New Phishing Attack Copies Google Chrome Address Bar To Dupe Users

By   ISBuzz Team
Writer , Information Security Buzz | Apr 30, 2019 01:30 pm PST

A relatively simple exploit in Chrome for mobile has been discovered and called ‘inception bar’. The attack allows for a site to spoof a URL in the mobile version of Chrome when scrolling, subsequently locking them into a false UI.  

Experts Comments: 

Gavin Millard, VP of Intelligence at Tenable:   

“Reminiscent of the age old trick of copying “Trusted Sender” notifications and inserting them into nefarious emails, this neat approach to spoofing the address bar could lead to many users falling foul to enterprising attackers.    

“Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber savvy individual. Exploiting this could lead to confidential information disclosure and fraud.    

“Whilst the proof of concept by Mr Fisher isn’t perfect, Google and others should consider implementing mitigation techniques like the “Line of Death” to make the demarcation between browser UI and web content more obvious.”   

Corin Imai, Senior Security Advisor at DomainTools:   

“Targeting easily recognisable websites is a tried and trusted ploy to get potential victims to let their guard down. This proof of concept highlights the importance of prevention technologies being employed; Although educational measures undoubtedly have their place, the sophistication of this scam would likely mean it fools even the most security conscious among us.   

Much like with phishing campaigns impersonating Netflix, which were able to replicate backsplashes and logos almost to perfection, security is becoming a matter of a multi-faceted approach: education, email filtering and solid antiviruses should be all part of any organisation’s security standpoint. As long as phishing scams like these remain successful and therefore profitable they aren’t going anywhere; It’s up to us to make them obsolete with these measures.” 

Chris Doman, Security Researcher at AT&T Cybersecurity:   

“It’s a nice new variation on an old trick.   

“This kind of fake UI is surprisingly tricky to block in all cases – but Google can detect exact copy-cats of James’s code fairly easily. 

 “A saving grace is this requires you to scroll down first, but it’s also trivial to autoscroll down a page.”   


Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x