Chrome exploit uses a fake address bar for phishing attacks
Fisher’s approach is focused on Chrome and is only a proof of concept for now, but it could theoretically display fake address bars for a variety of browsers and even include interactive elements. In other words, a phishing campaign could produce a convincing site beyond just the content of the page. You’d have to pay attention to the starting address to know what’s happening, and not everyone will catch that irregularity.
We’ve asked Google for comment. It’s not clear how many phishers will use techniques like this. There is a way to double-check, though. The 9to5Google team noted that you can force the real address bar to show by locking and then unlocking your phone again. It’s not bullet-proof as a result, but many people won’t know to try this and might be fooled as a result.