Home > CAPEC List > CAPEC-164: Mobile Phishing (Version 3.4)  

CAPEC-164: Mobile Phishing

Attack Pattern ID: 164
Abstraction: Detailed
Status: Stable
Presentation Filter:
+ Description
An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.
+ Alternate Terms

Term: Smishing

Term: MobPhishing

+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.98Phishing
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

    Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
    Optionally obtain a legitimate SSL certificate for the new domain name.
  2. Explore legitimate website and create duplicate: An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look and feel, but contain completely new content.
  1. Convince user to enter sensitive information on adversary's site.: An adversary sends a text message to the victim that has a call-to-action, in order to persuade the user into clicking the included link (which then takes the victim to the adversary's website) and logging in. The key is to get the victim to believe that the text message originates from a legitimate entity with which the victim does business and that the website pointed to by the URL in the text message is the legitimate website. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.

    Send the user a message from a spoofed legitimate-looking mobile number that asks the user to click on the included link.
  2. Use stolen credentials to log into legitimate site: Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.

    Log in to the legitimate site using another user's supplied credentials
+ Prerequisites
An adversary needs mobile phone numbers to initiate contact with the victim.
An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.
An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.
The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.
+ Skills Required
[Level: Medium]
Basic knowledge about websites: obtaining them, designing and implementing them, etc.
+ Resources Required
Either mobile phone or access to a web resource that allows text messages to be sent to mobile phones. Resources needed for regular Phishing attack.
+ Indicators
You receive a text message from an entity that you are not even a customer of prompting you to log into your account.
You receive any text message that provides you with a link that takes you to a website which requires you to enter your credentials.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Access Control
Gain Privileges
Read Data
Modify Data
+ Mitigations
Do not follow any links that you receive within text messages and do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. Safe practices also include leveraging the entity's mobile application or directly typing the entity's URL in the browser and only then logging in. Never reply to any text messages that ask you to provide sensitive information of any kind.
+ Example Instances
The target receives a text message stating that their Apple ID has been disabled due to suspicious activity and that they need to click on the link included in the message to log into their Apple account in order to enable it. The link in the text message looks legitimate and once the link is clicked, the login page is an exact replica of Apple's standard login page. The target supplies their login credentials and are then notified that their account has now been unlocked. However, the adversary has just collected the target's Apple account information, which can now be used by the adversary for a variety of purposes.
+ References
[REF-590] "What is smishing?". NortonLifeLock Inc.. 2020-11-13. 2018-01-18. <https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html>.
[REF-591] "What is Smishing and How to Defend Against it?". AO Kaspersky Lab. 2020-11-13. <https://usa.kaspersky.com/resource-center/threats/what-is-smishing-and-how-to-defend-against-it>.
[REF-592] Jovi Umawing. "Something else is phishy: How to detect phishing attempts on mobile phones". Malwarebytes. 2020-11-13. 2018-12-10. <https://blog.malwarebytes.com/101/2018/12/something-else-phishy-detect-phishing-attempts-mobile/>.
[REF-593] Aaron Cockerill. "5 most common mobile phishing tactics". AT&T Cybersecurity. 2020-11-13. 2020-04-17. <https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing>.
+ Content History
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
2017-01-09CAPEC Content TeamThe MITRE Corporation
Updated Alternate_Terms
2020-12-17CAPEC Content TeamThe MITRE Corporation
Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Skills_Required
Previous Entry Names
Change DatePrevious Entry Name
2017-01-09Mobile Phishing (aka MobPhishing)
More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 17, 2020