Address bar spoofing makes mobile phishing more powerful

How do you check which website you’re on as quickly as possible? The answer is simple and obvious: You just look at the address bar in your web browser.

Like a street address in the physical world, the URL displayed in a web browser reassures you that you have arrived at the right place, and lets you make other decisions, such as how much to trust what you are looking at, accordingly.

But what if the address bar was lying to you? What if it showed a legitimate website address but was, in fact, a completely different website?

That, in essence, is the threat of address bar spoofing: a phishing technique that exploits vulnerabilities in web browsers to make the address bar show a URL other than the one the user is actually on, typically the address of a legitimate site the attacker wants to impersonate.

The dangers of address bar spoofing

In an address bar spoofing attack the bar shows a trustworthy-looking, legitimate address while the page itself belongs to the attacker. A web page cannot edit the browser's own user interface directly; instead, a script on the malicious page abuses a flaw in how the browser updates or displays the bar, so that the bar keeps showing a URL the attacker chose, or a fake bar made of an image or text is drawn where the real one would be. Attacks of this kind have been around for years on desktop browsers, but in the era of mobile-first computing they have also been found in mobile browser apps, ranging from Apple's Safari and Opera Touch to less well-known ones such as Yandex Browser and Bolt.

Such bugs are usually patched once they are reported, faster by a major vendor such as Apple than by a smaller, more niche developer, but a fix only protects users who actually install it. Keeping the browser up to date is therefore part of the defence.

The potential damage is obvious. Once users believe they are on the genuine site, every other kind of attack becomes easier: tricking them into downloading malicious software, entering passwords or credit card details, or simply accepting misleading information presented under the guise of a trusted brand.

The results can be devastating: stolen funds, identity theft, or further attacks launched against the user and their organization.

Things get worse on mobile

Phishing attacks (social engineering attacks in which an attacker masquerades as a trusted entity to get users to open an email, instant message or text message and act on it) are even harder to detect on mobile.

For one thing, the smaller screen of a mobile phone, compared with a laptop or desktop, makes it harder to read the complete URL of a website in a way that would make discrepancies stand out. Mobile browsers often truncate the URL or show only the main (registrable) domain, so a deceptive subdomain or path is never seen.

Nor can you hover over a link on a phone to preview its target as you can on a computer; that preview is one of the ordinary ways a person notices that the text of a link does not match where it actually leads. Finally, with so many messaging apps through which attackers can deliver links, there are more channels for reaching potential victims.
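The hover check described above, done programmatically, as an added example that is not part of the original article: a small link-vetting routine of the kind a mail gateway or messaging client could run on every link, comparing the text a link shows with the host it really resolves to, and reporting what a truncating mobile address bar would display for the real destination. The two-level suffix list, the watched-brand list and the sample links are constructed stand-ins, not from the article; a real deployment would use the Public Suffix List and its own brand list.

```javascript
// Added example, not code from the original article: vet a link the way a
// desktop user does by hovering, i.e. compare the visible text with the real
// target host. Assumptions (not from the article): the suffix list and the
// watched-brand list are tiny constructed stand-ins for the Public Suffix
// List and a real brand list.

const TWO_LEVEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp", "com.br"]);
const WATCHED_BRANDS = ["paypal.com", "apple.com"]; // constructed sample list

// The part of a hostname a truncating mobile address bar typically shows:
// the registrable domain (simplified: last two labels, or three for the
// suffixes above).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const n = TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// Host that a link's visible text *appears* to point at, or null when the
// text is not URL-like ("Click here", "Sign in", ...).
function apparentHost(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Vet one link. `reasons` lists everything that looks deceptive (empty means
// nothing suspicious); `mobileBarShows` is what a truncating mobile address
// bar would display for the real destination.
function vetLink(displayText, href) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reasons: ["href does not parse as a URL"], realHost: null, mobileBarShows: null };
  }
  const realHost = url.hostname; // WHATWG parsing yields the punycode form for IDN hosts
  const realDomain = registrableDomain(realHost);

  // "https://paypal.com@evil.example/": everything before '@' is userinfo,
  // not the host, but it is what a skimming reader sees first.
  if (url.username !== "") {
    reasons.push(`userinfo "${url.username}" precedes the real host ${realHost}`);
  }

  // An internationalized label surfaces as xn--...; that is the cue for a
  // possible homograph of a familiar brand name.
  if (realHost.split(".").some(label => label.startsWith("xn--"))) {
    reasons.push(`internationalized host ${realHost}`);
  }

  // Visible text names one registrable domain, the link goes to another.
  const shown = apparentHost(displayText);
  if (shown !== null && registrableDomain(shown) !== realDomain) {
    reasons.push(`text shows ${shown} but link goes to ${realHost}`);
  }

  // A watched brand buried in a subdomain of something else
  // (paypal.com.account-verify.example): exactly what a truncated bar hides.
  for (const brand of WATCHED_BRANDS) {
    if (realDomain !== brand && realHost.includes(brand)) {
      reasons.push(`brand ${brand} embedded in unrelated host ${realHost}`);
    }
  }

  return { ok: reasons.length === 0, reasons, realHost, mobileBarShows: realDomain };
}

// Constructed sample links (not real phishing URLs).
const SAMPLE_LINKS = [
  ["Click here", "https://paypal.com/login"],
  ["https://paypal.com/secure", "https://paypal.com.account-verify.example/login"],
  ["paypal.com", "https://paypal.com@evil.example/"],
  ["Sign in", "https://www.аррӏе.com/"], // Cyrillic letters that look like "apple"
];

for (const [text, href] of SAMPLE_LINKS) {
  const r = vetLink(text, href);
  console.log(r.ok ? "OK  " : "WARN", text, "->", href, r.reasons.join("; "));
}
```

The check deliberately works on the parsed hostname rather than on the raw string, because the userinfo and IDN tricks only become visible after parsing; that is the same reason a human reading a truncated mobile bar cannot do this check by eye.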

Phishing attacks exploit human vulnerabilities

Address bar spoofing is far from the only type of phishing users face. Other approaches take the form of, for example, email-based scams that try to fool users into clicking dubious links or giving up personal information. In every case the intention is the same: abuse human trust by misleading users about the action they are being asked to take.

Because phishing exploits human error, part of the defence is training. Users must be educated about the risks they face, above all the danger of clicking links or entering identifying data without being sure they are dealing with who they think they are, and should be encouraged to report suspicious messages rather than ignore them.

Organizations should also adopt two-factor authentication (2FA), which adds a layer of security by requiring something beyond a password when users access protected areas: possession of a personally owned device such as a smartphone, or a biometric such as a fingerprint. With 2FA, a password captured by a phishing page is not enough on its own. One caveat matters here: a one-time code typed into a spoofed page can be relayed to the real site by the attacker in real time, so against address bar spoofing specifically, phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are stronger, because the authenticator is bound to the real site's origin and will not respond to an impostor regardless of what the address bar shows.

Bring in the cybersecurity experts

Bringing in expert anti-phishing solutions is also a smart move, and the tools exist. Beyond rolling out 2FA (including on services that do not offer it by default, for example behind a single sign-on gateway), tools such as Web Application Firewalls (WAF) protect the application itself, blocking malware injection attempts or reflected XSS attacks that a phishing link may try to trigger. A WAF does not, however, stop a user from typing credentials into an attacker's page; for that, phishing-resistant authentication, up-to-date browsers and prompt reporting are the controls that count.

Between proper training and the right cybersecurity tools, you can properly protect your systems and your employees from phishing attacks. It’s one of the smartest investments you can make.
