Wow – I’ve just finished reading a recent blog post by Aza Raskin (creative lead for Firefox) and he presents an interesting new phishing attack vector for us to be(a)ware of, that of ‘Tabnabbing’.
The attack is structured as follows:
- The attacker gets a user to browse to a staging site
- When the user switches focus to another tab, the staging site changes its favicon and the page content to something the user will be familiar with; in his example, Aza uses a Gmail login or ‘credentials expired’ page.
- When the user next scans their open tabs, they recognise the familiar tab and switch to it – believing it to be the genuine article.
- Because it’s an existing open tab, they implicitly trust that the domain is what it should be. From there the credentials are captured and the user is redirected back to the legitimate site, oblivious that they’ve been scammed.
While this in itself is a rather graceful attack, Aza goes on to explain how its effectiveness can be further increased by mining the user’s browser history and then displaying, on demand, a page relevant to the user’s past logins to services. If that’s not enough to have you scanning your browser address bar every time you switch tabs, how about adding the ability to detect whether the user is already logged on to that service, then redirecting them, after the credential capture, to the already authenticated service.
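The attack hinges on the page rewriting its title, favicon and content only while the tab is in the background. As an added example (not code from Aza’s post), here is a defensive monitor in the style of a browser-extension content script: it snapshots those identity signals when the tab is hidden and flags any that changed by the time the tab is shown again. The snapshot field names, the suspicion rules and the sample snapshots are this example’s own assumptions.

```javascript
// Added example, not from the original post: flag pages whose identity changed while hidden.

// Pure comparison of two snapshots; runs anywhere (Node or browser).
function compareSnapshots(before, after) {
  const findings = [];
  if (before.host !== after.host) findings.push('host changed while hidden');
  if (before.title !== after.title) findings.push('title changed while hidden');
  if (before.favicon !== after.favicon) findings.push('favicon changed while hidden');
  if (after.passwordFields > before.passwordFields) {
    findings.push('password field appeared while hidden');
  }
  return { suspicious: findings.length > 0, findings };
}

// Browser-only: read the signals a tabnabbing page rewrites (title, favicon, login form).
function snapshotPage(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    host: loc.hostname,
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Wire the check to the Page Visibility API; onAlert receives the findings.
function installTabnabMonitor(doc, loc, onAlert) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotPage(doc, loc);   // remember what the user last saw
    } else if (hiddenSnapshot) {
      const result = compareSnapshots(hiddenSnapshot, snapshotPage(doc, loc));
      if (result.suspicious) onAlert(result);
      hiddenSnapshot = null;
    }
  });
}

// Constructed sample snapshots mirroring the post's scenario: a blog page that turns
// into a webmail-style login (new title, favicon and password field) while hidden.
const SAMPLE_BEFORE = { host: 'blog.example', title: 'A blog post', favicon: '/blog.ico', passwordFields: 0 };
const SAMPLE_AFTER = { host: 'blog.example', title: 'Sign in - Webmail', favicon: '/mail.ico', passwordFields: 1 };

function demo() { return compareSnapshots(SAMPLE_BEFORE, SAMPLE_AFTER); }

if (typeof document !== 'undefined') {
  installTabnabMonitor(document, location, (r) => console.warn('Possible tabnabbing:', r.findings));
}
```

Note that the host is unchanged in the sample: that is the whole point of the attack, so a monitor that only watches the address bar would see nothing.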
This attack demonstrates quite clearly that, as the browser increasingly becomes the entry point for both our professional and social interactions, it is also becoming an attack vector with massive potential for damage and loss.
Be careful out there.