Developer Jim Fisher has demonstrated a relatively simple phishing technique against Google Chrome’s mobile browser. According to Fisher, the trick lures victims into handing over private information by impersonating websites they already trust.
Victims can be deceived with nothing more than a little code and some screenshots, Fisher explained in a post on his personal blog. The cause is a flaw in the mobile version of Chrome that lets an attacker make users believe they are on an official, authentic website when they are in fact on a fake one.
This is particularly worrying when the user believes they are on their bank’s website, since the account number and online-banking password they enter would go straight to the attacker.
Fisher has also developed and disclosed a proof of concept. So far, however, there is no indication that the flaw has been exploited in the wild. Although it has only been demonstrated in Chrome at the moment, Fisher believes other browsers may be susceptible as well.
Recent versions of Chrome for mobile devices hide the address bar as the user scrolls down a page, giving more of the screen to the page’s content. This new wave of phishing attacks exploits exactly that feature. Once the real address bar has been hidden, the attacker’s page draws its own fake address bar, complete with a trusted URL and an SSL padlock, which stays on screen as soon as the user stops scrolling.
Normally the real address bar reappears when the user scrolls back up, but here it does not. Fisher calls this a “scroll jail”: the page’s content is placed inside a scrollable container within the page, so when the user tries to scroll up to reach the real address bar, only the inner container moves. The genuine bar never returns, and the user is trapped.
In his proof of concept, Fisher demonstrated the trick by replacing the URL of his own website with that of HSBC Bank. With a little more code, he notes, the scam could be made more convincing still.
“With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser,” said Fisher in his blog post.
The flaw is not easy to fix, and because it involves the browser’s interactive behaviour, Chrome’s developers will have to think outside the box to eradicate it. Fisher has dubbed the scam the “inception bar”, and Android mobile users are currently at risk.