Phishing isn't exactly a new topic in regards to cyber security, though new and creative ways of conducting this practice are found often. One such way is the newly discovered and cleverly titled "inception bar".
Courtesy of developer James Fisher, this rather simple trick has been demonstrated in Chrome for mobile and makes use of the browser's behavior in regards to the address bar. While you scroll down, in an effort to give more space to the webpage, Chrome likes to hide the address bar, and that's exactly where this so-called "inception bar" comes in.
As can be seen above, the proof of concept used the HSBC website as a replacement for the real website on which the user was. This is done via something Fisher calls a "scroll jail", whereby the entire content of the page is trapped inside a new element with overflow:scroll, thus creating a sort of browser within a browser - a reference to 2010's Inception and its dreams within dreams concept. Depending on the lengths to which the attacker wants to go, the fake address bar could even be made interactive.
To create a more elaborate illusion, the developer stated that folks with malicious intent could go as far as to add a "very tall padding element at the top of the scroll jail." This would be done to prevent Chrome's normal behavior of re-displaying the address bar when a user scrolls up by simply scrolling the user back down when they try to scroll up into the aforementioned scroll jail. In effect, this would look like a page refresh.
While the illusion could very well be broken by simply navigating to one of Chrome's menus, it's nonetheless a disconcerting, though pretty creative way of implementing a phishing attack.
Source: James Fisher
7 Comments - Add comment