A convincing new phishing scam that mimics trusted sites with a fake address bar has been discovered on the mobile version of Google Chrome.
The flaw, dubbed ‘Inception bar’ by security researcher James Fisher, could enable hackers to launch phishing attacks on unsuspecting users.
Typically, when users scroll down any page in Chrome for android, the address bar disappears to fill the page with more space for content. Attackers can then exploit this vulnerability to display a fake URL address bar to trick users into thinking they are visiting a legitimate website instead of a fake one.
The scam is so convincing, that even when the user scrolls up again, the attacker can block them from seeing the official web address. Fisher commented on how the scam tricks users: “The user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.”
Not only will the fake address bar display the name of a legitimate website, but it will also display an SSL secure site seal to convince users they are on an authentic and credible site.
The scam could effectively be used to trick users into thinking they are on a legitimate banking website and therefore safe to enter sensitive information such as their username and password.
In a demonstration of how the scam works, Fisher was able to change the displayed URL of his own website to that of UK banking giant, HSBC.
According to Google, one of the best ways to check if your address bar has been tampered with is to lock your phone and then unlock it again. This should force Chrome for Android to show its real address bar whilst also displaying the fake one as seen in the above image.
In the last five years, there has been an 85% increase on phishing attacks on mobile, highlighting just how vigilant users need to be on this particular platform. Unlike desktops, the mobile interface conceals a lot of red flags that would highlight a potential phishing attack.
To avoid being phished on mobile, you should always stick to safe and trusted browsers, bookmark sites to prevent landing on unknown pages, only buy apps from authorised sources and use anti-virus software for mobile. It’s also important to trust your gut and if something doesn’t seem quite right about a site, whether it’s sub-standard graphics, poor formatting or an inability to interact with the site, you should leave immediately.
MetaPhish provides a powerful defence against phishing and ransomware attacks by training employees to identify and respond appropriately to these threats. Get in touch for further information on how we can help protect your business.