Chrome ‘Inception Bar’ Phishing Attack Lets Hackers Trick Users With Fake URL Bar. Here’s How to Avoid It

Google recently came up with a new security feature that warned users against lookalike URLs, helping them to distinguish between genuine and fake Web addresses. But it appears that a more grave issue has raised its head, a new type of phishing attack that has been proven to work on Chrome for mobile. Dubbed the ‘inception bar', the technique allows hackers to mask the real URL on Chrome for mobile and show a fake URL instead, complete with a padlock icon to deceive users into believing that the page they are scrolling is legit and secure. What's worse is that the fake URL can also be made to appear as a dynamic bar with interactive content.

Documented by developer James Fisher, the hack allows malicious parties to take advantage of the fact that Chrome for mobiles hides the URL bar when users scroll down to clear screen space for displaying more content. Malicious webmasters can take advantage of this fact to trick users into visiting a malicious webpage by hiding the real URL bar with a doctored URL, complete with the padlock icon to further remove any doubt. This fake URL bar is dubbed the ‘inception bar'.

The fake website can then prompt users to submit data such as log-in credentials. Chrome for mobile shows the URL of a webpage when users scroll back to the top, but hackers can even trick the browser into hiding the real URL bar altogether. Moreover, the malicious parties can lock users in what is called a ‘scroll jail', a technique that deceives users into believing that they are scrolling a webpage by even mimicking a fake page refresh response.

While hackers can use a static image of a URL bar to mask the real URL, they can even create an interactive URL bar to make the trick look more believable. “Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate”, Fisher wrote.

He adds that the only chance to identify the trick and verify the real URL is during the page load process, and after that, it is virtually impossible to discern. We tried out the phishing attack proof-of-concept URL on both Chrome for Android and iOS, and found it to work. We've reached out to Google for a comment on the new phishing attack, and will update this space when we hear back.

So far, there have been no reports of malicious parties exploiting the hack to deal damage. But there are a few measures one can take to protect themselves from the “inception bar' hack:

• While browsing a webpage on Chrome for mobile, lock the screen and then unlock it. Doing so will automatically show the real URL bar that was hidden while scrolling through a webpage. In case the inception bar trickery is at work, users will see two URL bars simultaneously – the real one at the top and the doctored one below it.  
• Inception bars often display an incorrect number of tabs, so if you keep a check on the number of webpages you have opened in different tabs, the anomaly can be spotted.
• Chrome's dark mode renders all UI elements black. So, if a hacker has superimposed a fake URL bar, it will appear white or in a different colour. This can also be tested by switching back to the normal mode in order to identify a fake URL bar if the image was created against a dark background. You can also enable the Reader mode or change background themes to spot any suspicious UI element.