In a blog post published earlier this week, developer James Fisher disclosed a new phishing method affecting Google Chrome for Mobile on Android, which relies on the way Chrome hides its URL bar.
After hiding the URL bar, the browser “passes the URL bar’s screen space to the web page. Because the user associates this screen space with ‘trustworthy browser UI,’ a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar,” Fisher wrote.
“In my proof-of-concept, I’ve just screenshotted Chrome’s URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters ‘gmail.com’ in the inception bar!”
Fisher’s post has drawn mixed responses on Twitter, with several users noting that they were unable to get the PoC working in Google Chrome.
The inception bar: a new phishing method https://t.co/8QLtjwacmm
— James Fisher (@MrJamesFisher) April 27, 2019
“Whilst the proof of concept by Mr. Fisher isn’t perfect, Google and others should consider implementing mitigation techniques like the ‘Line of Death’ to make the demarcation between browser UI and web content more obvious,” said Gavin Millard, VP of intelligence, Tenable.
“Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber-savvy individual. Exploiting this could lead to confidential information disclosure and fraud.”
A Google spokesperson told Infosecurity, “Protecting users from phishing has always been important to us. We’re constantly improving more holistic solutions to phishing like Safe Browsing, security keys, and Chrome’s password manager. Our team is aware of this issue and continues to explore solutions.”