You might not realize you’re on a bogus site despite your best efforts.
Cyberattackers don’t need to find obscure technical flaws to launch phishing attacks — they might just need a screen capture and some clever web coding. Developer James Fisher has found a relatively simple exploit in Chrome for mobile that takes advantage of how the app displays the address bar. When you scroll down from the top of a page, the approach displays a fake address bar that won’t disappear until you visit another site. The attacker can even craft the page to prevent you from seeing the real address bar when you scroll up.
Fisher’s approach is focused on Chrome and is only a proof of concept for now, but it could theoretically display fake address bars for a variety of browsers and even include interactive elements. In other words, a phishing campaign could produce a convincing site beyond just the content of the page. You’d have to pay attention to the starting address to know what’s happening, and not everyone will catch that irregularity.
We’ve asked Google for comment. It’s not clear how many phishers will use techniques like this. There is a way to double-check, though. The 9to5Google team noted that you can force the real address bar to show by locking and then unlocking your phone again. It’s not bullet-proof as a result, but many people won’t know to try this and might be fooled as a result.