For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week.
“We identified a gaping hole in the protection of top mobile web browsers,” the research team said.
“Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection.”
The issue only impacted mobile browsers that sued the Google Safe Browsing link blacklisting technology.
The research team — consisting of academics from Arizona State University and PayPal staff — notified Google of the problem, and the issue was fixed in late 2018.
“Following our disclosure, we learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended,” researchers said.
PHISHFARM RESEARCH PROJECT
The discovery of this significant security bug came during an academic research project named PhishFarm, started in early 2017.
During PhishFarm, researchers created and deployed 2,380 phishing pages mimicking the PayPal login page. Researchers didn’t measure how fast their URLs landed on URL blacklists. This type of research has been done in the past.
Instead, they focused on deploying phishing pages with “cloaking techniques” aimed at tricking URL blacklist technologies and then recording the time it took for these “cloaked” phishing pages to land on lists of “dangerous sites” — or if they landed at all.
For PhishFarm, researchers tested URL blacklists such as Google Safe Browsing, Microsoft SmartScreen, and those managed by US-CERT, the Anti-Phishing Working Group, PayPal, PhishTank, Netcraft, WebSense, McAfee, and ESET.
Further, the research team’s phishing pages also used six (actually five) cloaking techniques researchers said they’ve seen used by phishing kits in the real-world:
– Cloak A – allow all users to view the phishing page, aka a no-cloak mode used as a baseline for all detections
– Cloak B – allow only users from mobile devices
– Cloak C – allow only US users from desktop devices
– Cloak D – allow only non-US users from desktop devices
– Cloak E – block visitors from IP addresses known to be associated with security vendors
Results varied per URL blacklists and cloaking technique [check graphs at the end of the research paper], but the thing that stood out during their research was that cloaks A, E, and F had zero detections on mobile browsers that were using Google’s Safe Browsing URL blacklist.
When researchers repeated their tests in mid-2018, they got the same results, at which point they realized that Google’s Safe Browsing technology was not working as intended on mobile devices. [Cloak A was effectively a “no cloak,” meaning that Safe Browsing was not alerting users about any phishing pages, even if they used cloaking technologies or not — effectively not working at all].
The issue was eventually fixed by the end of 2018, researchers said.
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 server
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 serverSome of the world’s biggest companies have had 750GB worth of their innermost secrets revealed on unsecured Amazon S3 buckets, available for anybody to download – no...
New Microsoft Excel Attack SurfacesResearchers have identified a security hole in Microsoft Office’s Excel spreadsheet program that allows an attacker to trigger a malware attack on remote systems. A feature in Microsoft Office’s Excel spreadsheet program called Power...
Malicious URL attacks using HTTPS surge across the enterpriseCyberattacks launched against the enterprise which makes use of the HTTPS protocol are increasing alongside spoofing and cloud-based threats, new research suggests. According to FireEye's Q1 2019 Email...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!