Google-protected mobile browsers were open to phishing for over a year
Did you think your mobile browser protected you from phishing attacks?
A research project called PhishFarm suggests otherwise: it reports that the mobile versions of browsers relying on Google’s anti-phishing blocklist showed no warnings for any of the researchers’ phishing sites between mid-2017 and late 2018.
The study came from the Laboratory of Security Engineering for Future Computing (SEFCOM) (part of the Center for Cybersecurity and Digital Forensics at Arizona State University). The Anti-Phishing Working Group and PayPal also supported the work.
Browser vendors identify phishing sites and typically add them to a blocklist, which the browsers will then use to stop you getting onto those sites. Google Safe Browsing (GSB) is one such blocklist, and it protects not only Google’s Chrome browser but also Safari and Firefox. Microsoft has its own blocklist, called SmartScreen, protecting its IE and Edge browsers.
Phishing scammers use cloaking techniques, serving the phishing page only to visitors that look like victims and a harmless page to everyone else, in the hope of keeping their sites off these blocklists. The academic study shows that cloaking is working. It also revealed a massive hole in GSB’s mobile browser protection that existed for over a year.
The researchers created 2,380 phishing sites on new .com domains. Each site was assigned one of five configurations: a control group with no cloaking, plus four cloaking techniques modelled on the filters found in real phishing kits.
Each cloaked site showed its phishing content only to the following groups and hid it from everyone else:
- A – Control group. No cloaking.
- B – Android or iOS devices.
- C – US users running GSB-protected browsers (Chrome, Firefox, or Safari) on Windows, Mac, or Linux.
- D – Non-US users running GSB-protected browsers (Chrome, Firefox, or Safari) on Windows, Mac, or Linux.
- E – Non-security entities (IP addresses and hostnames not associated with a security entity).
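The groups above are easy to model as request filters, and doing so shows why a blocklist crawler that always looks like one kind of client misses cloaked sites. The Python below is an added example, not code from the PhishFarm project or from any phishing kit: it encodes filters A–E as the article describes them, then asks which filters a given fleet of crawler profiles can see through. The `Visitor` fields, the sample fleets and the helper names are assumptions constructed for illustration; a real kit reads the same signals from the User-Agent header, IP geolocation and IP reputation lists.

```python
"""Model of the PhishFarm cloaking groups A-E and a coverage check for a
blocklist crawler fleet.  Added example; attribute names and sample
profiles are constructed assumptions, not data from the study."""
from dataclasses import dataclass

MOBILE_OS = {"android", "ios"}
DESKTOP_OS = {"windows", "mac", "linux"}
GSB_BROWSERS = {"chrome", "firefox", "safari"}   # browsers protected by Google Safe Browsing


@dataclass(frozen=True)
class Visitor:
    """What a cloaked page can infer from a single HTTP request (assumed fields)."""
    os: str                 # parsed from User-Agent
    browser: str            # parsed from User-Agent
    country: str            # ISO code from IP geolocation
    security_entity: bool   # IP/hostname matches a known security vendor or crawler


def is_gsb_desktop(v: Visitor) -> bool:
    return v.os in DESKTOP_OS and v.browser in GSB_BROWSERS


# Each filter returns True when the phishing content is shown to the visitor;
# any other visitor gets a benign decoy page instead.
CLOAKING_FILTERS = {
    "A": lambda v: True,                                    # control, no cloaking
    "B": lambda v: v.os in MOBILE_OS,                       # mobile devices only
    "C": lambda v: is_gsb_desktop(v) and v.country == "US", # US desktop GSB browsers
    "D": lambda v: is_gsb_desktop(v) and v.country != "US", # non-US desktop GSB browsers
    "E": lambda v: not v.security_entity,                   # hide from security entities
}


def serves_phish(group: str, visitor: Visitor) -> bool:
    """Would a site using cloaking group `group` show its phishing page to `visitor`?"""
    return CLOAKING_FILTERS[group](visitor)


def uncovered_groups(crawlers: list[Visitor]) -> list[str]:
    """Cloaking groups that none of the crawler profiles in the fleet sees through.

    A site using any returned group can be crawled from every profile in
    the fleet and still never reveal its phishing content to the blocklist.
    """
    return sorted(
        group for group, shows in CLOAKING_FILTERS.items()
        if not any(shows(c) for c in crawlers)
    )


# Constructed sample fleets.
# A single Linux datacenter crawler, its IP already known as a security entity:
NAIVE_FLEET = [Visitor("linux", "chrome", "US", True)]
# A fleet that varies OS, browser and geography and egresses from unflagged addresses:
DIVERSE_FLEET = [
    Visitor("linux", "chrome", "US", False),
    Visitor("windows", "firefox", "DE", False),
    Visitor("android", "chrome", "US", False),
    Visitor("ios", "safari", "GB", False),
]

if __name__ == "__main__":
    for name, fleet in (("naive", NAIVE_FLEET), ("diverse", DIVERSE_FLEET)):
        print(f"{name} fleet misses cloaking groups: {uncovered_groups(fleet) or 'none'}")
```

With the naive fleet, group C is the only cloaked configuration the crawler ever sees; a mobile-only kit (B), a non-US kit (D) and a kit that simply hides from known security IPs (E) are never observed, so none of their URLs can be added to the blocklist. The diverse fleet covers every group, which is the practical lesson: crawl each URL from several client profiles (mobile and desktop user agents, several countries, addresses not attributable to the scanner) and treat a page that differs between profiles as a cloaking signal in its own right.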
They tested these configurations against 10 anti-phishing mechanisms offered by major companies and found them wanting: only 23% of the phishing URLs that were crawled ended up blocked by at least one browser, the researchers said.
They also found a worrying gap in mobile browser protection:
We identified a gaping hole in the protection of top mobile web browsers: shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection.