Thursday, May 27, 2010

Tabnabbing, the future of phishing attacks

Aza Raskin has discovered a new kind of phishing attack that deceives a user who is browsing the attacker's website and then switches to another tab to look at a different site. It also works if the user uses multiple browser windows, but it is less stealthy that way. The attack works in all browsers (there is a small bug with the favicon in Safari).

Tabnabbing is very simple to understand and implement. While the user is on the attacker's website, JavaScript code runs and waits for the user to move to another tab (without closing the first one). Once the attacker's tab has lost focus for more than 5 seconds, the JavaScript changes that page's favicon, title and content. There is little chance the user notices the title and favicon changing, because he is busy with the second website. When he comes back to the first tab, he sees the "new page", which can look like his webmail. If he logs in there, the attacker gets his credentials.
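The detection logic below is an added example and is not code from Raskin's post or from bgattack.js. It takes the behaviour just described (title, favicon and page body swapped while the tab is out of view) and turns it into a client-side check: snapshot those three identity fields when the tab is hidden, compare them when the tab becomes visible again, and report which ones changed. The `fakeDocument` stand-in, the `visibilitychange` wiring (the modern Page Visibility API rather than the focus/blur events available in 2010) and the sample page values are assumptions so that the block runs outside a browser.

```javascript
// Added example (not from Raskin's post or bgattack.js): a defensive page
// monitor that records a tab's identity (title, favicon, hash of the body)
// when the tab is hidden and reports what changed when it is shown again.
// A legitimate page rarely swaps all three while it is out of view; a
// tabnabbing page does exactly that.

// Small FNV-1a string hash so the body can be compared without storing it.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// Capture the parts of a document that tabnabbing rewrites.
function snapshotPage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : null,
    bodyHash: fnv1a(doc.body.innerHTML),
  };
}

// Return the identity fields that differ between two snapshots.
function diffSnapshots(before, after) {
  return ['title', 'favicon', 'bodyHash'].filter(k => before[k] !== after[k]);
}

// Wire the monitor to a document: snapshot on hide, compare on show.
function installTabnabMonitor(doc, onAlert) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) {
      hiddenSnapshot = snapshotPage(doc);
    } else if (hiddenSnapshot) {
      const changed = diffSnapshots(hiddenSnapshot, snapshotPage(doc));
      if (changed.length > 0) onAlert(changed);
      hiddenSnapshot = null;
    }
  });
}

// Constructed stand-in for the browser's document (assumption) so the block
// runs in Node: only the members the monitor touches are implemented.
function fakeDocument(title, favicon, html) {
  const listeners = {};
  const icon = { href: favicon };
  return {
    title,
    hidden: false,
    body: { innerHTML: html },
    querySelector: sel => (sel.indexOf('icon') !== -1 ? icon : null),
    addEventListener: (ev, fn) => { (listeners[ev] = listeners[ev] || []).push(fn); },
    dispatch: ev => { (listeners[ev] || []).forEach(fn => fn()); },
    setFavicon: href => { icon.href = href; },
  };
}

// Replay the scenario from the post on the fake document: the tab is hidden,
// the page rewrites itself, the tab is shown again. Returns the alerts raised.
function simulateTabnab() {
  const alerts = [];
  const doc = fakeDocument('Harmless blog', 'https://example.test/blog.ico', '<p>Hello</p>');
  installTabnabMonitor(doc, changed => alerts.push(changed));
  doc.hidden = true;
  doc.dispatch('visibilitychange');
  doc.title = 'Sign in to your mail';              // all three swapped while hidden
  doc.setFavicon('https://example.test/mail.ico');
  doc.body.innerHTML = '<form>login</form>';
  doc.hidden = false;
  doc.dispatch('visibilitychange');
  return alerts;                                    // [['title','favicon','bodyHash']]
}

// Same cycle on a page that leaves itself alone: no alert should be raised.
function simulateBenign() {
  const alerts = [];
  const doc = fakeDocument('Harmless blog', 'https://example.test/blog.ico', '<p>Hello</p>');
  installTabnabMonitor(doc, changed => alerts.push(changed));
  doc.hidden = true;
  doc.dispatch('visibilitychange');
  doc.hidden = false;
  doc.dispatch('visibilitychange');
  return alerts;                                    // []
}

console.log(simulateTabnab(), simulateBenign());
```

In a real browser, `fakeDocument` is replaced by the page's own `document`, and the alert callback would typically restore the original title or warn the user. Hashing the body rather than diffing it keeps the snapshot small and avoids keeping a copy of page content around; the check is deliberately coarse, since a page that changes all three identity fields while hidden is the signature worth flagging.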

If you want to test it yourself you can go here, or you can watch his proof of concept in video:


This new phishing attack can be improved with another technique (using JavaScript and CSS) that reveals some of the websites the user has visited before, so the fake login page can be chosen to match a site he actually uses.


Raskin's article: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
His Wikipedia page: http://en.wikipedia.org/wiki/Aza_Raskin
His Twitter: http://twitter.com/azaaza
PoC: http://www.azarask.in/projects/bgattack.js
