Post new topic Reply to topic  [ 8 posts ] 
 Post subject: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 01:24 
Site Admin

Joined: 2005-07-29 16:18
Posts: 13805
Location: UK
The attack goes like this:

1. A user navigates to a normal looking site.

2. The page detects when the page has lost its focus and hasn’t been interacted with for a while.

3. It replaces the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login details the information is stored by the attacker and the user is then redirected back to Gmail. Because the user never actually logged out of gmail it will appear as if the login was successful and the user is none the wiser.

Be careful out there, 'tis a jungle ;)

_________________
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
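The steps above describe a page that rewrites its own title, favicon and body while the tab is hidden. The following is an added example, not code from this thread or from hMailServer: a small analyser over a constructed per-tab event log that flags exactly that pattern from the defender's side. In a real browser the log would be fed by a content script subscribing to the `visibilitychange` event and a `MutationObserver` on `<head>` and `<body>`; the event shape, the sample events and the "two or more kinds of change during one hidden period" threshold are all assumptions made for this example.

```javascript
// Added example (not from the thread): flag tabnabbing-like behaviour from a
// per-tab event log. Events are constructed here; a content script would emit
// them from document.visibilityState changes and MutationObserver callbacks.
//
// Event shapes (assumed for this example):
//   { t, type: 'visibility', state: 'visible' | 'hidden' }
//   { t, type: 'title',   value: <string> }
//   { t, type: 'favicon', value: <href of <link rel="icon">> }
//   { t, type: 'body',    replacedFraction: <0..1, share of body nodes swapped> }

// A single title change while hidden is normal (webmail unread counts do this),
// so a hidden period is only reported when at least `minKinds` different things
// changed during it: title, favicon, or a wholesale body replacement.
function detectTabnabbing(events, minKinds = 2, bodyThreshold = 0.5) {
  const findings = [];
  const current = { title: null, favicon: null }; // last seen values
  let period = null; // { since, changes: Map<kind, detail> } for the open hidden period

  const closePeriod = (endT) => {
    if (period && period.changes.size >= minKinds) {
      findings.push({
        hiddenFrom: period.since,
        hiddenUntil: endT,
        changed: Object.fromEntries(period.changes),
      });
    }
    period = null;
  };

  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === 'visibility') {
      if (ev.state === 'hidden') {
        if (!period) period = { since: ev.t, changes: new Map() };
      } else {
        closePeriod(ev.t);
      }
    } else if (ev.type === 'title' || ev.type === 'favicon') {
      const prev = current[ev.type];
      // Only changes made while the tab is hidden count; the initial value set
      // while visible is just recorded.
      if (period && prev !== null && prev !== ev.value) {
        period.changes.set(ev.type, { from: prev, to: ev.value });
      }
      current[ev.type] = ev.value;
    } else if (ev.type === 'body') {
      if (period && ev.replacedFraction >= bodyThreshold) {
        period.changes.set('body', { replacedFraction: ev.replacedFraction });
      }
    }
  }
  closePeriod(null); // tab never became visible again: still report the period
  return findings;
}

// Constructed log: a page that waits until the tab is hidden, then swaps title,
// favicon and nearly the whole body, as in the attack described in the post.
const SAMPLE_TABNAB_EVENTS = [
  { t: 0,     type: 'visibility', state: 'visible' },
  { t: 0,     type: 'title',      value: 'Cute Cat Pictures' },
  { t: 0,     type: 'favicon',    value: 'https://cats.example/favicon.ico' },
  { t: 12000, type: 'visibility', state: 'hidden' },
  { t: 20000, type: 'title',      value: 'Gmail: Email from Google' },
  { t: 20010, type: 'favicon',    value: 'https://cats.example/lookalike.ico' },
  { t: 20020, type: 'body',       replacedFraction: 0.95 },
  { t: 45000, type: 'visibility', state: 'visible' },
];

// Constructed benign log: webmail updating its unread count while hidden.
const SAMPLE_BENIGN_EVENTS = [
  { t: 0,     type: 'visibility', state: 'visible' },
  { t: 0,     type: 'title',      value: 'Inbox' },
  { t: 0,     type: 'favicon',    value: 'https://mail.example/favicon.ico' },
  { t: 10000, type: 'visibility', state: 'hidden' },
  { t: 30000, type: 'title',      value: '(1) Inbox' },
  { t: 40000, type: 'visibility', state: 'visible' },
];

console.log(JSON.stringify(detectTabnabbing(SAMPLE_TABNAB_EVENTS), null, 2));
console.log(JSON.stringify(detectTabnabbing(SAMPLE_BENIGN_EVENTS), null, 2));
```

Running it reports one suspicious hidden period for the first log (title, favicon and body all changed between 12 s and 45 s) and nothing for the second, since a lone title update while hidden is what legitimate webmail does. The threshold is a heuristic, not a proof: a page that only swaps its body would slip through at `minKinds = 2`, and that is the tuning knob a deployment would revisit.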


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 03:37 
Developer

Joined: 2010-04-24 23:16
Posts: 6163
Location: Michigan, USA
Thx DooM. Guess we can add it to the list of reasons to keep javascript disabled. 'Tis crazy that browsers let JS have so much control of what can be changed/controlled so this exercise in social engineering is even possible. Suppose we can look forward to legit stuff getting broken as updates kick in to help try & stop stuff like this.

_________________
hMailServer build LIVE on my servers: 5.4-B2014050402
Latest test builds: http://www.hmailserver.com/forum/viewtopic.php?f=10&t=21420
Urgent? Bored? JOIN US ON IRC!
DOGE ME: DSqtEcqP3Qv6Tj2XrGNpDmEUkSBcpBsuWk


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 06:01 
Moderator

Joined: 2005-03-13 05:42
Posts: 1368
Location: Sydney Australia
Is this browser specific?

_________________
hMailServer 5.4 B1944 external MySQL 5.5
Win 2003 SP2 | IIS 6 | ClamAV 0.97.3 | PHP 5.3.17 | Roundcube Webmail 0.8.2


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 09:06 
Senior user

Joined: 2008-09-08 11:47
Posts: 372
Or just don't use Gmail (you have your own mailserver mostly here :twisted: )

_________________
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 09:48 
Senior user

Joined: 2005-10-13 21:28
Posts: 2486
Location: Lithuania
Slug wrote:
Is this browser specific?

No.
Caspar wrote:
Or just don't use Gmail (you have your own mailserver mostly here :twisted: )

Attacker can display your bank login page.

If you go to malicious site by clicking link in unprotected webmail, attacker can display login page for that webmail system.


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 16:12 
Senior user

Joined: 2008-09-08 11:47
Posts: 372
^DooM^ wrote:
3. It replaces the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

So it does show GMAIL, which is (I mostly think) not commonly used here.

_________________
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 16:29 
Developer

Joined: 2010-04-24 23:16
Posts: 6163
Location: Michigan, USA
I think he was using that as just one example and it could be any site/service, not just gmail.

_________________
hMailServer build LIVE on my servers: 5.4-B2014050402
Latest test builds: http://www.hmailserver.com/forum/viewtopic.php?f=10&t=21420
Urgent? Bored? JOIN US ON IRC!
DOGE ME: DSqtEcqP3Qv6Tj2XrGNpDmEUkSBcpBsuWk


 Post subject: Re: Tabnabbing (A new Phishing Attack)
PostPosted: 2010-05-26 17:05 
Site Admin

Joined: 2005-07-29 16:18
Posts: 13805
Location: UK
Could be any website, GMAIL was just proof of concept.

_________________
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

