Many Internet users know what a regular phishing attack looks like, where an email comes in with a link asking you to click it and enter your credentials into a fake site meant to steal that info. What about a sneaky one that exploits user inattention to their browser tabs?
As reported on the blog Krebs on Security, a new phishing attack has recently been devised in which unattended tabs left open in your browser are rewritten by JavaScript embedded in the website. The tab’s favicon and title are changed to look like a frequently visited site, and the tab’s content is replaced with a fake version of that website. The point is to trick the user into thinking they left that site open and were logged out, so that they will want to re-enter their login information.
Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.
The attack doesn’t even have to change the text in the address bar, because nobody looks there to double-check where they are; people rely more on the visual cues of the favicon and tab title. The address bar is the one indicator the page’s script cannot forge, which is exactly why the attack counts on it being ignored. The attack exploits user inattention and trust that tabs remain unchanged. Once the user has entered their information into the fake site, it redirects to the real site. In the Gmail example they are redirected to the real Gmail, which appears logged in because it was never logged out in the first place.
A working proof-of-concept can be found at Mozilla Firefox creative lead Aza Raskin’s site.
If you go there and leave it open while working in another tab, it will switch to a fake Gmail login page. Beyond staying vigilant about your tabs, the only way to avoid the attack is the NoScript add-on for Firefox, and it has been reported not to work quite as well on other browsers. Luckily, it seems this attack isn’t actually out in the wild, at least not yet.
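A way to catch the behaviour described above from the defender’s side is to watch for a page that rewrites its own title or favicon while its tab is hidden, since that is the only moment the swap is useful to the attacker. The following is an added example, not code from the original post or from Aza Raskin’s proof-of-concept: a small heuristic analyser that scores such changes, plus a browser hook that feeds it from a MutationObserver. The brand list, the hostnames and the sample event trace are constructed for the example.

```javascript
// Added example (not from the original post or Raskin's PoC): heuristic
// tabnabbing detector. A page that changes its <title> or favicon while
// the tab is hidden is flagged; a favicon served from another host, or a
// title naming a brand the page's hostname does not belong to, is "high".
// WATCHED_BRANDS and every hostname/event below are constructed samples.

const WATCHED_BRANDS = ['google', 'facebook', 'paypal'];

// Hostname of a favicon URL, or null when it is not an absolute URL.
function faviconHost(href) {
  try {
    return new URL(href).hostname;
  } catch (e) {
    return null;
  }
}

// True when one DNS label of `host` is exactly the brand name, i.e. the
// page plausibly belongs to that brand (google.com, mail.google.com, ...).
function hostMentionsBrand(host, brand) {
  return host.split('.').some((label) => label === brand);
}

// Walk an ordered event trace for one tab and return findings. Events:
//   { type: 'visibility', hidden: true|false }
//   { type: 'title',      value: '...' }
//   { type: 'favicon',    href: 'https://...' }
function analyseTabEvents(pageHost, events) {
  const findings = [];
  let hidden = false;
  for (const ev of events) {
    if (ev.type === 'visibility') {
      hidden = ev.hidden;
      continue;
    }
    if (!hidden) continue; // changes made in plain view are not tabnabbing
    if (ev.type === 'title') {
      const brand = WATCHED_BRANDS.find((b) =>
        ev.value.toLowerCase().includes(b) && !hostMentionsBrand(pageHost, b));
      findings.push({
        type: 'title',
        value: ev.value,
        severity: brand ? 'high' : 'low',
        reason: brand
          ? `title names "${brand}" while hidden, but page host is ${pageHost}`
          : 'title changed while tab was hidden',
      });
    } else if (ev.type === 'favicon') {
      const host = faviconHost(ev.href);
      const crossOrigin = host !== null && host !== pageHost;
      findings.push({
        type: 'favicon',
        value: ev.href,
        severity: crossOrigin ? 'high' : 'low',
        reason: crossOrigin
          ? `favicon now served from ${host} while hidden`
          : 'favicon changed while tab was hidden',
      });
    }
  }
  return findings;
}

// Overall verdict for a trace: 'high', 'low' or 'none'.
function highestSeverity(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'high';
  return findings.length ? 'low' : 'none';
}

// Browser hook (returns null under Node, where there is no DOM): record
// title/favicon changes together with visibility and run the analyser.
function installTabnabMonitor(onFinding) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const currentIcon = () => {
    const link = document.querySelector('link[rel~="icon"]');
    return link ? link.href : null;
  };
  const events = [{ type: 'visibility', hidden: document.hidden }];
  let lastTitle = document.title;
  let lastIcon = currentIcon();
  document.addEventListener('visibilitychange', () =>
    events.push({ type: 'visibility', hidden: document.hidden }));
  const observer = new MutationObserver(() => {
    if (document.title !== lastTitle) {
      lastTitle = document.title;
      events.push({ type: 'title', value: lastTitle });
    }
    const icon = currentIcon();
    if (icon !== lastIcon) {
      lastIcon = icon;
      if (icon) events.push({ type: 'favicon', href: icon });
    }
    const findings = analyseTabEvents(location.hostname, events);
    if (findings.length) onFinding(findings);
  });
  observer.observe(document.head, { childList: true, subtree: true, attributes: true, characterData: true });
  return observer;
}

// Constructed trace: a blog tab goes to the background, then swaps its
// favicon and title to look like Gmail, exactly the pattern in the post.
const SAMPLE_TRACE = [
  { type: 'visibility', hidden: false },
  { type: 'title', value: 'Some Blog - Home' }, // visible change: ignored
  { type: 'visibility', hidden: true },
  { type: 'favicon', href: 'https://mail.google.com/favicon.ico' },
  { type: 'title', value: 'Gmail: Email from Google' },
  { type: 'visibility', hidden: false },
];

if (typeof require !== 'undefined' && require.main === module) {
  const findings = analyseTabEvents('someblog.example', SAMPLE_TRACE);
  console.log(highestSeverity(findings), findings.map((f) => f.reason));
}
```

Run under Node the trace is scored `high` on both the cross-origin favicon and the "Google" title; the same trace seen on a host under google.com scores only `low`, because a site is allowed to update its own title and icon in the background (mail clients do this for unread counts), which is also why the heuristic reports rather than blocks.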
June 2, 2010
Devious New Phishing Tactic Targets Tabs