The TechCentrics Where Technology and the Internet Meet

26 May 2010

Tabjacking

Posted by Steve Rhinesmith

It is pretty common through the course of using the Internet and e-mail to run across phishing scams and fake web pages attempting to fool you into giving away your user name and password. Some are done better than others, and even the most careful users can fall into the trap.

There is a new type of vulnerability I want to help spread the word about. I feel that being educated on these types of phishing tactics is the only real way to prevent them from affecting you. And, while this type of scam is still not heavily exploited... the way in which it operates is ingenious, and could potentially cause massive amounts of trouble for PC users.

This new type of phishing tactic is being referred to as Tabjacking. With the newest generation of browsers (IE 8, Firefox, Opera, Chrome) the new tab button is used heavily as an easy alternative to opening new windows, increasing multitasking capabilities. With so many tabs open, this exploit banks on the fact that a user may not remember what they have opened, for example their bank account in another tab.

The site hosting the exploit has the ability to change the 'favicon' (the little picture by the site's name that helps users identify it, like a Bank of America logo), the site's title (to something like "Bank of America | Home | Personal"), and the site's contents... to look almost identical to a Bank of America log-on page. While this would be a hard phishing attempt to pull off (considering the amount of security, and the visual pass-phrases banks including BoA use to protect their clients), there are other examples that would cause just as much trouble for users.

Let's look at this example to see how nasty this variant of phishing could be:

Imagine logging into your web based e-mail account. Over the course of 10 minutes it is possible that you have opened 5 separate tabs for individual messages, or for links you've encountered in an email from a friend. Unfortunately, one of the pages you went to while checking your email contains code that will attempt to fool you. When you're not looking, and busy with another tab, the page will instantly transform without notice to look like your e-mail's log-on screen. You were already in your email... so it is realistic that perhaps your session timed out, and you do in fact need to log in again. It is this feeling of security between tabs that makes this attack so dangerous.

There is a proof of concept located at: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

This page will transform after you look away from it into a picture of the Gmail log-in screen (to help show how the attack works, not to try to solicit information).
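To make the pattern concrete from the defender's side, here is an added example (not code from this post or from the linked proof of concept) of the kind of logic a browser-extension content script could use to notice exactly the behaviour described above: a tab that rewrites its own title and favicon while you are looking at another tab, and then presents a password field. The function names, the event shapes, the keyword list and the sample events are all assumptions made for this example.

```javascript
// Added example for this post, not code from the original page or from the
// linked proof of concept. Flags a tab that re-identifies itself (title,
// favicon) while hidden and then asks for a password. All names, event
// shapes and the keyword list below are assumptions made for illustration.

// Title words that suggest a login page; constructed list, case-insensitive.
const LOGIN_WORDS = ["log in", "login", "log on", "sign in", "signin"];

function looksLikeLoginTitle(title) {
  const t = String(title || "").toLowerCase();
  return LOGIN_WORDS.some((w) => t.includes(w));
}

// Pure decision logic over a chronological list of events, kept free of DOM
// calls so it can run and be tested outside a browser. Event shapes:
//   { type: "hidden" } / { type: "visible" }
//   { type: "title",   from, to }   { type: "favicon", from, to }
//   { type: "password-field" }
function analyzeTabEvents(events) {
  let hidden = false;
  let identityChangedWhileHidden = false;
  let loginTitleSeen = false;
  let passwordFieldSeen = false;
  const findings = [];

  for (const ev of events) {
    if (ev.type === "hidden") hidden = true;
    else if (ev.type === "visible") hidden = false;
    else if (ev.type === "title" || ev.type === "favicon") {
      // Title/favicon changes are normal while a tab is visible (new mail
      // counts, navigation); changing them while unwatched is the signal.
      if (hidden && ev.from !== ev.to) {
        identityChangedWhileHidden = true;
        findings.push(`${ev.type} changed while tab was hidden: "${ev.from}" -> "${ev.to}"`);
      }
      if (ev.type === "title" && looksLikeLoginTitle(ev.to)) loginTitleSeen = true;
    } else if (ev.type === "password-field") {
      passwordFieldSeen = true;
    }
  }

  // Re-identifying while unwatched and then asking for a password is the
  // pattern from the post; a login-looking title alone is only a hint.
  const suspicious = identityChangedWhileHidden && passwordFieldSeen;
  if (suspicious) findings.push("password field present after identity change while hidden");
  return { suspicious, loginTitleSeen, findings };
}

// Browser wiring: records the events above from visibilitychange and DOM
// mutations, and calls onAlert with the analysis when it turns suspicious.
function installTabnabbingWatch(doc, onAlert) {
  const events = [];
  const faviconHref = () => {
    const link = doc.querySelector('link[rel~="icon"]');
    return link ? link.href : "";
  };
  let lastTitle = doc.title;
  let lastFavicon = faviconHref();

  const evaluate = () => {
    const result = analyzeTabEvents(events);
    if (result.suspicious) onAlert(result);
  };

  doc.addEventListener("visibilitychange", () => {
    events.push({ type: doc.hidden ? "hidden" : "visible" });
    evaluate();
  });

  const observer = new MutationObserver(() => {
    if (doc.title !== lastTitle) {
      events.push({ type: "title", from: lastTitle, to: doc.title });
      lastTitle = doc.title;
    }
    const icon = faviconHref();
    if (icon !== lastFavicon) {
      events.push({ type: "favicon", from: lastFavicon, to: icon });
      lastFavicon = icon;
    }
    if (doc.querySelector('input[type="password"]') &&
        !events.some((e) => e.type === "password-field")) {
      events.push({ type: "password-field" });
    }
    evaluate();
  });
  observer.observe(doc.documentElement,
    { childList: true, subtree: true, attributes: true, characterData: true });
  return observer;
}

// Only wire up the DOM watcher where a document exists (i.e. in a browser).
if (typeof document !== "undefined") {
  installTabnabbingWatch(document, (r) => console.warn("possible tabjacking:", r.findings));
}
```

The split between `analyzeTabEvents` and `installTabnabbingWatch` is deliberate: the decision rule is the part worth reasoning about and testing, while the DOM plumbing just feeds it. Note the rule fires only on the combination (identity change while hidden, then a password field), because a visible tab legitimately changes its title all the time, for instance an inbox updating its unread count.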

While this attack mode is still in its infancy, it is good to recognize that it could cause problems in the future, and users should be on the lookout for it.

-Steve, for TTC
