Tabnabbing (A new Phishing Attack)

^DooM^ · Post by **^DooM^** » 2010-05-26 01:24

The attack goes like this:

1. A user navigates to a normal looking site.

2. The page detects when the page has lost its focus and hasn’t been interacted with for a while.

3. It replaces the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login details the information is stored by the attacker and the user is then redirected back to Gmail. Because the user never actually logged out of gmail it will appear as if the login was successful and the user is none the wiser.

Be careful out their, 'tis a jungle

Bill48105 · Post by **Bill48105** » 2010-05-26 03:37

Thx DooM. Guess we can add it to the list of reasons to keep javascript disabled. Tis crazy that browsers let JS have so much control of what can be change/controlled so this exercise in social engineering is even possible. Suppose we can look forward to legit stuff getting broken as updates kick in to help try & stop stuff like this.

Slug · Post by **Slug** » 2010-05-26 06:01

Is this browser specific ?

Caspar · Post by **Caspar** » 2010-05-26 09:06

Or just don't use Gmail (you have your own mailserver mostly here

)

dzekas · Post by **dzekas** » 2010-05-26 09:48

Slug wrote:Is this browser specific ?

No.

Caspar wrote:Or just don't use Gmail (you have your own mailserver mostly here )

Attacker can display your bank login page.

If you go to malicious site by clicking link in unprotected webmail, attacker can display login page for that webmail system.

Caspar · Post by **Caspar** » 2010-05-26 16:12

^DooM^ wrote: 3. It replaces the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

so it does show GMAIL what is (i mostly think) not commonly used here.

Bill48105 · Post by **Bill48105** » 2010-05-26 16:29

I think he was using that as just one example and it could be any site/service not just gmail..

^DooM^ · Post by **^DooM^** » 2010-05-26 17:05

Could be any website, GMAIL was just proof of concept.

Tabnabbing (A new Phishing Attack)

Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)

Re: Tabnabbing (A new Phishing Attack)