Security typography
A new phishin scheme that disguises the URL of malicious websites is targeting Android users and stealing login credentials. typographyimages/Pixabay

Security researchers have discovered a phishing attack targeted at Android users in which malicious mobile websites disguise their true domain in order to trick the user into giving up their username and password, Ars Technica reported.

First spotted by PhishLabs, the emerging mobile attack utilizes a simple and non-technical approach to hide its true intentions. The creators of the phishing sites fill the subdomain address of their site with hyphens that push the page domain out of sight on mobile browsers.

Read: Cyberattacks: Phishing, Ransomware Attacks Rose In 2016, Symantec Reports

The technique, known as URL padding, helps the attackers make their site appear as though it’s trustworthy. If users don’t see the phony domain name sitting atop the otherwise legitimate-looking site, they are less likely to view it as suspicious.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

According to PhishLabs’ data, the tactic of URL padding has been on the rise in recent months. The technique was first spotted in attacks launched in January, but a considerable uptick in the method took place in in March and has been a consistent threat ever since.

In the first quarter of 2017, there has been a 20 percent rise in phishing attacks over the final quarter of 2016, according to PhishLabs. The attacks have hit mobile devices—specifically Android devices—especially hard.

Read: Phishing Scams: FBI Says Businesses Have Lost $5 Billion In Phishing, Social Engineering Attacks

Thus far, the phishing sites have primarily targeted Facebook, but the social network isn’t the only site the attackers have their eyes on. Malicious sites designed to imitate sites like Apple, Comcast and Craigslist. Any site that requires an email address and password for authentication could be mocked up as part of the scheme.

Examples of the false domains can be seen below:[dot]html[dot]tv/craig2/[dot][dot]com/Login%20-%20OfferUp.htm

Thus far, it’s not clear how people land on the phishing sites to begin with, though it’s believed text messages containing shortened URLs are the most likely culprit, as opposed to the typical email phishing method.

“The trouble with mobile devices is that even people who are normally security conscious treat them differently,” Crane Hassold—a senior security threat researcher at PhishLabs’ Research, Analysis and Intelligence Division (RAID)—wrote in a blog post.

“As a population, we’ve been conditioned to check our phones constantly, and to browse or follow links in a far more lackadaisical manner than we would on a desktop or laptop. As a result, we’re generally paying far less attention to any warning signs that might crop up,” Hassold said.

A report published earlier this year by Symantec found that phishing attacks were as prominent as ever in 2016. While emails were typically the “weapon of choice” for attackers, but any platform—including SMS—that can be exploited with relatively common software and scripting language can be used to launch attacks.

The security research firm found that simple phishing attacks, where a message contains a malicious attachment or link, were responsible for scamming more than $3 billion from businesses in the last three years.