When you use Chrome for Android, it hides the URL bar to give the page more of the screen. Once a web page has loaded and the user scrolls, Chrome on Android collapses the URL bar and hands that space to the site's content. This feature, although handy for users, can be abused by phishing attackers against people browsing the web.
James Fisher has already demonstrated in his blog post that page content can easily be made to look as though it is hosted on the real, genuine website, complete with the HTTPS padlock and the browser's other visual cues. The attacker simply waits for the user to click a link in a message and then scroll down, at which point the real URL is hidden from view. This behaviour does not exist in Chrome for iOS, where the original URL bar stays visible even while scrolling down. On Android, however, the hidden URL bar can be replaced by a fake URL bar built into the attacker's web page.
Fisher also said that attackers can mimic the design of the Chrome browser itself. In this type of attack, a padding element traps the page in what he calls a 'scroll jail': the user can no longer reach the real URL bar even by scrolling up, which would normally make Chrome show it again. Although the user thinks they are scrolling up the page, they are in fact scrolling within the 'scroll jail'. The attack is named after the sci-fi movie Inception, starring Leonardo DiCaprio.
The 'scroll jail' is like a dream in Inception: the user thinks they are browsing in Chrome, but they are actually inside a fake browser rendered within their real Chrome browser. Even though Google might not flag it as a security vulnerability, it would not be the first time a Google feature has been exploited by scammers. Last year, Fisher also found that dots placed within a Gmail address are ignored, so mail still goes to the owner of the original address. This allowed scammers to create Gmail accounts that con Netflix account owners into adding their payment card details to the scammer's account.
The reason is that Gmail does not recognise the dots, whereas other online services do, and allow separate accounts to be created under the dotted variants of the same address. ZDNet reported the same trick being used by scammers to apply for fraudulent unemployment benefits and to file fake tax returns. Fisher suggests that Chrome could leave a small space at the top of the screen to show that the URL bar has collapsed.
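The Gmail dot problem is one a service operator can close on their own side: if a sign-up system canonicalises Gmail addresses before checking for duplicates, the dotted variants all collapse to one identity and a scammer cannot register many accounts that deliver to a single inbox. The following Python is an added example, not code from the article or from any of the vendors it mentions. It assumes that dots in the local part are ignored only for gmail.com and googlemail.com (the page states the behaviour for Gmail; treating googlemail.com as an alias is an assumption), and it also strips a "+tag" suffix, which is Gmail plus-addressing and not something the article discusses. The sample addresses are constructed for the demo.

```python
"""Canonicalise e-mail addresses so that Gmail "dot variants" of one inbox
are treated as the same identity during account registration checks."""

# Assumption: these domains ignore dots in the local part (googlemail.com is
# treated as an alias of gmail.com; that alias handling is an assumption).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form of `address` for duplicate detection.

    For Gmail-style domains: lower-case, drop everything after a '+'
    (plus-addressing, an assumption not covered by the article), remove
    all dots from the local part, and normalise the domain to gmail.com.
    For every other domain only case and surrounding whitespace are
    normalised, because those providers really do treat dotted variants as
    distinct mailboxes.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a valid e-mail address: {address!r}")
    local, domain = addr.split("@")
    if not local or not domain:
        raise ValueError(f"not a valid e-mail address: {address!r}")

    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # strip "+tag" suffix (assumption)
        local = local.replace(".", "")   # Gmail ignores dots in the local part
        domain = "gmail.com"             # alias handling (assumption)
    return f"{local}@{domain}"


def find_duplicate_identities(addresses):
    """Group registered addresses by canonical form and return only the
    groups with more than one spelling, i.e. the variants a scammer could
    use to register several accounts that all land in one Gmail inbox."""
    groups = {}
    for raw in addresses:
        groups.setdefault(canonical_email(raw), []).append(raw)
    return {canon: variants for canon, variants in groups.items() if len(variants) > 1}


def is_already_registered(new_address: str, existing_addresses) -> bool:
    """Duplicate check a sign-up flow would run: compare canonical forms,
    not raw strings, so 'j.ohn.doe@gmail.com' collides with 'johndoe@gmail.com'."""
    target = canonical_email(new_address)
    return any(canonical_email(a) == target for a in existing_addresses)


# Constructed sample registrations for the demonstration.
SAMPLE_REGISTRATIONS = [
    "johndoe@gmail.com",
    "John.Doe@gmail.com",
    "j.o.h.n.d.o.e@googlemail.com",
    "johndoe+netflix@gmail.com",
    "john.doe@example.com",     # a different provider: dots are significant here
    "johndoe@example.com",
]

if __name__ == "__main__":
    for canon, variants in find_duplicate_identities(SAMPLE_REGISTRATIONS).items():
        print(f"{canon} is registered under {len(variants)} spellings: {variants}")
    print(is_already_registered("J.O.H.N.D.O.E@gmail.com", SAMPLE_REGISTRATIONS))
```

Only the Gmail-style domains are collapsed; for example.com the dotted and undotted spellings remain two separate accounts, which matches how the article describes other providers behaving.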