Cyber expert James Fisher discovered a new phishing method he calls the “inception bar.” He named it after the movie Inception, and just like the movie, the phishing method traps you in a fake reality. You can see an example of how it works on his website.
He discovered the exploit in Chrome for mobile, confirming what we already know: mobile is the number one threat target going forward.
According to James, “In Chrome for mobile, when the user scrolls down, the browser hides the URL bar. When the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a ‘scroll jail.’ Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser.”
James elaborates, “The user should be able to scroll to the top of the jail, at which point Chrome will re-display the URL bar. But we can disable this behavior, too! We insert a very tall padding element at the top of the scroll jail. Then, if the user tries to scroll into the padding, we scroll them back down to the start of the content! It looks like a page refresh.”
The really scary part, James admitted, is that even though he created the inception bar, he found himself being tricked by it. When asked how users can protect themselves from such an exploit, he said, “I don’t really know. I see it as a security flaw in Chrome. But what’s the fix?”
Okay, so a cyber expert identifies a flaw in Chrome that can be used to phish users, the exploit is so convincing that even he falls for it, and he has no idea how to protect users against it. The next time someone tries to convince you that the best way to protect yourself against phishing is awareness training, have them read this article.
The only way to prevent being phished by an exploit this good is real-time link checking. Even if someone pulls off the perfect phish and gets you to click on a malicious link, real-time link checking inspects the link at the moment you click it and protects you from being phished. And of course, for it to be really useful, the real-time link checking MUST work on mobile devices.
If you really want to frustrate hackers, get cloud-based phishing protection that protects all your devices no matter how good their phishing method is. It’s fast, it’s affordable and that’s no fake reality.