t have rotation lock enabled that could give you the heads up, try the same as you would  with your desktop machine, and try typing the website name directly especially if finances are involved.

Don’t be afraid to contact your bank if you think you have been a victim.

“When it comes to scams and identity theft, sooner is much better than later and can be the difference between a successful or failed attempt at stealing your finances.


Have you seen URL padding used before? Let us know on Twitter @ESETUK.


Join the ESET UK LinkedIn Group and stay up to date with the blog. If you are interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.