A new method for hiding the true location of a website from users of the mobile Chrome Web browser has come to light.
Phishers can trick users into revealing their credentials for a legitimate website to operators of a malicious one, security researcher James Fisher reported in a post on his personal blog Saturday.
Scammers can exploit mobile Chrome’s feature that hides the real address bar while users scroll a Web page: once it is hidden, the page inserts its own fake address bar, letting a fraudulent site pose as a legitimate one, such as a bank’s, Fisher explained.
Making matters worse, scammers can create a “scroll jail” that prevents users from seeing the true URL for the page even when they scroll to the top.
“The user thinks they’re scrolling up in the page,” Fisher wrote, “but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.”
Although Fisher’s discovery isn’t good news for consumers, it seems to be a minor issue, because a Web page’s true URL will appear in the address bar initially, noted Thomas Reed, director of Mac & Mobile at Malwarebytes, a cybersecurity software maker based in Santa Clara, California.
“It would require a very specific set of user behaviors to make this useful,” he told TechNewsWorld. “I can see some people exhibiting those behaviors, though, so it’s definitely an issue.”
However, “I wouldn’t consider this a serious threat, because users would just need to pay attention to the URL bar when they first visit the site,” Reed said. “Honestly, I don’t foresee this getting used much, if at all.”
It’s far easier for someone phishing for personal information to use a homograph attack, he pointed out. In that type of attack, a scammer takes a domain name and substitutes characters that at first glance look like the original characters. A zero might be substituted for the letter “O,” for example, or a one for the letter “l.”
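As an added illustration (not code from the article or from any of the people quoted), the Python check below folds a domain name to its visual "skeleton" and flags hosts that imitate a protected domain. It covers the zero-for-O and one-for-l substitutions Reed describes and, going beyond the article, punycode-encoded Cyrillic lookalikes; the confusable table and the "last two labels" rule are simplifications assumed here.

```python
import unicodedata
from typing import Optional

# Constructed lookalike table: characters that pass for a Latin letter at a glance,
# folded to the letter they imitate. A real deployment would use the Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",  # Cyrillic с у х, Greek ο
}
# Letter pairs that render like a single letter in many fonts.
SEQUENCES = {"rn": "m", "vv": "w"}


def to_unicode_host(host: str) -> str:
    """Lower-case the host and decode any punycode (xn--) labels to Unicode."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode: analyse as given


def skeleton(label: str) -> str:
    """Fold a domain to what it looks like: NFKD, drop accents, map lookalikes."""
    s = unicodedata.normalize("NFKD", label).lower()
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for seq, rep in SEQUENCES.items():
        s = s.replace(seq, rep)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def registrable_domain(host: str) -> str:
    # Assumed simplification: keep the last two labels; a real check uses the public suffix list.
    return ".".join(to_unicode_host(host).split(".")[-2:])


def homograph_target(host: str, protected: list[str]) -> Optional[str]:
    """Return the protected domain that `host` visually imitates, or None.

    An exact match to a protected domain is legitimate and returns None; any other
    domain whose skeleton equals a protected domain's skeleton is flagged.
    """
    dom = registrable_domain(host)
    if dom in protected:
        return None
    for legit in protected:
        if skeleton(legit) == skeleton(dom):
            return legit
    return None
```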
The attack Fisher described is a proof-of-concept demonstration, not something found in a hacker’s toolkit, said Cameron Palan, a senior threat research analyst at Webroot, an Internet security company in Broomfield, Colorado.
“This isn’t an attack discovered in the wild and may never affect users if Chrome is updated quickly,” he told TechNewsWorld.
Google, which owns Chrome, did not respond to our request to comment for this story.
Low ROI for Hackers
It’s not likely that this phishing ploy poses a major threat to consumers, said Jonathan Tanner, a senior security researcher with Barracuda Networks, based in Campbell, California.
“The amount of technical ability and time required to successfully implement this will make it unlikely to be seen much in the wild, and Google — and possibly other browser makers — will undoubtedly patch this faster than the speed at which it could become a common sight for phishing pages,” he told TechNewsWorld.
“I doubt the returns on implementing this method would be worth the work,” he said. “It’s unlikely that this technique alone would result in a significant increase in follow-through on the part of users being phished.”
Unlike some browser attacks, this one isn’t based on a vulnerability, observed Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company based in Sunnyvale, California.
“This is trickery,” he told TechNewsWorld.
“There is no way to force the download of malicious content, trigger a remote code execution or any malicious activity,” Hahad said.
“This is just a visual trick that may make some people believe they are on a different website than the one they actually surfed to,” he continued.
This type of trickery need not be limited to mobile Chrome, Hahad pointed out. “Other browsers and other operating systems have different implementations that may allow for a less sophisticated version of this trick.”
Consumer Protect Thyself
While the fake address bar attack is designed to be stealthy, an alert consumer can identify it.
“Consumers can recognize this type of attack when the website in the address bar changes unexpectedly after scrolling down the Web page and doesn’t seem to respond to interaction as expected,” Hahad explained.
“Tap the bar to test it,” Webroot’s Palan added. “The fake one is nonfunctional. Also, the number of current tabs displayed on the fake bar will not likely match your own.”
Once a user starts scrolling down the page, distinguishing the fake browser from the real browser can be very difficult, noted Paul Bischoff, a privacy advocate for Comparitech, a reviews, advice and information website for consumer security products based in Maidstone, Kent, UK.
“The best way to spot the fake is to take note of the real page URL before scrolling down,” he told TechNewsWorld.
Consumers should be wary of links that lead to login screens, Barracuda’s Tanner advised.
“Better yet, manually type in the full and correct URL for any site that you want to log in to. That should be sufficient for users to protect themselves,” he recommended.
“While novel, this attack is not particularly significant and won’t likely be used much in the wild so general security measures are sufficient,” Tanner added.
If faking an address bar the way Fisher described were to catch on in phishing circles, it would be a bit of an anomaly.
“Most phishing campaigns are platform-agnostic,” Bischoff said. “It doesn’t matter whether you encounter them on mobile or desktop.”
Phishing attacks are very widespread on mobile devices, Malwarebytes’ Reed noted.
“However, one advantage mobile device users have is the availability of apps for most sites that attackers would want to mimic,” he said.
“For example, if you are a Bank of America customer, you’d be more likely to use the Bank of America app than the Bank of America website on your mobile device,” Reed pointed out.
“Still, if an attacker can get a mobile user to tap a link, they can still snare plenty of victims,” he said.
Phishing attacks on mobile devices likely are on the rise due to the rapid growth in the sector, explained Jonathan Olivera, a threat analyst with Centripetal Networks, a cybersecurity solutions provider in Herndon, Virginia.
“The bad actors will always follow the areas that have the most users,” he told TechNewsWorld.
“The mobile platforms and application developers have an incentive to produce as many products as feasible to satisfy their user base,” Olivera said, “which results in security vulnerabilities in many of them.”