Did you think your mobile browser protected you from phishing attacks?
The study came from the Laboratory of Security Engineering for Future Computing (SEFCOM) (part of the Center for Cybersecurity and Digital Forensics at Arizona State University). The Anti-Phishing Working Group and PayPal also supported the work.
Browser vendors identify phishing sites and typically add them to a blocklist, which the browsers will then use to stop you getting onto those sites. Google Safe Browsing (GSB) is one such blocklist, and it protects not only Google’s Chrome browser but also Safari and Firefox. Microsoft has its own blocklist, called SmartScreen, protecting its IE and Edge browsers.
Using cloaking techniques to hide their sites from certain viewers, phishing scammers hope to prevent their sites from falling onto these blocklists. The academic study shows that these cloaking techniques have been working. It also revealed a massive hole in GSB’s mobile browser protection that existed for over a year.
The researchers created 2,380 phishing sites on new .com domains. They used one of five cloaking techniques for each site, based on the techniques used by real phishing kits, along with a control group using no cloaking.
Each cloaking technique showed the phishing page only to one of the following viewer groups and blocked everyone else:
- A – Control group. No cloaking.
- B – Android or iOS devices.
- C – US users running GSB-protected browsers (Chrome, Firefox, or Safari) on Windows, Mac, or Linux.
- D – Non-US users running GSB-protected browsers (Chrome, Firefox, or Safari) on Windows, Mac, or Linux.
- E – Non-security entities (IP addresses and hostnames not associated with a security entity).
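A defender-side check that the viewer groups above motivate, added here as an example and not taken from the paper or the article: a blocklist crawler fetches a suspect URL with several client profiles (mirroring the groups the cloaking filters key on) and flags the URL when different profiles are served different responses. The profiles, the fetcher signature and the two stand-in phishing servers are constructed for the example; a real crawler would route each profile through a matching egress network (residential vs. security-vendor address space, US vs. non-US).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class ClientProfile:
    name: str
    user_agent: str
    country: str           # assumed: country of the crawler's egress IP
    security_entity: bool  # assumed: egress IP/hostname is publicly tied to a security vendor

# Constructed profiles mirroring the viewer groups the cloaking filters distinguish
PROFILES = [
    ClientProfile("desktop-US-security-vendor", "Mozilla/5.0 (Windows NT 10.0) Chrome/70", "US", True),
    ClientProfile("desktop-US-residential", "Mozilla/5.0 (Windows NT 10.0) Chrome/70", "US", False),
    ClientProfile("desktop-DE-residential", "Mozilla/5.0 (Macintosh) Chrome/70", "DE", False),
    ClientProfile("mobile-US-residential", "Mozilla/5.0 (Linux; Android 9) Chrome/70 Mobile", "US", False),
]

Fetcher = Callable[[str, ClientProfile], Tuple[int, bytes]]

def response_signature(status: int, body: bytes) -> Tuple[int, bool]:
    # Coarse signature: legitimate sites vary markup by device, so a raw body hash would
    # flag every responsive site. Status plus "does the page ask for a password" is the signal.
    return status, b'type="password"' in body.lower()

def cloaking_report(url: str, fetch: Fetcher, profiles=PROFILES) -> Dict[Tuple[int, bool], List[str]]:
    """Fetch url once per profile and group profile names by what they were served."""
    groups: Dict[Tuple[int, bool], List[str]] = {}
    for p in profiles:
        sig = response_signature(*fetch(url, p))
        groups.setdefault(sig, []).append(p.name)
    return groups

def is_cloaked(report: Dict[Tuple[int, bool], List[str]]) -> bool:
    # Two or more distinct signatures means different viewers got different pages.
    return len(report) > 1

# Constructed stand-ins for servers, so the example runs offline.
def mobile_only_phish(url: str, p: ClientProfile) -> Tuple[int, bytes]:
    # Behaves like filter B: only mobile user agents see the credential form.
    if "Mobile" in p.user_agent:
        return 200, b'<form><input type="password" name="pw"></form>'
    return 404, b"Not Found"

def non_security_phish(url: str, p: ClientProfile) -> Tuple[int, bytes]:
    # Behaves like filter E: everyone except known security entities sees the form.
    if p.security_entity:
        return 200, b"<html>Under construction</html>"
    return 200, b'<form><input type="password" name="pw"></form>'
```

The report also tells the analyst which profile was served the credential form, which is the profile a real crawler would need to look like before it can see the page it wants to blocklist.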
They tested these techniques against 10 anti-phishing mechanisms offered by major companies and found them wanting. Only 23% of the phishing URLs crawled were blocked by at least one browser, the researchers said.
They also found a worrying gap in mobile browser protection:
We identified a gaping hole in the protection of top mobile web browsers: shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection.
Mobile versions of Chrome, Firefox and Safari failed to identify any of the test phishing sites protected with filters E and F, and would not even identify the same sites when uncloaked (group A), the researchers explain. The problem was down to a new mobile application programming interface (API) in Google Safe Browsing that was supposed to optimize data usage but in fact broke protection for mobile browsers.
The researchers are especially concerned about this given the increasing proportion of mobile traffic on the web.
Microsoft’s Edge, protected by the company’s SmartScreen technology, was the best-performing browser in the PhishFarm tests, according to the paper. This is because it was the only native anti-phishing blocklist that used heuristics to evaluate new URLs on the fly, looking for telltale signs such as deceptive domain names.
What would be great, the researchers added, is if each browser blocklist shared information with the others. GSB and SmartScreen do not currently share data with each other, according to the report. Third-party clearing houses like the Anti-Phishing Working Group (APWG) and PhishTank provided more standardized protection across all browsers, but their timeliness and accuracy were not as good as the blocklists controlled directly by the browser vendors:
Closer cooperation could thus not only speed up [blocklisting], but also ensure that malicious sites are blocked universally.
The researchers have since worked with Google to fix the problem, so mobile browsers are now better protected. Still, this shows that for the best protection of all you might want to use a combination of systems from multiple vendors – along with good old-fashioned common sense. Always think twice before clicking on a link, and ideally use bookmarks or enter the address manually when visiting online services.