Mobile browsers failed to show phishing warning signs!

threatcop
3 min read · May 25, 2019

According to a research paper published this week, mobile browsers such as Firefox, Safari and Google Chrome failed to show phishing warnings to users. Between mid-2017 and late 2018, these browsers did not show any blacklist warnings even though their security settings implied blacklist protection. Only mobile browsers that used Google Safe Browsing link blacklisting technology were affected.

The significant security bug was discovered during an academic research project named PhishFarm that started in early 2017. During the project, the researchers created and deployed 2,380 phishing pages that mimicked the PayPal login page. The research team consisted of academic staff from Arizona State University and PayPal staff. The issue was fixed in late 2018.

Researchers tested URL blacklists such as Microsoft SmartScreen, Google Safe Browsing and those managed by US-CERT, Netcraft, the Anti-Phishing Working Group, PayPal, McAfee, PhishTank, WebSense and ESET.

Later, it was discovered that the inconsistency in mobile GSB blacklisting was caused by the transition to a new mobile API designed to optimize data usage. However, the new API did not behave as expected and failed to perform its intended function.

The phishing pages were deployed with “cloaking techniques” that were intended to trick URL blacklist technologies, and the time it took for these “cloaked” phishing pages to land on lists of “dangerous sites” was recorded.

The researchers used simple cloaking techniques that represent real-world attacks, including those based on device type, geolocation or JavaScript. On average, these were effective in reducing the probability of blacklisting by more than 55%.

The phishing pages also used six cloaking techniques that researchers said they’ve seen used by phishing kits in the real world:

- Cloak A — allows users to view the phishing page, i.e. a no-cloak mode used as a baseline for each detection

- Cloak B — allows only mobile device users

- Cloak C — allows U.S. users from desktop devices

- Cloak D — allows non-U.S. users from desktop devices

- Cloak E — blocks visitors from IP addresses that are known to be associated with security vendors

- Cloak F — allows browsers where JavaScript is enabled
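As an added illustration (not code from the PhishFarm paper or from this post), the sketch below models the six cloaks as visitor filters and checks which of them a set of blacklist-crawler vantage points would never be served. The `Profile` fields and function names are hypothetical, and each cloak is simplified to the single condition listed above.

```python
from dataclasses import dataclass
from itertools import combinations, product

@dataclass(frozen=True)
class Profile:
    """One crawler vantage point (hypothetical model, not a real crawler API)."""
    mobile: bool     # presents itself as a mobile device
    us: bool         # egress IP geolocates to the U.S.
    vendor_ip: bool  # egress IP is known to belong to a security vendor
    js: bool         # executes JavaScript

# Cloaks A-F from the list above: "is the page served to this visitor?"
CLOAKS = {
    "A": lambda p: True,                      # no cloak, baseline
    "B": lambda p: p.mobile,                  # mobile devices only
    "C": lambda p: p.us and not p.mobile,     # U.S. desktop only
    "D": lambda p: not p.us and not p.mobile, # non-U.S. desktop only
    "E": lambda p: not p.vendor_ip,           # security-vendor IPs blocked
    "F": lambda p: p.js,                      # JavaScript required
}

def seen_by(profile):
    """Cloaks whose page content this vantage point would receive."""
    return {name for name, served in CLOAKS.items() if served(profile)}

def blind_spots(fleet):
    """Cloaks that no vantage point in the fleet is ever served."""
    covered = set().union(*map(seen_by, fleet))
    return sorted(set(CLOAKS) - covered)

def smallest_covering_fleet(candidates):
    """Brute-force the smallest set of vantage points with no blind spots."""
    for size in range(1, len(candidates) + 1):
        for fleet in combinations(candidates, size):
            if not blind_spots(fleet):
                return list(fleet)
    return []

# Every combination of the four attributes (16 constructed profiles).
ALL_PROFILES = [Profile(*bits) for bits in product([False, True], repeat=4)]

if __name__ == "__main__":
    # Constructed example: one desktop U.S. crawler on a vendor IP, no JS.
    naive = [Profile(mobile=False, us=True, vendor_ip=True, js=False)]
    print("single crawler never sees cloaks:", blind_spots(naive))
    for p in smallest_covering_fleet(ALL_PROFILES):
        print(p, "->", sorted(seen_by(p)))
```

In this model no single vantage point can be served all six cloaks, because B, C and D each require a different device and location combination.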

Results varied by URL blacklist and cloaking technique. During the research, zero detections were found on the mobile browsers that used Google’s Safe Browsing URL blacklist in cloaks A, E, and F.

When the tests were repeated in mid-2018, the results were found to be the same. At this point, it was realized that Google’s Safe Browsing technology was not working on mobile devices as expected. In the case of Cloak A, Safe Browsing was not able to alert users about phishing pages, whether or not they used cloaking technologies. This issue was also eventually fixed by the end of 2018.

Preventive measures:

1. Ensure that applications are downloaded only from trusted sources.

2. Disable the setting that allows downloading applications from untrusted sources.

3. Do not click on links that seem suspicious.
