
Tuesday, 25 May 2010

POC: phishing with open browser tabs

Tabnabbing?

Aza Raskin (http://en.wikipedia.org/wiki/Aza_Raskin), a creative lead for Firefox, has published a proof-of-concept for a browser-based attack in which pages already open in a browser are switched to carry out phishing attacks. His example shows a Gmail login look-alike page that is substituted into an open tab.

As he writes: “This can all be done with just a little bit of JavaScript that takes place instantly.”

When a victim goes back to that page, he assumes he’s been logged out and types in his log-in information, which is forwarded to the phishing operator’s site.

There are a lot of ugly possibilities, Raskin writes: “Using my CSS history miner you can detect which site a visitor uses and then attack that. For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.”
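The attack described above works because nothing in the browser tells the user that a tab rewrote its title, favicon and content while it was in the background. The following is an added example, not Raskin's proof-of-concept or anything from his post, showing the defender's side: a small script (the kind that could live in a browser extension or a page-monitoring user script) that takes a snapshot of the page when its tab is hidden, compares it when the user returns, and warns if a credential prompt appeared alongside a swapped title or favicon. The snapshot fields, the `assessTabSwitch` heuristic and the sample values are my own assumptions; the comparison is a pure function so it can be exercised outside a browser, and the DOM hookup at the end is guarded so the file also loads under Node.

```javascript
// Added example (not Raskin's code): flag a page that turned itself into a
// login form while its tab was in the background.

// A snapshot captures what a user relies on to recognise a tab: its title,
// favicon, whether it is asking for a password, and the hostname it is on.
function snapshotFromFields(title, faviconHref, passwordFields, hostname) {
  return { title, faviconHref, passwordFields, hostname };
}

// Compare the snapshot taken when the tab was hidden with one taken when the
// user came back. Returns a verdict instead of acting, so the caller decides
// how to warn. Hostname is included so the caller can see the rewrite happened
// on the same origin, which is the whole point of the technique.
function assessTabSwitch(before, after) {
  const reasons = [];
  if (before.title !== after.title) {
    reasons.push('title changed while hidden');
  }
  if (before.faviconHref !== after.faviconHref) {
    reasons.push('favicon changed while hidden');
  }
  const credentialPrompt = before.passwordFields === 0 && after.passwordFields > 0;
  if (credentialPrompt) {
    reasons.push('password field appeared while hidden');
  }
  // A title change on its own is common (a mail client updating its unread
  // count, for example). Treat the switch as suspicious only when a new
  // password prompt appeared together with a changed title or favicon.
  const suspicious = credentialPrompt && reasons.length >= 2;
  return { suspicious, reasons, sameHost: before.hostname === after.hostname };
}

// Build a snapshot from a live Document (assumed browser environment).
function snapshotFromDocument(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return snapshotFromFields(
    doc.title,
    icon ? icon.href : '',
    doc.querySelectorAll('input[type="password"]').length,
    doc.location.hostname
  );
}

// Hook into the Page Visibility API when running in a browser.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      hiddenSnapshot = snapshotFromDocument(document);
      return;
    }
    if (hiddenSnapshot) {
      const verdict = assessTabSwitch(hiddenSnapshot, snapshotFromDocument(document));
      if (verdict.suspicious) {
        console.warn('This tab changed into a login prompt while in the background:',
          verdict.reasons.join('; '), 'at', document.location.href);
      }
      hiddenSnapshot = null;
    }
  });
}
```

The heuristic deliberately ignores a lone title change, since many legitimate pages update their title while unfocused; what it keys on is the combination the page above describes, a login form that was not there before together with a new title or favicon. A real monitor would also want to watch for the page navigating away and back, which this snapshot does not cover.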

Raskin’s blog post is here: “A New Type of Phishing Attack”

Well-known security blogger Brian Krebs also wrote about Raskin’s find very nicely here.

Tom Kelchner
