Google Chrome hit with a new phishing scam that uses a fake address bar to steal passwords




Google Chrome hit with a new phishing scam that uses a fake address bar to steal passwords and credit card information

  • A convincing phishing scam mimics trusted sites with a fake address bar
  • The "inception bar" also keeps unwitting victims from leaving the fake web page
  • From there, fraudsters can steal users' passwords or other sensitive information
  • Google has not said whether it is aware of the problem or whether a fix is coming

A surprisingly simple new phishing method affects Google Chrome's mobile browser, posing as some of victims' most trusted websites.

According to developer Jim Fisher, who has published an article about the exploit on his personal blog, hackers can use a mixture of coding and screenshots to entice victims to give up their personal data.

The scam, which Fisher calls the "inception bar," targets users of Chrome for Android with a fake address bar that displays not only the name of a legitimate website but also an SSL badge – used to check the authenticity of a site – indicating that the page is safe.

A new phishing scam uses screenshots to simulate an address bar and affects Google Chrome users on Android.

When mobile users scroll down in Chrome on Android, the address bar at the top of the page automatically disappears.

Normally, when users scroll back up, the bar reappears, but Fisher shows that he has found a way to trap users in a "scroll prison."

This is essentially a page within a page – hence the name "inception bar" – where even if a user tries to scroll to the top of the page to reach the real address bar, they are forced back, trapped in the fake page.

In a demonstration, Fisher is able to replace the displayed URL of his own website with that of HSBC Bank.

This trick would be useful for crooks who try to hide a malicious webpage in a legitimate page and steal important information from users, such as passwords and credit card information.

Fisher adds that with a little extra coding, the scam could be made more sophisticated by making the fake bar interactive.

"With a little more effort, the page could detect the browser in which it is located and create a creative bar for that browser," Fisher said.

"With even more effort, the starter bar could be made interactive. Even if the user is not fooled by the current page, you can try again after entering 'gmail.com' in the creation bar!"

Google has been working in recent months to include a host of new features designed to combat phishing scams.

It's not clear how users can protect themselves from phishing, Fisher said.

Dailymail.com asked Google to comment on the attack.

"How can you protect yourself from this attack? I do not really know," he says.

"A compromise would be that Chrome keeps a small amount of screen above, instead of literally giving up the entire screen to the web page.

"Chrome could use this space to report that 'the URL bar is currently minimized' [by] displaying the shadow of an almost hidden URL bar," he added.

According to 9to5Google, the best way to check if your address bar has been co-opted by bad actors is to "lock" your phone and then "unlock" it. This method, according to the post, should reveal both bars.

Although Fisher's demo was done on Google Chrome, the scam could potentially affect other browsers with similar features.

Google has continued to introduce a host of new security features that specifically target phishing, including the banning of built-in browsers and other features that warn users when they are browsing a "potentially dangerous" website.

What is "phishing" and how to avoid being ripped off?

Phishing involves cyber criminals who attempt to steal personal information such as online passwords, bank details or money from an unsuspecting victim.

Very often, the criminal will use an email, a phone call or even a fake website claiming to belong to a reputable company.

Criminals can use personal information to complete profiles on a victim, which can be sold on the dark Web.

Cyber criminals will use emails to obtain personal information from victims in order to commit fraud or infect the user's computer for harmful purposes.

Some phishing attempts involve criminals sending infected files in emails in order to take control of the victim's computer.

Any social media or electronic communication can form part of a phishing attempt.

Action Fraud warns that you should never assume that an incoming message comes from a real business, especially if it requests a payment or wants you to log in to an online account.

Banks and other financial institutions will never ask for passwords or other sensitive information via email.

A spam filter should protect against most malicious messages, although the user should never call the number given at the bottom of a suspicious email or follow its link.

Experts advise customers to call the organization directly to find out if the communication attempt is genuine.

According to Action Fraud: "Phishing emails make you want to visit fake websites.

"They usually have a big excuse to follow up on the email. They tell you, for example, that your bank details have been compromised or pretend to be from a company or agency and you are entitled to a refund, a discount, a reward or a discount.

"The e-mail prompts you to follow a link to enter crucial information, such as your login credentials, your personal information, your bank details or any other item that may be used to scam you.

"Phishing e-mail can also encourage you to download an attachment. The email indicates that this is a useful item, such as a coupon to use as a discount, a form to fill out to claim a tax refund, or software to secure your phone or computer.

"In reality, this is a virus that infects your phone or computer with malware, designed to steal all the personal or banking information you have stored or to hold your device to ransom to make you pay a fee."

Source: Action Fraud
