Updated: Aug 8, 2019
False login pages are a common method of phishing login credentials from users. If a website looks legit, it’s easy for your muscle memory to kick in and for you to start typing your username and password without checking that the URL is correct (or the website is legitimate). Complicating matters is a new issue, recently profiled by developer Jim Fisher, that shows just how easy it is for a website to use a fake address bar to make you think you’re somewhere you’re not.
Usually, you can take a peek at the padlock icon to the left of the address bar to figure out whether a website is authentic or not. Don’t put blind trust in that little graphic, however, as phishers have devised a way for mobile web pages to display fake URL bars in Chrome that include the padlock icon and a replacement URL. This “inception bar,” as it's known, replaces the real address bar in your browsing window. If you aren’t paying much attention, you might assume that your browser is working as intended.
This entire trick is possible because the UI on the mobile version of Chrome often disappears as you scroll down a page, and a website’s own code can prevent the UI, including the URL bar, from reappearing. As Fisher describes:
This is bad, but it gets worse. Normally, when the user scrolls up, Chrome will re-display the true URL bar. But we can trick Chrome so that it never re-displays the true URL bar! Once Chrome hides the URL bar, we move the entire page content into a “scroll jail” - that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail! Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser. But it gets even worse! Even with the above “scroll jail”, the user should be able to scroll to the top of the jail, at which point Chrome will re-display the URL bar. But we can disable this behavior, too! We insert a very tall padding element at the top of the scroll jail. Then, if the user tries to scroll into the padding, we scroll them back down to the start of the content! It looks like a page refresh.
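The scroll jail Fisher describes leaves a structural fingerprint: a container the size of the viewport that scrolls instead of the document, whose first child is a tall, text-free spacer. What follows is an added example, not code from this article or from Fisher’s demo: a heuristic that flags that layout. It works on a plain-object description of the page so it runs offline; `modelFromDom`, the `box` helper and both sample layouts are this example’s own constructions, and `modelFromDom` assumes it is run from DevTools on a live page.

```javascript
// Heuristic check for an "inception bar" scroll jail: a full-viewport
// container that scrolls instead of the document and starts with a tall,
// empty spacer. Works on a plain-object layout model so it runs offline.
function looksLikeScrollJail(el, viewportHeight) {
  const scrolls = el.overflowY === "scroll" || el.overflowY === "auto";
  const fillsViewport = Math.abs(el.height - viewportHeight) <= 2;
  if (!scrolls || !fillsViewport) return false;
  const first = el.children[0];
  // The spacer is at least a screen tall and carries no text at all.
  const tallEmptySpacer = Boolean(first) && first.height >= viewportHeight && first.textLength === 0;
  // The real content lives inside the jail, so it scrolls far beyond its box.
  const contentInside = el.scrollHeight > el.height * 2;
  return tallEmptySpacer && contentInside;
}

// Depth-first walk; returns the ids of every element that matches.
function findScrollJails(root, viewportHeight) {
  const hits = [], stack = [root];
  while (stack.length) {
    const el = stack.pop();
    if (looksLikeScrollJail(el, viewportHeight)) hits.push(el.id);
    stack.push(...el.children);
  }
  return hits;
}

// In a browser, build the same model from live elements (assumption: run
// from DevTools on the page being examined, e.g. modelFromDom(document.body)).
function modelFromDom(node) {
  const cs = getComputedStyle(node), rect = node.getBoundingClientRect();
  return { id: node.id || node.tagName.toLowerCase(), overflowY: cs.overflowY,
    height: rect.height, scrollHeight: node.scrollHeight,
    textLength: node.textContent.trim().length,
    children: Array.from(node.children).map(modelFromDom) };
}

// Constructed sample layouts (not captured from any real site).
const VIEWPORT = 640;
const box = (id, overflowY, height, scrollHeight, textLength, children = []) =>
  ({ id, overflowY, height, scrollHeight, textLength, children });
const SUSPICIOUS_PAGE = box("body", "visible", 640, 640, 5020, [
  box("jail", "scroll", 640, 9000, 5020, [
    box("spacer", "visible", 4000, 4000, 0),     // tall empty padding
    box("fake-bar", "visible", 56, 56, 20),      // drawn-in "URL bar"
    box("content", "visible", 4300, 4300, 5000), // the actual page
  ]),
]);
const NORMAL_PAGE = box("body", "visible", 3000, 3000, 5000, [box("main", "visible", 3000, 3000, 5000)]);
```

`findScrollJails(SUSPICIOUS_PAGE, VIEWPORT)` returns `["jail"]` and the normal layout returns nothing; a legitimate site with a full-height scrolling panel can still trip the check, so treat a hit as a reason to use the lock/unlock test above rather than as proof.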
You can force the Chrome app to show the UI, even if the website normally blocks it. All you have to do is lock your phone screen while the Chrome app is open, then unlock it. This resets the Chrome app window so that the UI will display. If the URL is a fake, you’ll see two URL bars displayed—the one on top is the true URL, and the one on the bottom is the inception bar.
If you’re browsing with multiple tabs open, keep a close eye on the number displayed in the tabs icon. Inception bars will often display incorrect numbers here.
The new dark mode in Chrome Android makes it easier to spot inception bars, too. When dark mode is enabled, the URL bar and other UI elements will be black, so (fake) white URL bars are easier to spot—or vice versa, if you’re using the normal Chrome mobile UI theme and the fake URL is black. This is also true when using reader mode, simpler UI modes, or alternate themes in Chrome mobile that change the way the URL bar looks.