
Forum Moderators: incrediBILL & lawman


New type of phishing attack.

Browser tab napping. Pretty scary.

     
9:32 am on May 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is a little scary, because it's so simple. I have considered myself pretty much safe from phishing attacks, but this might be the one I might fall for:

It works like this: If you have several browser tabs open, then visit a website in one tab and then switch to another tab, the website might check if it has lost the focus - then change its contents including title tag and its favicon.

The tab that was called "widget site" before and had the "widget site" favicon, might now be called "Gmail" or "Paypal" in the tab, display the favicon of this website in its tab and might have replaced its contents with the login site.

More information and a demonstration here on Aza Raskin's website:

[azarask.in...]

Just open this website in a new tab, then switch to another tab and wait five seconds and see what happens.

It affects browsers differently. Most affected is Firefox. In Firefox, the favicon, title and content are changed. In Internet Explorer it does not display a favicon at all and Opera does not display a new favicon. Chrome does not seem to be affected.
4:35 am on May 27, 2010 (gmt 0)

10+ Year Member



Clever. Many people wouldn't bother to look up at the address bar.
3:01 pm on May 27, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Wow, that is slick, the web page is saying "hey, nobody is looking, let's make a quick switch."

The article does say Chrome is affected.
3:39 pm on May 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The article does say Chrome is affected.


Haha, seems Chrome "fixed" the issue of not being affected with an update recently.
2:16 pm on May 28, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do watch the demo video. Very clear how this is a very serious issue.
7:10 pm on May 28, 2010 (gmt 0)

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



This is a worry. Anyone could fall into that trap.

Mack.
7:39 pm on May 28, 2010 (gmt 0)

5+ Year Member



This is the first Phishing attack in a long time that has me worried. The evidence is mounting for me to give in and install Noscript on Firefox.
9:29 pm on May 28, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Wow .. that is very slick... and very scary!
9:48 pm on May 28, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My strategy is still to use one browser exclusively for very secure things and never for anything else - seriously reduces the risk of things like this happening.
10:08 pm on May 28, 2010 (gmt 0)

5+ Year Member



Many people I know keep their Gmail window open all day, so I'm guessing that will be a primary target.

This is as brilliant as it is scary!
10:13 pm on May 28, 2010 (gmt 0)

5+ Year Member



Bring back IE 6 with no tabs :P
1:33 am on May 29, 2010 (gmt 0)

5+ Year Member



nice ~ wonderful
2:09 am on May 29, 2010 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Heads up for FF running NoScript... it has been updated to prevent this...
5:56 pm on May 29, 2010 (gmt 0)

5+ Year Member



Firefox users need an extension that causes the address bar to flash red if the content of the page has changed between the time they moved to a new tab and when they came back to the tab.
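
The check proposed in the post above, sketched as an added example (not code from this thread or from any real extension): snapshot the title, favicon and body text when a tab is hidden, and compare when the user returns. All function names are hypothetical, `fakeDoc` builds constructed stand-ins for a document, and the code assumes it runs somewhere the page's own scripts cannot tamper with, such as an extension content script.

```javascript
// Cheap non-cryptographic fingerprint (FNV-1a) of the page text; enough to notice a swap.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// Record what the user recognises the tab by: title, favicon URL, body text.
function snapshotTab(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    body: fingerprint(doc.body ? doc.body.textContent : ''),
  };
}

// Names of the fields that differ between two snapshots.
function changedFields(before, after) {
  return Object.keys(before).filter((k) => before[k] !== after[k]);
}

// Title and favicon changing together is the disguise described in this thread;
// a title-only change such as "(1) Inbox" is ordinary behaviour.
function looksLikeTabnapping(changed) {
  return changed.includes('title') && changed.includes('favicon');
}

// Browser wiring: snapshot when the tab is hidden, compare when it is shown again.
if (typeof document !== 'undefined') {
  let before = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { before = snapshotTab(document); return; }
    const changed = before ? changedFields(before, snapshotTab(document)) : [];
    if (looksLikeTabnapping(changed)) console.warn('Tab changed while hidden:', changed);
  });
}

// Constructed stand-in for a document, so the comparison logic also runs under Node.
function fakeDoc(title, href, text) {
  return { title, body: { textContent: text }, querySelector: () => ({ href }) };
}
```

The title-plus-favicon rule is a heuristic chosen for this sketch; a page that legitimately swaps both (for example a session-timeout screen with a different icon) would also trigger it.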
1:15 am on May 30, 2010 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member



That's very cool.
6:22 am on May 30, 2010 (gmt 0)

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member



It would be more cool if tabs not in use were locked, as if someone pressed the little red x, unless that option is turned off by choice.
7:47 am on May 30, 2010 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



I am 1990s folk... I have ONE tab open at any time, and the second--when I opt for it--only open long enough to see that contents. There is a drawback to too many processes in use. Looking at this from the user side. And also seeing it from the giggle (sic) side as only small processes in use at any time expanded across multiple (x) processes (not processors) to get a job done.

Meanwhile commonsense is applied: if you only have one tab open, there's no way this newly discovered event can work against the user. Regardless of browser...

Reminded of those elder daze (sic) when multitasking was first introduced. And failures and reboots and... how cool is it that what has gone before comes back around to bite us in the arse? YMMV.
4:07 pm on May 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Firefox users need an extension that causes the address bar to flash red if the content of the page has changed between the time they moved to a new tab and when they came back to the tab.


They need to lock the content on the tab or something like that. A flashing tab wouldn't work on my bank's site because it logs you out after x minutes of inactivity. A flashing tab would not be anything out of the ordinary.
6:16 pm on May 30, 2010 (gmt 0)

WebmasterWorld Senior Member trillianjedi is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Oh that's utterly brilliant :)

Mega-slick.
1:21 pm on May 31, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Consistent use of a good password manager, such as LastPass, should prevent this sort of attack since they would be looking at the actual URL of the page, not the appearance.
5:23 pm on Jun 4, 2010 (gmt 0)

10+ Year Member



Try NOT switching to another tab - it still refreshed/redirected after 5 secs (at least in Maxthon 1).
10:49 pm on Jun 5, 2010 (gmt 0)

10+ Year Member



My strategy is still to use one browser exclusively for very secure things and never for anything else - seriously reduces the risk of things like this happening.


That's exactly what I started doing after I first became aware of cross-site scripting attacks. I use one browser and one browser only for bank logins, PayPal, brokerage accounts, affiliate accounts -- all financial sites and other sites of all types where there's a strong need for security. I never use that browser to visit any other sites. Then there are all the other browsers I have and use -- they're never used for any important logins.

If the "wrong" browser was suddenly showing me a login page for one of those accounts, it would immediately send up red flags.
 
