How Attackers Fake Chrome’s Address Bar to Trick Users in Full‑Screen Phishing
The article explains a new Chrome‑targeted phishing method that uses fullscreen mode and a carefully placed JPEG image to mimic the browser’s address bar and pop‑up dialogs, detailing the technique, visual cues, and security implications for users and researchers.
Attack Overview
Threat actors offering fraudulent technical‑support services have created a phishing technique that specifically targets Google Chrome users. The malicious page forces Chrome into fullscreen mode, hides the native toolbar and address bar, and then overlays a static image that mimics Chrome’s UI. The page also displays counterfeit warning dialogs to keep the victim from closing the tab.
Full‑screen UI Spoofing
When a victim navigates to the malicious URL, embedded JavaScript calls the Fullscreen API, e.g. document.documentElement.requestFullscreen(). Chrome only grants fullscreen after a user gesture such as a click, so the page typically needs the victim to interact with it first. In fullscreen mode Chrome hides the top toolbar (including the address bar). The attacker takes advantage of this by positioning a JPEG that looks exactly like Chrome’s toolbar at the top of the viewport. The image is sized to Chrome’s toolbar height (≈56 px) and the full viewport width, so it lines up with where the real toolbar was once fullscreen is active.
Fake Address Bar Implementation
The counterfeit address bar is a simple <img> element placed with fixed positioning. A minimal example is:
<style>
#fake-bar {position:fixed; top:0; left:0; width:100%; height:56px; z-index:9999;}
</style>
<img id="fake-bar" src="https://mmbiz.qpic.cn/mmbiz_png/WKtM9X8hT266bF9DbL8D6A6ob18kp8F8CXkTu3Siafv3cejW3HZngHw5bWgvU0pnrWqwhrH8cRg9Fkqic2G0QwvA/640" alt="Fake Chrome address bar screenshot">
Because the image is rendered after the browser has entered fullscreen, it appears to be the genuine address bar. Users who move the mouse to the top of the screen see no visual change unless they use a custom Chrome theme that alters the toolbar appearance.
Fake Chrome Warning Dialogs
In a second stage, the page mimics Chrome’s native “disable pop‑ups” prompt. The attacker creates a modal dialog that looks like the real Chrome UI, but with noticeable errors (misspellings and an oddly punctuated “Press ESC, to close this page!” message). The dialog is built with ordinary HTML/CSS and JavaScript; after the user clicks the counterfeit “OK” button, the script repeatedly spawns additional alert windows to overwhelm the victim.
Mitigation and Detection
Never trust unsolicited technical‑support prompts; always verify the URL in the real address bar before interacting.
Disable or limit the Fullscreen API for untrusted sites via browser settings or extensions.
Look for visual cues that indicate an image overlay, such as the absence of the native Chrome UI elements (e.g., missing tab strip, static toolbar).
Be aware of spelling mistakes or non‑standard messages in pop‑up dialogs, which are strong indicators of forgery.
Security tools can monitor calls to requestFullscreen() and the insertion of full‑width fixed‑position images as potential indicators of this attack.
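The following is an added example, not code from the original article, showing how the two indicators above can be turned into a heuristic a browser extension or test harness could apply. It wraps an element prototype's requestFullscreen() so calls are logged, and scans element records for a full-width image pinned to the top of the viewport at roughly Chrome's toolbar height with a high z-index. The record shape {tag, position, top, left, widthRatio, height, zIndex}, the tolerance values and the severity levels are assumptions of this example; in a browser you would build the records from getComputedStyle() and getBoundingClientRect().

```javascript
// Added example: heuristics for the full-screen address-bar spoof described above.
// Part 1 instruments requestFullscreen(); part 2 looks for a toolbar-shaped overlay.

const CHROME_TOOLBAR_HEIGHT_PX = 56;   // toolbar height quoted in the article
const HEIGHT_TOLERANCE_PX = 20;        // assumed slack for themes and DPI scaling
const SUSPICIOUS_Z_INDEX = 1000;       // assumed threshold for "sits above everything"

// Wrap proto.requestFullscreen so every call is reported before it proceeds.
// In a content script `proto` would be Element.prototype; here it is whatever
// object the caller passes, so the example also runs outside a browser.
function instrumentFullscreen(proto, onRequest) {
  const original = proto.requestFullscreen;
  if (typeof original !== 'function') return false;
  proto.requestFullscreen = function (...args) {
    onRequest({ target: this, stack: new Error().stack });
    return original.apply(this, args);
  };
  return true;
}

// An element record looks like a fake toolbar when it is an image pinned to the
// top-left corner, spans (almost) the full width, is about toolbar height and
// is stacked above ordinary page content.
function isToolbarOverlay(el) {
  const isImage = el.tag === 'img';
  const pinnedTop = (el.position === 'fixed' || el.position === 'absolute')
    && el.top === 0 && el.left === 0;
  const fullWidth = el.widthRatio >= 0.95;
  const toolbarHeight = Math.abs(el.height - CHROME_TOOLBAR_HEIGHT_PX) <= HEIGHT_TOLERANCE_PX;
  const onTop = el.zIndex >= SUSPICIOUS_Z_INDEX;
  return isImage && pinnedTop && fullWidth && toolbarHeight && onTop;
}

function findToolbarOverlays(elements) {
  return elements.filter(isToolbarOverlay);
}

// Combine both signals: fullscreen plus an overlay is the strong case; either
// alone is a weak signal (many legitimate sites use fullscreen or fixed bars).
function assessPage({ fullscreenRequested, elements }) {
  const overlays = findToolbarOverlays(elements);
  let severity = 'none';
  if (fullscreenRequested && overlays.length > 0) severity = 'high';
  else if (fullscreenRequested || overlays.length > 0) severity = 'low';
  return { severity, overlays };
}

// Constructed sample records: an <img> styled like the #fake-bar rule quoted in
// the article, a benign fixed <nav> of the same size, and an ordinary inline image.
const SAMPLE_ELEMENTS = [
  { tag: 'img', position: 'fixed', top: 0, left: 0, widthRatio: 1, height: 56, zIndex: 9999 },
  { tag: 'nav', position: 'fixed', top: 0, left: 0, widthRatio: 1, height: 56, zIndex: 10 },
  { tag: 'img', position: 'static', top: 120, left: 0, widthRatio: 0.3, height: 200, zIndex: 0 },
];

// Stand-alone demonstration using a stand-in for Element.prototype.
function demo() {
  const fakeProto = { requestFullscreen() { return 'entered-fullscreen'; } };
  let requested = false;
  instrumentFullscreen(fakeProto, () => { requested = true; });
  fakeProto.requestFullscreen();
  return assessPage({ fullscreenRequested: requested, elements: SAMPLE_ELEMENTS });
}

console.log(JSON.stringify(demo()));
```

The z-index and image-tag checks are what keep an ordinary fixed site header from being flagged; tune HEIGHT_TOLERANCE_PX and SUSPICIOUS_Z_INDEX against your own false-positive data before using this in anything beyond triage.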
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.