Radsoft

Tabnabbing

A new type of exploit.



There's a new type of exploit afoot. It affects all operating systems and it affects all browsers because it's completely JavaScript-based. It's a 'phishing' attack but it's more effective than the traditional phishing attacks because it doesn't ask you to click a link to get to a page, doesn't tell you your banking credentials need to be reset, none of that.

All that's required is you surf to the wrong kind of (or infected) website to begin with.


The discovery was made by Aza Raskin who is a project leader for Firefox. Raskin has a 'proof of concept' page online so you can test yourself. The POC is not sophisticated but actual attacks would be.

This is how it works.

  1. You surf to the 'wrong' type of site. This can also be a website (such as Microsoft IIS/ASP) that's been infected.
  2. You 'tab away' from your current tab and into a new one.
  3. After a predefined time interval (five seconds in the POC) the tab you just left magically changes into a page for one of your secure sites such as your bank's or Gmail or whatever. (The POC uses a screen dump mockup of Gmail.)
  4. The title in the old tab changes too but most likely you won't notice this. (But if you keep your eyes peeled when running the POC and count slowly to 'five' you'll see it.)
  5. The 'favicon' can also change on several browser platforms.
  6. You'll appear (for example) to be logged out of your other site when you return to the tab.
  7. You reenter your login credentials and you're back in.

But the joke is you were never logged out in the first place. The second joke is the phishers now have your login credentials because you just gave them away.
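
The sequence above leaves three things a defender can observe when the tab is reactivated: a new title, a new favicon, and a login form that wasn't there before. The following is an added example (not from this page or from either POC) that sketches that check in JavaScript; the names snapshot, diffOnReturn and TabWatch, the sample page objects and the scoring rule are all assumptions made for illustration.

```javascript
// Added example: flag a tab whose identity changed while it was hidden.
// snapshot, diffOnReturn, TabWatch and the sample pages are hypothetical.
// Reduce a page to the fields the attack rewrites (title, favicon, login form).
function snapshot(page) {
  return {
    title: page.title,
    favicon: page.favicon,
    hasPasswordField: page.inputs.some((i) => i.type === 'password'),
  };
}

// Compare the state recorded at tab-away with the state seen on return.
function diffOnReturn(before, after) {
  const changed = [];
  if (before.title !== after.title) changed.push('title');
  if (before.favicon !== after.favicon) changed.push('favicon');
  if (!before.hasPasswordField && after.hasPasswordField) changed.push('login-form');
  return changed;
}

class TabWatch {
  constructor() { this.before = null; }
  // Call when the tab is hidden (in a browser: visibilitychange with document.hidden true).
  onHidden(page) { this.before = snapshot(page); }
  // Call when the tab is shown again; returns what changed and a verdict.
  onVisible(page) {
    if (!this.before) return { suspicious: false, changed: [] };
    const changed = diffOnReturn(this.before, snapshot(page));
    this.before = null;
    // Assumed heuristic: a title change alone is common (unread counters);
    // a login form that appeared while hidden plus a new title or favicon is not.
    return { suspicious: changed.includes('login-form') && changed.length >= 2, changed };
  }
}

// Constructed sample states, not captured from any real site.
const article = { title: 'Cat pictures', favicon: '/cat.ico', inputs: [{ type: 'search' }] };
const swapped = { title: 'Mail: sign in', favicon: '/mail.ico', inputs: [{ type: 'password' }] };
const counter = { title: '(1) Cat pictures', favicon: '/cat.ico', inputs: [{ type: 'search' }] };

function demo() {
  const watch = new TabWatch();
  watch.onHidden(article);
  const attack = watch.onVisible(swapped);
  watch.onHidden(article);
  const benign = watch.onVisible(counter);
  return { attack, benign };
}
console.log(JSON.stringify(demo()));
```

The title-only change in the second sample is reported but not flagged, which keeps ordinary pages that update their title in the background from raising alarms.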

Aviv Raff has put together an even hastier POC that shows the trick works with various FF add-ons such as NoScript. At the present time some of these tricks aren't good enough to fool everyone but given a little time they very well may be.

Mitigation

Mitigating this attack isn't easy. Avoiding sleazy sites is a start; avoiding sites that can easily be hacked (particularly Redmond's) can also be a help. And the good news is only about 30% of web servers run their software anyway.

Another precaution which should always work is restarting your browser before doing anything secure and never opening additional tabs. (The attack works by modifying only inactive tabs that you're not currently using.) A final sure-fire way is to never use JavaScript, as this attack is totally based on JavaScript. (Good luck with that.)

Other things that cannot work (and will only lull you into a false sense of security):

√ Using a live CD. Live CDs are good and prevent you from being exploited by malware already resident on your computer. But this attack has nothing to do with your computer. It's based totally on what's found on a web page. If you surf to the wrong type of site, you're still going to be hit.

This isn't to say live CDs are suddenly ineffective - they are good. But you have to use them for secure transactions and nothing else. And keep to a single tab. And have JavaScript off by default and don't turn it on unless you have to.

√ Running Windows/IE and cleaning caches. Unbelievably enough, a user claiming '14+' years of experience maintained the following script was adequate in protecting Windows XP systems.

@rem Close all open programs before running

@rem %username% - applies to currently logged in user, can be replaced with specific profile username

@rem Removes Adobe Flash Player cache and cookie directories
rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe\Flash Player"
rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Macromedia"

@rem Clears User Profile 'Temp' folder files
del /F /Q "C:\Documents and Settings\%username%\Local Settings\Temp"

@rem Clears IE Temporary Internet Files, Cookies, History, Form Data, and Stored passwords
@rem (Applies only to IE7 and newer)
rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

@rem Prompts to press any key to continue (to see whether previous command finished before continuing)
pause

@rem Exits batch file
exit

The POCs

See the links below for the proofs of concept. The second one by Aviv Raff will merely show how Firefox add-ons can be circumvented. Keep your eyes on the first one: surf to the link, open a new tab but keep an eye on the old one, and count slowly to five.

'It all starts with being disciplined in not only setting up multiple layers of defense (defense in depth) but also in operating the computers in a way to ensure they remain clean. I've been doing so for 14+ years.'

See Also
Aza on Design: A New Type of Phishing Attack
Aviv Raff: Devious New Phishing Attack Targets Tabs
