Did you think your mobile browser protected you from phishing attacks?
A research project called PhishFarm suggests otherwise, claiming that mobile browsers protected by Google’s anti-phishing mechanism failed to detect any phishing sites between mid-2017 and late 2018. The study came from the Laboratory of Security Engineering for Future Computing (SEFCOM), part of the Center for Cybersecurity and Digital Forensics at Arizona State University. The Anti-Phishing Working Group and PayPal also supported the work. Browser vendors identify phishing sites and typically add them to a blocklist, which the browsers then consult to stop you from reaching those sites. Google Safe Browsing (GSB) is one such blocklist, and it protects not only Google’s Chrome browser but also Safari and Firefox. Microsoft has its own blocklist, called SmartScreen, which protects its IE and Edge browsers.
Using cloaking techniques to hide their sites from certain viewers, phishing scammers hope to prevent their sites from falling onto these blocklists. The academic study shows that these cloaking techniques have been working. It also revealed a massive hole in GSB’s mobile browser protection that existed for over a year. The researchers created 2,380 phishing sites on new .com domains. They used one of five cloaking techniques for each site, based on the techniques used by real phishing kits, along with a control group using no cloaking.
Mobile versions of Chrome, Firefox and Safari failed to identify any of the test phishing sites protected with filters E and F, and would not even identify the same sites when they were uncloaked (group A), the researchers explain. The problem was down to a new mobile application programming interface (API) in Google Safe Browsing that was supposed to optimize data usage but, in fact, broke protection for mobile browsers.
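The article describes cloaking as serving a different page depending on who is asking, so that the blocklist's crawler never sees the phishing content. A defender-side check for that is to fetch a suspect URL under several client profiles and flag any URL whose body changes with the requester. The Python below is an added illustration of that probe, not code from the PhishFarm study; the profile headers, the `fixture_fetch` function and the two example URLs are constructed placeholders standing in for live HTTP requests.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Request profiles a blocklist operator could crawl a suspect URL with.
# Header values are constructed placeholders, not real crawler identities.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"},
    "mobile":  {"User-Agent": "Mozilla/5.0 (Linux; Android 8.0) Mobile Chrome/66"},
    "crawler": {"User-Agent": "ExampleScanner/1.0 (constructed)"},
}

@dataclass
class ProbeResult:
    url: str
    digests: Dict[str, str] = field(default_factory=dict)   # profile -> body hash
    cloaked: bool = False                                    # page depends on requester
    outliers: List[str] = field(default_factory=list)       # profiles shown the minority page

def probe(url: str, fetch: Callable[[str, str, Dict[str, str]], str],
          profiles: Dict[str, Dict[str, str]] = PROFILES) -> ProbeResult:
    """Fetch `url` once per profile; fetch(url, profile_name, headers) -> body.
    A consistent page is not proof of safety, but a body that changes with the
    requester is a strong hint that a blocklist crawler is being shown a decoy."""
    result = ProbeResult(url=url)
    for name, headers in profiles.items():
        body = fetch(url, name, headers)
        result.digests[name] = hashlib.sha256(body.encode()).hexdigest()
    majority = Counter(result.digests.values()).most_common(1)[0][0]
    result.outliers = sorted(n for n, d in result.digests.items() if d != majority)
    result.cloaked = bool(result.outliers)
    return result

# Constructed offline fixture standing in for live HTTP responses: one site
# answers everyone alike, the other hands the crawler profile a harmless
# placeholder while ordinary desktop and mobile visitors get the login form.
_LOGIN = "<form>Enter your password</form>"
_FIXTURE = {u: {p: _LOGIN for p in PROFILES} for u in ("http://plain.example/", "http://cloaked.example/")}
_FIXTURE["http://cloaked.example/"]["crawler"] = "<p>404 Not Found</p>"   # decoy for the crawler only

def fixture_fetch(url: str, profile: str, headers: Dict[str, str]) -> str:
    # Test double: a real fetcher would issue an HTTP GET with `headers`.
    return _FIXTURE[url][profile]

if __name__ == "__main__":
    for u in _FIXTURE:
        r = probe(u, fixture_fetch)
        print(u, "cloaked, decoy shown to:" if r.cloaked else "consistent", r.outliers)
```

In practice the profiles would also vary source IP and Referer, since the study notes that real phishing kits filter on more than the user agent; the divergence logic stays the same.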