Tabnabbing – An Even More Evil Phishing Attack

Image by Flickr user 'Toasty' http://www.flickr.com/photos/toasty/1276202472/Wow – I’ve just finished reading a recent blog post by Aza Raskin (creative lead for Firefox) and he presents an interesting new phishing attack vector for us to be(a)ware of, that of ‘Tabnabbing’.

For many of us, phishing attempts, (that is – attempts by ‘evil’ sites or emails to pretend they are from legitimate sources and then dupe the user into revealing login credentials or other useful information) are fairly easy to spot. Some are stupidly obvious such as the now well known tale of the government official who needs to get large sums of money out of the country, others are less blatant and use shortened URL services or minor misspellings to trick people into clicking their links. But now, joining the ever growing list of ways to socially engineer an inattentive user into revealing useful information, is some very clever javascript which seeks to fool us when we’re not looking!

The attack is structured as follows:

  1. The attacker gets a user to browse to a staging site
  2. When the user switches focus to another tab, the staging site then changes the favicon, and the content displayed on the page to something which the user will be familiar with – in his example, Aza uses a Gmail login or ‘credentials expired’ page.
  3. When the user next scans their open tabs, they recognise the familiar tab and switch to it – believing it to be the genuine article.
  4. Because it’s an existing open tab, they implicitly trust that the domain is what it should be – and from there the credentials are captured – and the user is redirected back to the legitimate site, oblivious that they’ve been scammed.

Continue reading “Tabnabbing – An Even More Evil Phishing Attack”

“If something seems too good to be true…

…it probably is.”

It’s an old, well-worn saying for sure, but it holds as true today as it did way back whenever the anonymous, cynical, amateur philosopher came up with it.

Recently in New Zealand, there have been an increase in phishing attempts trying to get people to open email attachments which then deploy malware onto the computer, and recruit your PC into a global network of compromised machines.

A few weeks ago, there were a number of emails arriving to various mailboxes I hold claiming to be from DHL or UPS and containing details of a package delivery, over the last few days, this threat has evolved to include messages purporting to be from Amazon and including details of a paid order.

The short version of this post is simply:

Don’t open attachments from people you do not know”

…but we can also extend this advice to “Treat any attachments or links from people you think you may know with a healthy dose of caution”.

For those who are interested in a little more information

The biggest risk around phishing attacks is they take advantage of our human nature of curiosity, implied trust of people (especially those we believe we know) and, dare we say it – greed. These “social hacks” are useful in that it’s relatively simple to change the appearance of an email so it looks like it comes from a friend or colleague, or to obscure a link to make it appear that is comes from your bank, or favourite social networking site.

It’s human nature…

The very nature of how we as humans operate is once we recognise a name we believe we can trust, we instinctively lower our defenses to being scammed and are often convinced to click that link, or open that email attachment.

The best defense against such attempts is a healthy dose of skepticism, look closely at the link, does it look long and complicated, does it redirect through a web domain that you don’t recognise?

Scan your email attachments – and, if you are in any doubt, contact your friend/colleague to check on the attachments validity. Or, visit the website directly rather than clicking on the link within the message – if it is your bank contacting you, you’ll still be able to access the information directly from the bank website, if it is a message from Facebook – you’ll also be able to get those updates direct from the site.

Protection at Home

In terms of viruses and malware, we don’t have anything near the same level of protection that we may enjoy on a corporate network. It’s up to us, whether we’re at work or home, to make the right decisions when dealing with any communications which may expose us, our machines, our data to risk. Email, Instant Messenger links, Social Network links/messages/applications, the list goes on – they’re all targets

The best advice I can offer is:

  • Keep your operating system and applications updated with the latest patches as they are released
  • Invest in a good anti-virus/anti-malware program, keep it updated daily – and use it to perform regular full scans on your systems, as well as checking out those suspicious files
  • Access websites from your browser rather than via emailed links
  • Perform regular backups of your important files (don’t forget your digital photos & video)
  • If you think you may have been compromised, scan your systems, change your passwords and seek help.

Above all, employ a healthy dose of skepticism when dealing with communications that you are not expecting, even when you believe you know the sender – and be careful out there…