Tabnabbing: A New Type of Phishing Attack

Discussion in 'BlackHat Lounge' started by HoNeYBiRD, May 27, 2010.

  1. HoNeYBiRD
    "Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You've escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.
    What we don't expect is that a page we've been looking at will change behind our backs, when we aren't looking. That'll catch us by surprise."


    How the attack works:


    1. A user navigates to the attacker's normal-looking site.
    2. The attacker detects when the page has lost its focus and hasn't been interacted with for a while.
    3. Replace the favicon with the Gmail favicon, the title with "Gmail: Email from Google", and the page with a Gmail login look-alike. This can all be done with just a little bit of JavaScript that takes place instantly.
    4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
    5. After the user has entered their login information and the attacker has sent it back to his server, the attacker redirects them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
    http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
    Firefox's fix: Firefox Account Manager
    http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/

    So be careful what's happening in the open tabs in the background behind your back and always check the URL before you log in somewhere! ;)
    Last edited: May 27, 2010
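    As an added example (not code from the thread or from the linked blog post), here is the defensive side of the pattern described above: a detector that flags a tab whose title or favicon changes while the tab is hidden. The core check is a pure function so it can be exercised outside a browser; the names detectTabnabbing, installBrowserHook, SAMPLE_TIMELINE and the example.test URLs are all constructed for this example.

```javascript
// Added example: detect the tabnabbing signal (title/favicon rewritten while
// the tab is not visible). Not code from the thread or the blog it cites.

// An event is { hidden: boolean, snap: { title, favicon } }, in time order;
// `hidden` is the value document.hidden had when the snapshot was taken.
// Returns one finding per field that changed while the tab was hidden.
function detectTabnabbing(events) {
  const findings = [];
  let prev = null;
  for (const ev of events) {
    if (prev !== null && ev.hidden) {
      // A change observed while the user cannot see the tab is the signal.
      for (const field of ['title', 'favicon']) {
        if (ev.snap[field] !== prev[field]) {
          findings.push({ field, from: prev[field], to: ev.snap[field] });
        }
      }
    }
    prev = ev.snap;
  }
  return findings;
}

// Constructed sample timeline reproducing the thread's scenario: a harmless
// page, the user switches away, the page rewrites itself to look like Gmail.
const SAMPLE_TIMELINE = [
  { hidden: false, snap: { title: 'Cute Kittens', favicon: 'https://example.test/favicon.ico' } },
  { hidden: true,  snap: { title: 'Cute Kittens', favicon: 'https://example.test/favicon.ico' } },
  { hidden: true,  snap: { title: 'Gmail: Email from Google', favicon: 'https://example.test/gmail.ico' } },
];

// Browser wiring (what a content script or extension would install): watch
// <head> for title/favicon mutations and report those that happen while
// document.hidden is true. Returns null when there is no DOM (e.g. Node).
function installBrowserHook(onFinding) {
  if (typeof document === 'undefined') return null;
  const snap = () => {
    const icon = document.querySelector('link[rel~="icon"]');
    return { title: document.title, favicon: icon ? icon.href : '' };
  };
  let prev = snap();
  const observer = new MutationObserver(() => {
    const cur = snap();
    detectTabnabbing([{ hidden: false, snap: prev }, { hidden: document.hidden, snap: cur }])
      .forEach(onFinding);
    prev = cur;
  });
  observer.observe(document.head, { subtree: true, childList: true, attributes: true, characterData: true });
  return observer;
}

installBrowserHook((f) => console.warn(`tab changed its ${f.field} while hidden: "${f.from}" -> "${f.to}"`));
```

    Treat a finding as a warning to re-check the URL rather than as proof of an attack: legitimate sites also update their title while hidden (unread counts, for example), so the URL bar remains the authoritative check.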
  2. azu12
    thanks for the information
     
  3. Nocturna
    Wow that's clever!
     
  4. matthew1471
    I think there's a bit of javascript in a sticky in the black hat forum for this?