URL spoofing flaw prevents mobile victims from telling fake sites from real ones

A URL address bar spoofing vulnerability, if left unpatched, could lead mobile browser users to a fraudulent website where attackers steal their account credentials and credit card information.

Tod Beardsley, research director at Rapid7, which disclosed the vulnerability, said the flaw, which has been patched by most major browser vendors, is an example of CWE-451 from the list of common weaknesses. This is concerning because victims on mobile devices cannot tell the difference between the real site and the fake site the victims land on.

In its most common iteration, a user would either be tricked into clicking a link on a forum (Reddit) or social media site, or receive a text on their mobile device with a link that directs them to the fraudulent site. Either way, once the user clicks, they are asked to provide something, whether it is credentials or credit card information.

“I can’t really tell the difference,” Beardsley said. “The mobile address bar is so small that it is literally impossible to distinguish between the real site and the fraudulent site.”

Beardsley said many of the major browser vendors, such as Apple Safari and Opera, have already released patches for the vulnerability, which was discovered last summer by researcher Rafay Baloch. Rapid7 has also heard from Yandex and RITS, who have indicated that they intend to release a fix. UC and Bolt, which were also affected by the vulnerability, have yet to contact Rapid7 about a fix.

While the vulnerability has been fixed for the vast majority of mobile users and there really isn’t any imminent danger, Beardsley said he fears the technique might fall into the wrong hands, for example, a bad actor who wanted to spread false information about COVID-19.

Hank Schless, senior director of security solutions at Lookout, said URL spoofing has become one of the most common ways to trick users into clicking on a phishing link, especially on mobile devices.

“Mobile phishing attacks can be delivered through countless methods, such as text messages, emails, social media platforms and third-party messengers,” Schless said. “We are all used to tapping on links that are sent to our mobile devices. Think of the countless delivery notifications you receive when you buy something online and how quickly you hit the link to check for tracking information. And because the screen is smaller, it’s really hard to identify a spoofed URL with inconspicuous changes. For example, an attacker can add an accent or special character to a letter in the address that a user wouldn’t even notice.”
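The accented-letter trick Schless describes can be checked mechanically on the defender's side, for instance in a link-scanning gateway or a mail filter. The following Python is an added example written for this article, not code from Rapid7, Lookout or any browser vendor; the sample URLs and expected hostnames are constructed, and `analyze_host` and `is_suspicious` are names chosen here.

```python
import unicodedata
from urllib.parse import urlsplit

def script_of(ch):
    """Rough script label taken from the Unicode name: 'LATIN', 'CYRILLIC', ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def analyze_host(url):
    """Describe the hostname of a URL in the ways a spoof check cares about."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Strip combining marks so that "e with accent" collapses to "e": this is
    # roughly what the eye does with an accented letter in a tiny address bar.
    decomposed = unicodedata.normalize("NFD", host)
    skeleton = "".join(c for c in decomposed if not unicodedata.combining(c))
    scripts = {script_of(c) for c in host if c.isalpha()}
    try:
        # Punycode form (xn--...) is what the browser actually resolves.
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
    return {
        "host": host,
        "skeleton": skeleton,
        "ascii_form": ascii_form,
        "non_ascii": any(ord(c) > 127 for c in host),
        "mixed_script": len(scripts) > 1,
    }

def is_suspicious(url, expected_host):
    """True when the host is not the expected one but could pass for it visually.
    Pure-ASCII lookalikes (digit 1 for letter l, etc.) need a separate check."""
    r = analyze_host(url)
    if r["host"] == expected_host:
        return False
    return r["skeleton"] == expected_host or r["mixed_script"] or r["non_ascii"]

if __name__ == "__main__":
    # Constructed sample links; "\u0430" is a Cyrillic small a that looks like Latin a.
    samples = [
        ("https://example.com/login", "example.com"),
        ("https://ex\u00e4mple.com/login", "example.com"),
        ("https://p\u0430ypal.com/", "paypal.com"),
    ]
    for url, expected in samples:
        r = analyze_host(url)
        print(f"{url:32} -> {r['ascii_form']}  suspicious={is_suspicious(url, expected)}")
```

The punycode form is the one worth showing to a user or logging, since the accented or mixed-script label that fooled the eye becomes an obvious `xn--` string there.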
