October 4, 2012

Hook, line and sinker: the dangers of Location-Based Services

Ran Mosessco, Principal Security Researcher

Any new technology brings potential risks along with potential benefits, and Location-Based Services (LBS) are a case in point. Mobile apps that use geolocation data are increasingly popular, offering new ways to connect with nearby friends or find people with shared interests. Advertisers can tempt nearby customers with coupons and discounts, targeting people around the corner, who are far more likely to stop in than those on the other side of the world.

Many sites geolocate visitors' IP addresses in order to serve local content and ads, ranging from perfectly legitimate local headlines to the all-too-familiar "Local girls in [your city here] want to meet you tonight!" In a new, mobile twist on an old threat, LBS can also help phishers and other scammers find likely victims. As we noted in a previous post, scammers, like legitimate businesses, try to optimize their operations to avoid wasting time and resources on unproductive activities. LBS helps them do this in several ways.

Websense researchers have found many cases of LBS-based phishing. Here we illustrate an example from MoMo, a Chinese LBS social networking app. The screenshot from the app showed a message allegedly from a pretty girl just 124.78 km away from you.


Along with an attractive picture, she says, “Hello! I just got here and want to meet people around. It’s a pleasure if we can be friends. Here is my blog site [URL deleted]. You can see my pictures and know me more from there first.”

The link leads to a phishing page that tries to steal the username and password of your account at QQ.com, a major Chinese portal that ranks 9th overall in the Alexa Internet ranking. The link could just as easily have led to spam or a drive-by download.

Why might this approach be more productive for the scammer than traditional email spam? First, a "local" contact seems more trustworthy, encouraging you to lower your guard. Second, the attractive profile pictures are tempting bait. Finally, mobile browsers show only the beginning of a long URL, so a hostname that starts with a familiar brand name can look legitimate even when it ends in a domain the attacker controls; the part of the address that victims actually see often looks fine.

This is just the latest wrinkle in concerns over LBS-based apps. Last year, a British security firm reported that burglars make extensive use of mobile check-ins on Facebook, Twitter and other social media to target homes they know to be empty. The average home burglary takes only ten minutes, so you can easily be cleaned out while enjoying coffee at your favorite Starbucks, having just announced to the whole world that you are there.

Keeping quiet about where you are is not enough, because some apps make the announcement for you. Geotagging on cameras and phones, for example, automatically embeds GPS coordinates in the EXIF metadata of every photo taken.

LBS are a particular concern where children are involved. On the one hand, geolocation offers parents peace of mind, knowing their youngsters can be found quickly if they wander off. On the other hand, predators can target potential victims by inducing naive kids to reveal personal data, or simply by harvesting the location data that devices attach automatically. Kids and teens often share photos taken with their phones, and anyone with basic technical skills and an EXIF reader can extract the embedded coordinates and determine exactly where a photo was taken. Switching off the phone's GPS is not a complete fix either: apps that hold location permissions can still obtain a position from nearby Wi-Fi networks and cell towers, so a photo may be geotagged anyway.
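To make the EXIF point concrete, here is an added example (not code from the original post or from Websense) that reads the GPS tags from a JPEG's Exif segment without any third-party library, converts the degrees/minutes/seconds rationals to decimal coordinates, and strips the segment, which is the check to run before a photo leaves the device. The sample JPEG is constructed inline (SOI, one Exif APP1 segment carrying a GPS sub-IFD, EOI, no image data) so the script runs offline; the coordinates in it are made up.

```python
"""Read or strip the GPS coordinates a phone embeds in a JPEG's EXIF block.

Added example (not Websense code): a dependency-free parser for the TIFF-style
IFD structure inside the APP1 "Exif" segment, a helper that strips that
segment, and a builder that constructs a minimal sample JPEG for testing.
"""
import struct

GPS_IFD_POINTER = 0x8825            # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before SOS."""
    pos = 2                                      # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):               # SOS / EOI: no more metadata
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw_bytes)} for the IFD at offset."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, base)
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                            # value fits in the entry
            raw = tiff[base + 8:base + 8 + size]
        else:                                    # value field is an offset
            (ptr,) = struct.unpack_from(bo + "I", tiff, base + 8)
            raw = tiff[ptr:ptr + size]
        entries[tag] = (typ, count, raw)
    return entries


def _dms_to_decimal(raw, ref, bo):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref -> signed decimal degrees."""
    v = struct.unpack_from(bo + "IIIIII", raw)
    deg, mins, secs = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    dec = deg + mins / 60 + secs / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no GPS EXIF is present."""
    for marker, start, end in iter_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]
        bo = ">" if tiff[:2] == b"MM" else "<"   # TIFF byte-order mark
        (ifd0_off,) = struct.unpack_from(bo + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, bo)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack_from(bo + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_off, bo)
        if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON} <= gps.keys():
            return None
        lat = _dms_to_decimal(gps[GPS_LAT][2], gps[GPS_LAT_REF][2][:1].decode(), bo)
        lon = _dms_to_decimal(gps[GPS_LON][2], gps[GPS_LON_REF][2][:1].decode(), bo)
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed."""
    out, last = bytearray(), 0
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: SOI + one Exif APP1 segment + EOI, no image data.

    lat_dms / lon_dms are three (numerator, denominator) pairs. TIFF layout:
    header @0 | IFD0 @8 | GPS IFD @26 | lat rationals @80 | lon rationals @104.
    """
    def rat(pairs):
        return b"".join(struct.pack(">II", n, d) for n, d in pairs)
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) + b"\0" * 4
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode().ljust(4, b"\0")
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, 80)
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref.encode().ljust(4, b"\0")
    gps += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    gps += b"\0" * 4                             # no next IFD
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    # 51 deg 30' 0" N, 0 deg 7' 30" W -> (51.5, -0.125); made-up location
    photo = build_sample_jpeg([(51, 1), (30, 1), (0, 1)], "N", [(0, 1), (7, 1), (30, 1)], "W")
    print("embedded location:", extract_gps(photo))
    print("after stripping:  ", extract_gps(strip_exif(photo)))
```

A real photo carries more than this (a thumbnail IFD, maker notes, an Exif sub-IFD with the capture time), but the same IFD walk applies, and the GPS sub-IFD is always reached through tag 0x8825 in IFD0. Note that `strip_exif` removes the whole Exif block, including the orientation tag, so a stripped photo may display rotated; that is usually an acceptable trade for not publishing where it was taken.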

Websense will continue to monitor developments in this area to protect our customers, their data, and systems from new and evolving security threats.

