CAPEC-164 - Mobile Phishing (aka MobPhishing)

An attacker targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation on the Phishing social engineering technique where the attack is initiated via mobile texting rather than email. The user is enticed to provide information or go to a compromised web site via a text message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.

Severity

Likelihood

Confidentiality

Integrity

Availability

The attacker needs mobile phone numbers to initiate the connection. The attacker must guess an area of interest for the mobile user to entice them to follow the link provided in the text message. The attacker must have a replicated web site, as in a normal Phishing attack.

Either a mobile phone or access to a web resource that allows text messages to be sent to mobile phones, as well as the resources needed for a regular Phishing attack.