In a proof-of-concept (PoC) blog post published earlier this week, developer James Fisher disclosed a new phishing method that abuses the way Chrome for Android hides the URL bar.
After hiding the URL bar, the browser “passes the URL bar’s screen space to the web page. Because the user associates this screen space with 'trustworthy browser UI,' a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar,” Fisher wrote.
“In my proof-of-concept, I’ve just screenshotted Chrome’s URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters 'gmail.com' in the inception bar!”
Fisher’s post has nonetheless drawn a range of responses on Twitter, with several users noting that they were unable to get the PoC working in Chrome.
“Whilst the proof of concept by Mr. Fisher isn't perfect, Google and others should consider implementing mitigation techniques like the 'Line of Death' to make the demarcation between browser UI and web content more obvious,” said Gavin Millard, VP of intelligence, Tenable.
“Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber-savvy individual. Exploiting this could lead to confidential information disclosure and fraud.”
A Google spokesperson told Infosecurity, “Protecting users from phishing has always been important to us. We're constantly improving more holistic solutions to phishing like Safe Browsing, security keys, and Chrome’s password manager. Our team is aware of this issue and continues to explore solutions.”