Cyber Citadel

Address Bar Flaw and Rise in Spear-Phishing During Covid-19

How a mobile browser vulnerability and the explosion in spear-phishing attacks during the pandemic are putting hundreds of millions of users at risk.



Cybercriminals increased their rates of spear-phishing attacks by 667 per cent this year due to Covid-19 and online dependency, according to IT security company Barracuda Networks.

Spear-phishing is a targeted form of phishing in which attackers craft highly personalised emails designed to trick specific individuals into revealing sensitive information, clicking malicious links or downloading malware. Unlike traditional phishing, which casts a wide net, spear-phishing leverages research about the target to make the deceptive communication appear legitimate and trustworthy.

Compounding this threat, Cyber Citadel Lead Security Researcher Rafay Baloch and Rapid7 Director of Research Tod Beardsley disclosed a critical vulnerability affecting the address bars of multiple mobile web browsers. The affected browsers include Safari, Opera, Yandex, UC Browser, Bolt and RITS, putting hundreds of millions of users at risk.

The Vulnerability

Baloch discovered the address bar spoofing flaw in 2020 and reported it to the affected vendors on August 10. Following the standard responsible disclosure timeline of 60 to 90 days, the vulnerability was publicly disclosed on October 20.

The vulnerability stems from how the affected browsers handle JavaScript that manipulates the page while it is still loading. By carefully timing the execution of JavaScript code, an attacker can change the URL shown in the browser's address bar without actually navigating to that page. This means a user could be viewing a malicious website while the address bar displays the URL of a trusted site such as a bank or government portal.

The rise in Covid-19-related keyword domains has made this vulnerability particularly dangerous. Attackers have registered thousands of domains containing terms like "covid," "coronavirus" and "vaccine" to lure victims, and address bar spoofing makes it nearly impossible for users to verify whether they are on a legitimate site.

Apple, Opera and Yandex responded to the disclosure and worked to patch the vulnerability. UC Browser, which has over 500 million users, was notably slower to respond, leaving a vast number of users exposed for an extended period.

Impact on Security

The address bar is widely regarded as the only reliable security indicator available to users. While security certificates and lock icons provide some assurance, the URL displayed in the address bar is the primary way users verify the identity of the website they are visiting.

"Address bar spoofing is going to be used more and more in the future." — Rafay Baloch, Cyber Citadel

Anti-phishing tools and browser-based security features are unable to detect address bar spoofing because the spoofing happens inside the browser's own user interface, beneath the layer at which those protections operate. The browser itself is displaying the fraudulent URL, so security extensions and filters that check the displayed URL will see the spoofed address rather than the actual malicious domain.

CVE Listings

The following CVEs were assigned for the disclosed vulnerabilities:

  • CVE-2020-7363 / CVE-2020-7364 — UC Browser and UC Browser Mini
  • Opera Mini — address bar spoofing vulnerability
  • Opera Touch — address bar spoofing vulnerability
  • CVE-2020-7369 — Yandex Browser
  • CVE-2020-7370 — Bolt Browser
  • CVE-2020-7371 — RITS Browser
  • CVE-2020-9987 — Apple Safari

Published in South China Morning Post — 24 October 2020.
