Malicious actors frequently exploit URLs as part of their phishing, social engineering, and scam attacks. Research recently conducted by Google and the University of Illinois at Urbana-Champaign found that 60 per cent of users were misled when a URL path contained a deceptive brand name. Web browser vendors have started exploring various methods to prevent URL spoofing, such as showing only the registered portion of the domain (or highlighting it in the address bar) instead of displaying the full URL. Google also plans to experiment with such approaches. Chrome 86, expected to be released in October, will display only the domain name by default and show the full URL when the user hovers over the address. Alternatively, users who don't like the new feature may right-click on the URL and pick the "Always display complete URLs" option.
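The following added example (not Chrome's code and not from the original article) approximates the simplified display described above and flags a brand name that appears only outside the registrable domain. The suffix set is a small constructed stand-in for the Public Suffix List, and the function names, brand and sample URLs are assumptions using reserved test domains.

```javascript
// Constructed subset of the Public Suffix List (assumption); real code needs the full list.
// "example" and "test" are reserved TLDs, used here only for the sample URLs.
const SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "example", "test"]);

// Return the registrable domain: the matching public suffix plus one label to its left.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  // Start from the longest candidate so "co.uk" is matched before "uk".
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0: the host is itself a public suffix, so show it unchanged.
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return host; // unknown suffix or IP literal: show the host unchanged
}

// What a simplified address bar would show for a full URL.
function simplifiedDisplay(rawUrl) {
  return registrableDomain(new URL(rawUrl).hostname);
}

// True when the brand appears in the subdomain, path or query
// but not in the registrable domain the simplified display would show.
function brandOutsideDomain(rawUrl, brand) {
  const url = new URL(rawUrl);
  const domain = registrableDomain(url.hostname);
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const subdomain = host.slice(0, host.length - domain.length);
  const rest = (subdomain + url.pathname + url.search).toLowerCase();
  const needle = brand.toLowerCase();
  return rest.includes(needle) && !domain.includes(needle);
}

// Constructed sample URLs: one legitimate, two with the brand outside the domain.
const SAMPLES = [
  "https://www.mybank.example/login",
  "https://mybank.example.secure-login.test/verify",
  "https://cdn-host.test/mybank/signin",
];
for (const u of SAMPLES) {
  console.log(simplifiedDisplay(u), brandOutsideDomain(u, "mybank"), u);
}
```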

It's worth pointing out that randomly selected Chrome users will participate in the trial and that it won't involve enterprise apps. However, users who are not included in the experiment but who want to check it out and provide input can install Chrome's Canary or Dev versions and enable some flags in chrome://flags. “Our aim is to understand — through real-world usage — how this show of URLs allows users to know that they are visiting a malicious website and protects them from phishing and social engineering attacks,” the Chrome Security Team explained.

Google Announced to Run an Experiment in Chrome 86 to Fight Against URL Spoofing - Cybers Guards