Google Chrome hit with new phishing scam that uses fake address bar to steal passwords and credit card information
- A convincing phishing scam mimics trusted sites with a fake address bar
- The ‘inception bar’ also traps unwitting victims into clicking a fake web page
- From there, scammers can steal users’ passwords or other sensitive information
- Google has not announced if it’s aware of the problem or whether a fix is coming
A new and surprisingly simple phishing method has affected Google Chrome’s mobile browser, disguising itself as some of victims’ most-trusted websites.
According to developer Jim Fisher, who posted about the exploit on his personal blog, hackers can use a mixture of coding and screenshots to trick victims into giving up their private data.
The scam, which Fisher calls the ‘inception bar’, targets Android users of Chrome by using a fake address bar that displays not only the name of a legitimate website but also an SSL badge – the padlock icon used to signal that a site’s identity has been verified – indicating that the page is safe.
A new phishing scam uses screenshots to fake an address bar and affects users of Google Chrome on Android.
When mobile users scroll using Google Chrome on Android, the address bar located at the top of the page automatically disappears.
Normally, when users scroll back up, the bar reappears, but Fisher shows that he’s found a way to trap users in a ‘scroll jail.’
This is essentially a page within a page – hence the title, ‘inception bar’ – where even if a user attempts to scroll back up to the top of the page to access the real address bar, they’re forced back down, trapped in the phony page.
In a demonstration, Fisher is able to change the displayed URL of his own website to that of HSBC Bank.
This trick would be useful for scammers who attempt to camouflage a malicious web page as a legitimate one and steal important information from users, like passwords and credit card information.
With some added coding, Fisher says that the scam could be made more sophisticated, by making the fake bar interactive.
‘With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser,’ said Fisher.
‘With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters ‘gmail.com’ in the inception bar!’
Google has worked to include a host of new features in the past few months intended to crack down on phishing scams.
It’s not yet clear how users can shield themselves from the phishing scam, Fisher said.
Dailymail.com has reached out to Google for comment on the attack.
‘How can you guard yourself against this attack? I don’t really know,’ he said.
‘One compromise would be for Chrome to retain a small amount of screen space above, instead of giving up literally all the screen space to the web page.
‘Chrome could use this space to signal that ‘the URL bar is currently collapsed,’ [by] displaying the shadow of an almost-hidden URL bar,’ he added.
According to 9to5Google, the best way to check if your address bar has been co-opted by bad actors is to ‘lock’ your phone and then ‘unlock’ it. That method, the post says, should reveal both bars.
While Fisher’s demonstration was carried out on Google Chrome, the scam could potentially affect other browsers with similar features.
Google has continued to introduce a host of new security features that specifically target phishing, including disallowing embedded browsers and features that notify users when they’re browsing a ‘potentially harmful’ website.
What is ‘phishing’ and how do you avoid getting scammed?
Phishing involves cyber-criminals attempting to steal personal information such as online passwords, bank details or money from an unsuspecting victim.
Very often, the criminal will use an email, phone call or even a fake website pretending to be from a reputable company.
The criminals can use personal details to complete profiles on a victim which can be sold on the dark web.
Cyber criminals will use emails in an effort to elicit personal information from victims in order to commit fraud or infect the user’s computer for nefarious purposes.
Some phishing attempts involve criminals sending out infected files in emails in order to take control of a victim’s computer.
Any form of social media or electronic communication can form part of a phishing attempt.
Action Fraud warn that you should never assume an incoming message is from a genuine company – especially if it asks for a payment or wants you to log on to an online account.
Banks and other financial institutions will never email looking for passwords or other sensitive information.
An effective spam filter should protect against most malicious messages, although the user should never call the number at the bottom of a suspicious email or follow its link.
Experts advise that customers should call the organisation directly to see if the attempted communication was genuine.
According to Action Fraud: ‘Phishing emails encourage you to visit the bogus websites.
‘They usually come with an important-sounding excuse for you to act on the email, such as telling you your bank details have been compromised, or claim they’re from a business or agency and you’re entitled to a refund, rebate, reward or discount.
‘The email tells you to follow a link to enter crucial information such as login details, personal information, bank account details or anything else that can be used to defraud you.
‘Alternatively, the phishing email may try to encourage you to download an attachment. The email claims it’s something useful, such as a coupon to be used for a discount, a form to fill in to claim a tax rebate, or a piece of software to add security to your phone or computer.
‘In reality, it’s a virus that infects your phone or computer with malware, which is designed to steal any personal or banking details you’ve saved or hold your device to ransom to get you to pay a fee.’
Source: Action Fraud