Hackers are now launching a new, sophisticated phishing attack on the Android Chrome web browser, which lets the attacker hide the original address bar and display their own fake URL bar in its place once the user scrolls down the web page.
A cyber security researcher named James Fisher has recently demonstrated a new phishing attack method by hosting it on his own domain (Jamesfisher.com), in which he exploits a flaw in the Google Chrome web browser for Android.
How does it work? (Fake URL)
When a victim visits the phishing site, the page covers the original Chrome URL bar with its own fake one, complete with an SSL (Secure Sockets Layer) padlock and an address such as ” https://www.domianname.com ”, which tricks the user into believing they are on a legitimate site with a legitimate URL.
In current versions of Chrome for mobile, when the user scrolls down a web page the browser automatically hides the URL bar and the web page expands to fill almost the whole screen, apart from the phone's own system bar at the top.
Attackers are now abusing this nifty feature by disguising the web page as “trustworthy browser UI”: the page draws its very own fake URL bar posing as a legitimate site, so that the person feels at ease and gives away their personal information.
DEMO – New Advanced Phishing Attack Targeting Chrome Browser for Android
The attack doesn’t stop there; it gets even worse. If the user scrolls back up to check the original URL, the attacker can prevent the real URL bar from ever reappearing.
Fisher refers to this technique as a “scroll jail”: all of the page content is placed inside a single element styled with “overflow: scroll”, so when the user scrolls up, only that element scrolls rather than the page itself.
According to James Fisher, the user thinks they’re scrolling up in the page, but in fact, they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.
In the demonstration, Fisher uses the HSBC domain (www.hsbc.com) in his fake URL bar, but in a real-world attack the attacker would choose a domain that is more relevant and trustworthy to the target in order to increase their success rate.
In a report, Fisher stated “Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there’s not much escape.”
Possible Mitigation
The phishing trick demonstrated by Fisher works specifically on Android phones. iOS users remain unaffected, since Chrome for iOS continues to display the URL bar.
Fisher calls the inception bar a security flaw in the Chrome for Android browser. He says that the technique is powerful enough to trick most users. As a possible fix, he suggests that Google add some visual signal that the URL bar is collapsed instead of hiding it entirely behind the web page.
“One compromise would be for Chrome to retain a small amount of screen space… to signal that “the URL bar is currently collapsed”, e.g. by displaying the shadow of an almost-hidden URL bar.”
For now, we advise all Android users to be very careful while browsing on their phones, since the trick is now publicly disclosed.