Did you think your mobile browser protected you from phishing attacks?
A research project called PhishFarm suggests otherwise,
claiming that mobile browsers protected by Google’s anti-phishing mechanism failed to detect any phishing sites between mid-2017 and late 2018. The study came from the Laboratory of Security Engineering for Future Computing (SEFCOM) (part of the Center for Cybersecurity and Digital Forensics at Arizona State University). The Anti-Phishing Working Group and PayPal also supported the work. Browser vendors identify phishing sites and typically add them to a blocklist, which the browsers will then use to stop you getting onto those sites. Google Safe Browsing (GSB) is one such blocklist, and it protects not only Google’s Chrome browser but also Safari and Firefox. Microsoft has its own blocklist, called SmartScreen, protecting its IE and Edge browsers.
Using cloaking techniques to hide their sites from certain viewers, phishing scammers hope to prevent their sites from falling onto these blocklists. The academic study shows that these cloaking techniques have been working. It also revealed a massive hole in GSB’s mobile browser protection that existed for over a year. The researchers created 2,380 phishing sites on new .com domains. They used one of five cloaking techniques for each site, based on the techniques used by real phishing kits, along with a control group using no cloaking.