Warnings have been made of a new phishing tactic that targets tabs and exploits user lack of attention and trust.
Security blogger Brian Krebs claimed that this was ‘likely to fool even the most security-conscious web surfers'. This is because it involves a user having six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for a webmail account.
Referencing Firefox creative lead Aza Raskin, Krebs said: “In this attack, the phisher need not even change the web address displayed in the browser's navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail. Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a webmail tab open.
“When they click back to the fake webmail tab, they'll see the standard webmail login page, assume they've been logged out, and provide their credentials to log in. After the user has entered their login information and sent it back your server, you redirect them to a webmail account. Because they were never logged out in the first place, it will appear as if the login was successful.”
Raskin called the new type of phishing attack ‘tabnabbing', and claimed that there were many ways to potentially improve the efficacy of this attack. This includes using a CSS history miner to detect which site a visitor uses and then attack that site, or change the copy by instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate.
Raskin said: “Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your website as a staging ground for this kind of attack. If you are the evil doer, you can have this behaviour only occur once in a while, and only if the user uses a targeted service. In other words, it could be hard to detect.
“You can also use cross-site scripting vulnerabilities to force the attack to be performed by other websites. And for browsers that do not support changing the favicon, you can use a location.assign call to navigate the page to a controlled domain with the correct favicon. As long as the user wasn't looking at the tab when the refresh occurred (which they won't be), they'll have no idea what hit them. Combine this with lookalike Unicode domain names and even the most savvy user will have trouble detecting anything is amiss.”
Network Box's internet security analyst Simon Heron commented that it is now common practice for internet users to login to several websites at once using the tab method, and a recent study by Firefox found that an average of 73.3 per cent of tab switches were revisits.
“It's important to remember that when we fill out online forms and submit login details, we are entrusting our information to an organisation outside our control. It's not enough just to trust these organisations to protect our data. We need to make sure we do too.”