In 2011 IBM gained access to the log files of several Web servers that were hosting websites conducting phishing attacks. Analyzing these log files was an interesting exercise. Specifically, they provided visibility into how many users accessed the websites, when they visited them, whether they submitted their login information and what devices they used to access the website. Here are some of the findings from these logs:

1. Mobile Users Are the First to Arrive

As soon as a phishing website is broadcast through fraudulent email messages, the first systems to visit it are typically mobile devices. This makes sense since mobile users are “always on” and are most likely to read email messages as soon as they arrive. Meanwhile, desktop users only read messages when they have access to their computers. Also, most fraudulent emails call for immediate action. For example, they usually claim that suspicious activity has been detected in the user’s account and that immediate action is required. Most victims who fall for this ploy will visit the phishing site quickly.

The first couple of hours in a phishing attack are critical. After that, many attacks are blocked by phishing filters or taken down. Hence, mobile users are more likely to be hit by phishing just because they’re “always on.”

Here are some mobile user-agent fields spotted in the log files:


Mobile Safari: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7


Mobile Safari: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10


Mobile Safari: Mozilla/5.0 (Linux; U; Android 2.2; en-gb; HTC_Desire-orange-LS Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1


BlackBerry Browser: BlackBerry8520/ Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/123 Mobile Safari: Mozilla/5.0 (BlackBerry; U; BlackBerry 9780; en-GB) AppleWebKit/534.1+ (KHTML, like Gecko) Version/ Mobile Safari/534.1+


Symbian Browser: Mozilla/5.0 (SymbianOS/9.3; Series60/3.2 NokiaE72-1/031.023; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/

2. Mobile Users Accessing Phishing Websites Are Three Times More Likely to Submit Their Login Info than Desktop Users

Most users who are at risk of phishing attacks through a dangerous website do not submit their personal information. Some submit fake information. However, compared with desktop users, mobile users are three times more likely to submit private information once they access a phishing website. Why do mobile users trust phishing websites more? One explanation could be that it’s harder to spot a phishing website on a mobile device than on a computer. As a research experiment, IBM analysts compared the user experience of accessing a phishing website on a BlackBerry and an iPhone. Here’s what they found:


It’s very difficult to tell whether an email is associated with fraudulent activities since the “From” field doesn’t include the sender’s address; rather, it includes the name of the sender (such as ACME Bank). Some users could interpret that the device trusts the sender more because it just shows the name and not the full address. Although email addresses can be spoofed, certain users will not click through the link in the message if the entire address is visible and appears “phishy.”

In HTML mail (the most common format for fraudulent messages), when a link is embedded as a href, hovering over the link will not reveal the actual address. When the user clicks on the link, the BlackBerry device presents the following message: “Continue to” with the real address appended. Due to the limited screen size, if the URL is long enough and well-crafted (e.g., it starts with www.acmebank,com.vdgrtgrt…), it is hard to detect that the URL is not legitimate.

Once the BlackBerry switches to the browser and starts loading the phishing website, the top bar shows the website name created by the fraudster (e.g., Welcome to ACME Bank) and the real address is not presented. If the phishing website is a good clone of the authentic bank’s website (and most are), there is no easy way of determining that the website is fraudulent.


The experience on this device is similar to the BlackBerry until the user clicks on a link. iPhone devices don’t ask the user if they want to open the URL; they automatically load the page. Unlike the BlackBerry, the iPhone does have an address bar, but due to size limitations, only the beginning of the URL is shown. Here, again, if the URL is well-crafted (e.g., www.acmebank,com.vdgrtgrt…), it’s hard to detect that the URL is not legitimate.

Based on IBM’s findings, it is equally difficult to spot phishing websites on BlackBerry and iPhone devices.

Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques

3. Eight Times More iPhone Users Fell Victim to Phishing Attacks Than BlackBerry Users

According to Comscore’s October 2010 U.S. Mobile Subscriber Market Share, BlackBerry devices (RIM) are still the market-share leader in the U.S. with almost 36 percent, compared to iPhones (Apple) with 26 percent. Then why are more iPhone users accessing phishing websites? One explanation could be that BlackBerry users, many of whom are issued their device by a business, are more educated about phishing attacks and thus less likely to click these links; and they may also have better protection on their mail servers. Although no data is available to validate this theory, this is a very plausible reason for these findings, assuming the iPhone is in fact more commonly used in the private sector. Also, the message that BlackBerry devices present when a user clicks on the link in a phishing email may discourage a certain percentage of victims from proceeding to the phishing website.

Another possibility is that the Comscore market share numbers are inaccurate, and the iPhone has a greater market share than currently documented.


Mobile users: Never click on links in email messages since it is difficult to determine who sent the message, what the destination address is and what consequences may occur (phishing attacks, malware, scam, etc.).

Banks: When customers access Web applications using a mobile device, present them with a noticeable welcome message that reminds them to:

  • Never click on links in email messages or on the Web that claim to take them to the bank’s website;
  • Always type the bank’s address in their browser;
  • Download a secure mobile browser (IBM Security Trusteer offers one) that can protect them against mobile threats.

More from Endpoint

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…