tel: +2348055401551 (sms, whatsapp)
skype: tokunboajewole

TABNABBING

The following is a white-paper, written by Albert Ninyeh (Ponic), a friend and co-member of a Facebook group, African IT Professionals. The post is with permission of the author.

======== 88888888 ========



Tabnabbing is a computer Exploit and Phishing attack, which persuades users to submit their Login details and Password to popular Websites by impersonating those sites and convincing the user that the site is genuine. The attack's name was given in early 2010 by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.

The exploit employs scripts to rewrite a page of average interest with an impersonation of a well-known website, when left unattended for some time. A user who returns after a while and sees the rewritten page may be induced to believe the page is legitimate and enter their login, password and other details that will be used for improper purposes. The attack can be made more likely to succeed if the script checks for well-known Web sites the user has loaded in the past or in other tabs, and loads a simulation (Virtual or Fake Website) of the same legitimate sites. This attack can be done even if JavaScript is disabled, using the "meta refreshmeta element, an HTML attribute used for page redirection that causes a reload of a specified new page after a given time interval. Just visit Aza’s article, switch to another tab for 5 seconds and see what happens. Nice clean demo, and as scary as it is simple.
There’s no reload because it’s possible to change favicon, title, and page contents via JavaScript. Reading through the comments, the attack seems to work most consistently and potently in Firefox, with other browsers being a mixed bag based on how they handle dynamic favicons and the focus event.

The steps in detail:
1. A user navigates to your normal looking site.
2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of JavaScript that takes place instantly.
4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

Aza also notes the attack could get a lot more potent if they (a) used the CSS history exploit to discover which sites the user has visited; (b) employed certain other techniques, like timing attacks, to determine which services a user is currently logged into.

Solution:
What should you do to protect yourself? Well, it’s suggested by Aza thinks you should use Firefox, which has an Account Manager feature that is supposed to help protect you from this kind of attack. But what about the next phishing attack? Or what if you prefer a different browser? Read on for a better solution that will allow you to use just about any browser you choose.

To protect yourself against Tabnabbing, 1Password.if you have not really heard of 1Password; it will be a great opportunity to check it out. 1Paaword does not only creates a sure and strong password for you, but also manage your login information’s  and also fill in forms automatically without you always have to type them in which makes it secure from credential harvesting  and also save you a lot of time. NB: 1Password ONLY remembers or fills in form u saved login information’s for. 1Password won't be looked over the way the human eye can be. For instance, if you save your login information in a site such as Gmail in 1password, and another website manages to trick you into thinking that it is Gmail, it won't be fooled or tricked by 1Password. One cool feature about 1password I love most is the Fill and Submit, let’s say Maybe you'll close a tab that you were about to type in your login information’s or let 1password do the filling and accidently, you closed it and re-open a new one; 1Password's awesome "Fill and Submit" feature which will pull up the proper site and automatically log you in. What you almost certainly will not do is blindly type your username and password in, because 1Password makes it so easy to do it securely. Not that 1Password costs $40, but also has a 30 days evaluation; it also has an iPhone and IPad App. 1Password even lets you sync your password data via Dropbox.

References

  • http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
  • http://ajaxian.com/archives/tabnabbing-phishing-by-switching-background-tab-content
  • http://www.tuaw.com/2010/06/01/protect-your-browser-from-tabnabbing/
  • http://www.breakthesecurity.com/2011/08/advanced-tabnabbing-phishing-attack.html




alt

Comments   

 
0 #1 Albert Ponic 2011-10-17 19:51
Thanks very much Bruh..I really appreciate it all.I will keep u posted with more Articles.
Quote
 

Add comment


Security code
Refresh

I use Linux 24x7

Recent Comments