iPhone phishing - What you see, isn't what you get

Published: 2010-11-29
Last Updated: 2010-11-29 20:34:42 UTC
by Stephen Hall (Version: 1)
4 comment(s)

Over at our sister site, the SANS Security Institute, the Application Security Street Fighter Blog brings us proof that what you see isn't what you get, at least with the latest in phishing techniques on a mobile platform.

With many financials pushing to have their customers access their accounts via mobile devices, they should be aware of this technique for spoofing site identification. The threat? The URI bar at the top of the browser page. Fair game, it would appear.

Steve Hall

ISC Handler

Keywords: iphone phishing


Firefox 4 beta for Android seems to hide the address bar after the page loads as well. Seems like the same techniques would apply to it.
All recent mobile devices seem to follow this same logic so I assume all are at risk, iPhone was just the one the person chose to test. It also seems that this is just a display of a graphic that looks like the URL banner that the browser renders. It could fool a novice user or one in a hurry but I don't think their suggested solutions will help for either of these. They will just confuse the user or be skipped over.

Note this could be launched on any browser that doesn't keep the URL bar in view, you can disable this view on Firefox and Safari on your desktop (few probably do though). This may be more of a user training issue to address as screen real estate is just too valuable on a 3-4 inch screen to keep something static up like that.
And to think that those in the itsec world worked all those years ago to stop the hiding of address bars on browser popup windows and other attempts to obfuscate the true URL... makes me wonder whether browser makers have lost track again.

I actually did think that this "feature" of Safari on the iPhone was a bit of a worry when I first scored one from work, seems that it's only taken 3 years to see some mention.
Does it really matter anymore? Most people don't EVER look at the url and even if they did, they wouldn't know what to make of it.
It's time to focus on new ways to authenticate a site for normal folks, because the techie, geeky ways (digital certificates, domain name verification, green address bars, etc.) definitely don't work...