Hackers Tricks You With Advanced Phishing Attack using Fake Address Bar on Chrome for Android

Jun 04, 2019
Posted by
Cyber Security


Image result for google chrome keyboard shortcuts

Another type of an advanced phishing attack on Android Chrome let hackers conceal the Orignal address bar’ screen space by showing its own fake URL bar when the user scrolls down the web page.

Security researcher James fisher showed this phishing assault by hosting his own domain (jameshfisher.com), and he abuses the defect in chrome browser for mobile.

The fake address bar that related with the phishing site page presented with genuine site URL by capture the original chrome bar.

Regularly, when we scroll down the website page, browser conceals the URL bar and the site page will cover on it on the grounds that the page got to by means of “trustworthy browser UI”.

Here, the phishing site abusing this procedure by showing its own fake URL bar that acted like an authentic bar and trap clients to give away their own data.

This assault is far and away more terrible, generally when users scrolls up the site page they will again achieve the original URL bar, however for this situation, attackers can trap users to never return the original URL bar.

Scientist call it as “scroll jail”, a trap let move whole page content into it, when users scrolls up the page using another component overflow scroll.

According to James Fisher, the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.

Behalf of demonstration, Fisher utilizing HSBC domain (www.hsbc.com) as a fake URL bar and, by using a similar way attackers could use any genuine site to intercept the URL bar and trap to steal the data.

“Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there’s not much escape.” Fisher said. He also believes that it might be a security flaw in Chrome browser.