Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Tabnabbing new method for phishing. InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tabnabbing new method for phishing.

Published: 2010-05-25
Last Updated: 2010-05-25 19:33:46 UTC
by donald smith (Version: 1)
5 comment(s)

New method for phishing discovered by Aza Raskin “creative” lead for firefox.

http://www.security.nl/artikel/33401/1/Duivelse_nieuwe_phishingaanval_gebruikt_tabs.html
I had to run this thru google translation service and it did a decent job but not perfect.
I modified it somewhat based on my understanding of the issue.
There is a good flash video that shows how the attack works.

Here are the steps as outlined in the translated version of his description.

User navigates to your normal looking site.

The phishing site detects when the page has lost focus and it hasn't been interacted with for a while.

Replace the favicon on the tab with the Google favicon, the title with "Gmail: Email from Google", and the page with a Google log look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

The user scans their many tabs open, the favicon and title act as a strong visual cue and memory is malleable, moldable … and the user will simply think that they will most likely left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. When they click back to the Gmail tab fake, they'll see the standard Gmail login page, Assuming they've logged out, and provide their credentials to login. The attack preys on the perceived immutability of tabs.

Assuming the user had left a Gmail tab open where they had previously correctly authenticated. Also assuming the user has entered their login information and you've sent it back to your server, the phishing site can now redirect you to Gmail because they were never logged out in the first place, it will appear as if the login was successful.

 

Keywords:
5 comment(s)
Diary Archives