Tabnabbing (A new Phishing Attack)

^DooM^
Site Admin
Posts: 13853
Joined: 2005-07-29 16:18
Location: UK

Tabnabbing (A new Phishing Attack)

Postby ^DooM^ » 2010-05-26 01:24

The attack goes like this:

1. A user navigates to a normal looking site.

2. The page detects when the page has lost its focus and hasn’t been interacted with for a while.

3. It replaces the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of JavaScript that takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login details, the information is stored by the attacker and the user is then redirected back to Gmail. Because the user never actually logged out of Gmail, it will appear as if the login was successful and the user is none the wiser.

Be careful out there, 'tis a jungle ;)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
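The steps above boil down to one observable behaviour: a page rewriting its own title and favicon after the tab has been hidden for a while. The following is an added defensive illustration, not code from this thread or from hMailServer, showing how a browser-extension content script could watch for exactly that and warn the user. The function and option names (`classifyTabChange`, `installTabnabbingMonitor`, `idleThresholdMs`) are assumptions chosen for the example.

```javascript
// Added example (not from the thread): flag pages that rewrite their own
// <title> or favicon while the tab is hidden, the signature of tabnabbing.

// Pure decision logic, kept free of DOM access so it can be unit-tested.
// event = { type: 'title' | 'favicon', from, to, hidden: boolean, idleMs: number }
function classifyTabChange(event, opts) {
  // Assumed default: changes within the first 5 s of being hidden are tolerated,
  // since many pages update their title as the tab loses focus.
  const idleThresholdMs =
    opts && opts.idleThresholdMs !== undefined ? opts.idleThresholdMs : 5000;

  if (event.from === event.to) {
    return { suspicious: false, reason: 'no change' };
  }
  if (!event.hidden) {
    // Title/favicon changes while the user is looking are normal page behaviour.
    return { suspicious: false, reason: 'changed while visible' };
  }
  if (event.idleMs < idleThresholdMs) {
    return { suspicious: false, reason: 'changed shortly after losing focus' };
  }
  return {
    suspicious: true,
    reason: event.type + ' rewritten while tab hidden for ' + event.idleMs + ' ms',
  };
}

// The favicon is whatever <link rel="icon"> (or "shortcut icon") points at.
function getFaviconHref(doc) {
  const link = doc.querySelector('link[rel~="icon"]');
  return link ? link.href : null;
}

// Wire the heuristic to a real document: remember the last known title and
// favicon, track how long the tab has been hidden, and re-check on every
// mutation inside <head> (where both <title> and the favicon <link> live).
function installTabnabbingMonitor(doc, onSuspicious, opts) {
  let lastTitle = doc.title;
  let lastIcon = getFaviconHref(doc);
  let hiddenSince = null;

  doc.addEventListener('visibilitychange', function () {
    hiddenSince = doc.hidden ? Date.now() : null;
  });

  const observer = new MutationObserver(function () {
    const idleMs = hiddenSince !== null ? Date.now() - hiddenSince : 0;
    const checks = [
      { type: 'title', from: lastTitle, to: doc.title },
      { type: 'favicon', from: lastIcon, to: getFaviconHref(doc) },
    ];
    for (const c of checks) {
      const verdict = classifyTabChange(
        { type: c.type, from: c.from, to: c.to, hidden: doc.hidden, idleMs: idleMs },
        opts
      );
      if (verdict.suspicious) {
        onSuspicious({ type: c.type, from: c.from, to: c.to, reason: verdict.reason });
      }
    }
    lastTitle = doc.title;
    lastIcon = getFaviconHref(doc);
  });

  observer.observe(doc.head, {
    childList: true,
    subtree: true,
    attributes: true,
    characterData: true,
  });
  return observer;
}

// Only attach to a real page when one exists (lets the file load under Node too).
if (typeof document !== 'undefined') {
  installTabnabbingMonitor(document, function (e) {
    console.warn('Possible tabnabbing: ' + e.reason, e);
  });
}
```

This is a heuristic, not a fix: a legitimate webmail tab that updates its title to "(3) Inbox" while in the background will also trip it, so in practice the warning should be a prompt to check the address bar before typing a password, which is the check that defeats the attack regardless of browser.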

Bill48105
Developer
Posts: 6171
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Tabnabbing (A new Phishing Attack)

Postby Bill48105 » 2010-05-26 03:37

Thx DooM. Guess we can add it to the list of reasons to keep JavaScript disabled. Tis crazy that browsers let JS have so much control of what can be changed/controlled so this exercise in social engineering is even possible. Suppose we can look forward to legit stuff getting broken as updates kick in to help try & stop stuff like this.
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
hMailServer build LIVE on my servers: 5.4-B2014050402
Latest test builds: http://www.hmailserver.com/forum/viewtopic.php?f=10&t=21420

Slug
Moderator
Posts: 1368
Joined: 2005-03-13 05:42
Location: Sydney Australia

Re: Tabnabbing (A new Phishing Attack)

Postby Slug » 2010-05-26 06:01

Is this browser specific?
hMailServer 5.4 B1944 external MySQL 5.5
Win 2003 SP2 | IIS 6 | ClamAV 0.97.3 | PHP 5.3.17 | Roundcube Webmail 0.8.2

Caspar
Senior user
Posts: 378
Joined: 2008-09-08 11:47

Re: Tabnabbing (A new Phishing Attack)

Postby Caspar » 2010-05-26 09:06

Or just don't use Gmail (you have your own mailserver mostly here :twisted: )
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Tabnabbing (A new Phishing Attack)

Postby dzekas » 2010-05-26 09:48

Slug wrote: Is this browser specific?

No.
Caspar wrote: Or just don't use Gmail (you have your own mailserver mostly here :twisted: )

The attacker can display your bank login page.

If you go to a malicious site by clicking a link in unprotected webmail, the attacker can display the login page for that webmail system.

Caspar
Senior user
Posts: 378
Joined: 2008-09-08 11:47

Re: Tabnabbing (A new Phishing Attack)

Postby Caspar » 2010-05-26 16:12

^DooM^ wrote: 3. It replaces the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of JavaScript that takes place instantly.

So it does show GMAIL, which is (I mostly think) not commonly used here.

Bill48105
Developer
Posts: 6171
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Tabnabbing (A new Phishing Attack)

Postby Bill48105 » 2010-05-26 16:29

I think he was using that as just one example and it could be any site/service, not just Gmail.

^DooM^
Site Admin
Posts: 13853
Joined: 2005-07-29 16:18
Location: UK

Re: Tabnabbing (A new Phishing Attack)

Postby ^DooM^ » 2010-05-26 17:05

Could be any website, GMAIL was just proof of concept.