Mobile URL Phishing

UPDATE: This does not work now, as Google has identified this subdomain as a phishing attack!

I'm not the first one to think of this, but I haven't read about it as much as I would expect.

How it works
  1. Have a domain available to edit/use
  2. Choose a target site to mock, preferably with a long URL (e.g. store.steampowered.com
  3. Create subdomains on your site
    • com is a subdomain of ism.codes
    • steampowered is a subdomain of com.ism.codes
  4. Navigate to that site on a mobile device, prefix the URL with www if you need to make it longer. If the overall URL is long enough, you will be able to see the part about store.steampowered.com but not ism.codes.

This is scarier than Tabnabbing in my opinion because with that, there was at least a way to passively detect (checking the URL bar) that the site was being imitated. With this, one would have to actively tap the URL bar to check the entire URL.

Example usage:
Hey, go buy some games on Steam!

How can this be prevented?

Hmm. Manually checking the URL of every website that you enter credentials on would work, but that's a hassle. Chrome doesn't allow for mobile extensions to warn you about stuff like this.
In a case like this, showing the end of the URL host could work- showing ...com.ism.codes would let the user know that they are on my website, not the official Steam site.