A relatively simple exploit in Chrome for mobile has been discovered and called ‘inception bar’. The attack allows for a site to spoof a URL in the mobile version of Chrome when scrolling, subsequently locking them into a false UI.
Chrome inception bar phishing method replaces real address bar with a fake one: Chrome is one of the most widely used browsers on mobile phones and is generally considered safe as it is developed and maintained by Google. However, developer Jim Fisher… https://t.co/dAokFPjwkB pic.twitter.com/lg8rK2dyaL
— MaxIT (@maxitonline) April 30, 2019
Gavin Millard, VP of Intelligence at Tenable:
“Reminiscent of the age old trick of copying “Trusted Sender” notifications and inserting them into nefarious emails, this neat approach to spoofing the address bar could lead to many users falling foul to enterprising attackers.
“Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber savvy individual. Exploiting this could lead to confidential information disclosure and fraud.
“Whilst the proof of concept by Mr Fisher isn’t perfect, Google and others should consider implementing mitigation techniques like the “Line of Death” to make the demarcation between browser UI and web content more obvious.”
Corin Imai, Senior Security Advisor at DomainTools:
“Targeting easily recognisable websites is a tried and trusted ploy to get potential victims to let their guard down. This proof of concept highlights the importance of prevention technologies being employed; Although educational measures undoubtedly have their place, the sophistication of this scam would likely mean it fools even the most security conscious among us.
Much like with phishing campaigns impersonating Netflix, which were able to replicate backsplashes and logos almost to perfection, security is becoming a matter of a multi-faceted approach: education, email filtering and solid antiviruses should be all part of any organisation’s security standpoint. As long as phishing scams like these remain successful and therefore profitable they aren’t going anywhere; It’s up to us to make them obsolete with these measures.”
Chris Doman, Security Researcher at AT&T Cybersecurity:
“It’s a nice new variation on an old trick.
“This kind of fake UI is surprisingly tricky to block in all cases – but Google can detect exact copy-cats of James’s code fairly easily.
“A saving grace is this requires you to scroll down first, but it’s also trivial to autoscroll down a page.”