• About the Author
  • About this Blog

  • Devious New Phishing Tactic Targets Tabs

    Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.

    As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javacript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

    Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes the both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.

    In this attack, the phisher need not even change the Web address displayed in the browser’s navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls “the perceived immutability of tabs.” Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.

    “When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in,” Raskin explained. “After the user has enter they have entered their login information and sent it back your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”

    Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.

    It’s important to keep in mind that this attack could be used against any site, not just Gmail. Also, Raskin includes a few suggestions about how this attack could be made far sneakier — such as taking advantage of CSS history attacks.

    Of course, if you are browsing with the excellent “Noscript” add-on and this is a site you have not allowed to run javascript, the proof-of-concept won’t work until you allow javascript on the page. It did not work completely against the Safari browser on my Mac (no favicon), and the test page failed completely against Google Chrome.

    I’m left wondering what this new form of phishing will be called if it is ever adopted by the bad guys. Tabnabbing? Tabgrabbing? See if you can coin a better phrase in the comments below.

    Bookmark and Share

    Tags: , ,


    1. Kinda just like the paper/presoby Moxie Marlinspike from BH09 but less advanced (no ssl stripping) but the same idea with the perception of the user. In his attack they throw in the favico trick to visually engineer pages.

      Like or Dislike: Thumb up 2 Thumb down 0

    2. Tabnapping!

      Like or Dislike: Thumb up 2 Thumb down 2

    3. in keeping with some of the other web attack names, how about cross site login forgery

      Like or Dislike: Thumb up 1 Thumb down 0

    4. This is why I HATE webmail and use Outlook with SSL POP3 configured to read all mail as plain text. (Minimize any HTML tricks).

      Also, this would be rather easy to mitigate by only opening one tab or window! In fact, I take it further as listed below when it comes to any website of sensitive nature (ex. online banking):

      1. Close all browser tabs and/or windows AND any other web based programs (those that may use the browser cache or Flash Player cache)
      2. Clear browser cache and cookies (I use a batch file that does this and also deletes Flash Player cookie and cache directories)
      3. Launch browser in No Add-ons mode and a blank page
      4. Use a bookmark to bring up the login page or manually type known URL
      5. NEVER browse to any other site while logged into first site
      6. When finished, use the log off function of the website
      7. Close the browser
      8. Repeat step 2 to clear everything again

      It may seem like a pain, but it minimizes the chance of any shenanigans when using sites of sensitive nature.

      Like or Dislike: Thumb up 0 Thumb down 1

    5. Yes, use No-Script aggressively – only run scripts you need to run – and the only java you should use is the stuff you drink.

      Like or Dislike: Thumb up 0 Thumb down 0

    6. The creativity and imagination of cyber-criminals constantly amazes me. The world truly is their oyster, I guess.

      TabCloaking or maybe TabJacking comes to mind.

      Love your blog, Brian.

      Like or Dislike: Thumb up 1 Thumb down 0

    7. I have an invention that fixes the phishing problem for network owners to stop their users being fooled.

      Like or Dislike: Thumb up 0 Thumb down 0

    Leave a comment