September 10, 2014 at 18:29

Tabnabbing: Extravagant Phishing


    The last three days are noteworthy because three large databases of Yandex mail accounts , Yandex.ru and Gmail got into the network .

    Many users of Habr, as well as other thematic resources on security issues, agree that the accounts most likely got into the databases either as a result of infection of users' computers with Trojans, or as a result of phishing attacks.

    In the wake of these heated discussions, I would like to talk about one of the beautiful ways to steal user data, quite old, but still relevant, which was not written about on the hub.

    In 2010, Asa Raskin , son of Jeff Raskin, shared on his blog a very interesting, it seems to me, phishing method, which he called Tabnabbing.

    Its essence is as follows:

    1. The attacker attracts the user to a page on his site that looks completely normal and the way the user expects to see it.
    2. The attacker determines that the user has not interacted with the page for a long time, or even switched to another tab.
    3. While the page is inactive - its favicon is replaced with the site icon, under which it will be masked.
    4. The content of the page changes to the content of the fake login form of the site under which it is masked.
    5. With a certain rather high degree of probability, the user, returning to the tab - without hesitation, will automatically enter his username and password.
    6. After intercepting the authorization data, the user can simply be redirected to the attacked site, because most likely he is already authorized on it and this is what he will expect.

    Implementation

    The prototype code that tracks user behavior may look something like this: 

    window.onblur = function(){
  TIMER = setTimeout(time_to_change, 5000);
}  
window.onfocus = function(){
  if(TIMER) clearTimeout(TIMER);
}
function time_to_change() {
  if( HAS_SWITCHED == false ){
    change_content();
    change_title( "Gmail: Email from Google");    
    set_favicon("https://mail.google.com/favicon.ico");
    HAS_SWITCHED = true;    
  }
}


    That is, the interception of user behavior itself is quite trivial, and not complicated. Further, the change_content () function is responsible for creating new elements of the DOM tree that will be displayed on top of the original page content.

    And if you like to nostalgic:

    Aza Raskin, in his post on this topic, implemented an example of this behavior, and if you switch the tab with the post, returning to it you will receive a screenshot of the 2010 Gmail authorization page.

    In any case, I would like to remind you - be extremely careful, this is the basis of your online safety.
    Tags:

    Also popular now: