New mobile Phishing Method using fake address bar and scroll locking
Phishing, the attempt to steal important data such as login information, passwords, or credit card numbers from unsuspecting users, is still a major threat on today's Internet. Microsoft's Security Intelligence report saw phishing emails increase by 250% in 2018 alone.
Most web browsers come with certain defenses, usually in the form of blacklists and other measures that detect phishing attacks.
One problem with that approach is that it mostly addresses phishing sites that are already known. The Inception Bar is a new phishing method designed specifically for mobile.
Many mobile web browsers hide the address bar when a user starts to scroll, to give the active webpage more room. Since screen space is at a premium on mobile, it makes sense to reclaim the address bar's space for content. Doing so removes the strongest identifying indicator for that webpage, however, and it also makes way for the new phishing method.
Basically, the phishing method puts a fake copy of the address bar at the top of the screen, in the fixed location where the real address bar is usually found. Browsers would normally display the real address bar again when users scroll up, but a scroll lock implemented on the page prevents that from happening.
The effect is that the fake address bar, which looks similar to the real one, is shown to users, and that it becomes difficult to exit the page. Even worse, since it is fake, it can be made to display any site URL. A dedicated web developer could create a full copy of Chrome's address bar and not just a lookalike.
You can see it in action on James Fisher's website. Note that you will experience the method first hand if you access the site with the mobile version of Chrome; on desktop, you can watch the animated GIF to see how it works on mobile devices.
Fisher's method works in Chrome for mobile; he notes that one could check the user agent to display similar fake address bars for other mobile web browsers.
I accessed the site on Chrome Stable and Chrome Canary for Android. The replacement worked in Canary but not in Chrome Stable. Whether that is caused by a browser setting or something else is unclear.
If you are stuck in mobile Chrome, you can get out by activating any link on the site.
Detecting that it is fake
For now, it is easy to detect whether the address bar is real or fake: the tab and menu icons don't do anything, and it is not possible to edit the URL either.
Things could get more complicated if the phishing method is developed further. Someone could use a form that accepts input instead, and make the icons behave more or less like the real ones.
The displayed tab count could still be an indicator, and most users probably know which site they accessed and may notice that the site now displayed is a different one.
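The two signals described above, a pinned element at the top of the viewport showing URL-like text and a page that refuses to scroll at the document level, can be checked mechanically. The following is an added example, not code from the article or from James Fisher's demo: a heuristic that evaluates a plain snapshot of the page (element positions, sizes, text and overflow settings) and reports the combination as suspicious. The snapshot format, the size thresholds and the function names are assumptions; the sample snapshots are constructed, with placeholder domains. It goes slightly beyond the article in that it also shows the benign case a real site header produces, which is why both signals are required before anything is flagged.

```javascript
// Added example (not from the article or from James Fisher's demo): a
// heuristic check for "inception bar" style spoofing. It works on a plain
// snapshot of the page rather than the live DOM so it runs in Node; a
// browser content script would build the same snapshot from
// getComputedStyle() and getBoundingClientRect() (glue code not shown).

// Hostname-like text, optionally with scheme and path: what a spoofed bar
// would display. Deliberately loose; false positives are filtered later by
// also requiring the scroll-lock signal.
const URL_LIKE = /^(https?:\/\/)?(www\.)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i;

// Position/size tests (CSS pixels): pinned to the top, spanning almost the
// full viewport width, toolbar height, and URL-like text. Thresholds are
// assumptions chosen for this example.
function looksLikeAddressBar(el, viewport) {
  if (el.position !== 'fixed' && el.position !== 'sticky') return false;
  if (el.top > 4) return false;
  if (el.width < viewport.width * 0.9) return false;
  if (el.height > 80) return false;
  return URL_LIKE.test((el.text || '').trim());
}

// The scroll lock: page-level scrolling is disabled (overflow hidden on
// <html> or <body>) while a child element does the scrolling, so the
// browser never sees the top-level scroll that would bring back its own
// address bar.
function documentScrollLocked(doc) {
  const hidden = v => v === 'hidden' || v === 'clip';
  return (hidden(doc.htmlOverflow) || hidden(doc.bodyOverflow)) && doc.hasInnerScroller;
}

function assessPage(snapshot) {
  const bars = snapshot.elements
    .filter(el => looksLikeAddressBar(el, snapshot.viewport))
    .map(el => el.text.trim());
  const scrollLocked = documentScrollLocked(snapshot.document);
  const findings = bars.map(t => `fixed top element shows URL-like text "${t}"`);
  if (scrollLocked) findings.push('document scrolling is locked; an inner element scrolls instead');
  // A pinned header showing a domain is common site chrome; only the
  // combination with a scroll lock is reported as suspicious.
  return { suspicious: bars.length > 0 && scrollLocked, bars, scrollLocked, findings };
}

// Constructed snapshots (not captured from any real site); domains are
// placeholders.
const SPOOF_SNAPSHOT = {
  viewport: { width: 412, height: 846 },
  document: { htmlOverflow: 'hidden', bodyOverflow: 'visible', hasInnerScroller: true },
  elements: [
    { tag: 'div', position: 'fixed', top: 0, width: 412, height: 56, text: ' https://bank.example ' },
    { tag: 'div', position: 'static', top: 56, width: 412, height: 2000, text: 'Sign in to continue' },
  ],
};

const BENIGN_SNAPSHOT = {
  viewport: { width: 412, height: 846 },
  document: { htmlOverflow: 'visible', bodyOverflow: 'visible', hasInnerScroller: false },
  elements: [
    // sticky site header that shows its own domain: not enough on its own
    { tag: 'header', position: 'sticky', top: 0, width: 412, height: 48, text: 'news.example' },
    { tag: 'main', position: 'static', top: 48, width: 412, height: 3000, text: 'Article body' },
  ],
};

for (const [name, snap] of [['spoof', SPOOF_SNAPSHOT], ['benign', BENIGN_SNAPSHOT]]) {
  const r = assessPage(snap);
  console.log(`${name}: suspicious=${r.suspicious}`, r.findings);
}
```

The check deliberately does not look at the text of the URL itself: a spoofed bar can show any domain, so what matters is that page content is positioned where browser UI belongs while the page blocks the gesture that would reveal the real UI. A tab count or icon that does nothing, as noted above, cannot be read from a snapshot and remains a manual check.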
Now You: What is your take on this method?
That’s not good. Fortunately I normally use Samsung Internet, which isn’t affected, though I do occasionally use chrome, which does display the above behavior on my phone.
I cannot tolerate mobile browsers that hide the address bar (almost all of them), so I use Maxthon Browser for Tablet (which they pulled from Google Play). It has an option to lock the address bar/toolbar so it is always visible even when you scroll down. Maxthon Browser for Tablet (not phones) also has the best implementation of tabs in a mobile browser (like a desktop browser).
“Many mobile web browsers hide the address bar when a user starts to scroll to expand the content of the active webpage. Since space is a premium on mobile, it makes sense to use the address space for that. Doing so removes the strongest identifying indicator for that webpage, and it also makes way for the new phishing method.”
I very much dislike the automatic hiding of the address bar without user consent. It is very important to be able to easily determine the loaded page, even at the expense of screen space. These days, a new page may also be shown without much disturbance by simply scrolling a page (some news sites do this), which may make the address bar hiding problem worse.
The current Firefox for Android hides the address bar by default, but has a setting to disable the hiding. Chromium for Android, and many browsers based on it, also hide the address bar automatically, but, unfortunately, do not appear to have an option to allow the address bar to stay on screen. Although I otherwise believe Chromium-based browsers for Android with extension support to generally be a better choice than Firefox for Android (for Windows/Linux, it's vice versa), the forced hiding of the address bar often has me using Firefox for Android over the Chromium-based browsers.
“What is your take on this method?”
It seems like a decent and effective method. It does not seem that novel, however. I do think that I have seen spoofing of the address bar while using web browsers on Windows (where almost all my web browsing was done) in the past.
Gotta admit, that’s pretty smart by the phishers! haha
That is an Android problem, not iOS.
On iOS using Safari the address bar is always visible. No gsbc.com
When using Chrome (which runs Safari) I get 2 address bars ! The top is Jameshfisher.com and a second bar under the top bar with http://www.gsbc.com
Firefox on iOS behaves the same as Safari: address bar always visible and no gsbc.com.
2/10 low effort, not working, colours don’t match, wrong tab count. Disqualified for the haircut. Next!
Some above are saying that FF on Android does the same thing (hide the address bar). AFAIK, I have stock FF on Android Pie and it kept the address bar visible when I went to the site. Chrome, of course as written, did not.
IMO, Google wastes too much time on eye candy and hiding app elements for a few pixels of screen gain.
Jojo, Firefox has a setting that can toggle the behavior. Currently, it is called “Full-screen browsing” and is located in Settings –> General. The setting should be toggled off to avoid the address bar being hidden.
>> Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar!
And it works in Firefox 66 mobile, but without replacing the real URL bar.
Doesn’t work in my WebView browser (Naked Browser Pro, running on Chromium/Blink).
The FF setting to hide the URL bar is browser.chrome.dynamictoolbar, not full-screen-something.
And it “works” in Brave – just like Firefox – because it’s just a simple layer, most likely (which means it works as intended only in Chrome). I wonder, why is it invisible in WebView? (last updated 28/4/2019)