Skip to main content

Advanced Tabnabbing -Phishing Attack simplified

By
What is Tabnabbing ?  Tabnabbing is Phishing attack that simplifies the phishing.The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert.  This will reload the inactive tabs with fake page

How The Attack Works ?
  • A user navigates to your normal looking site.
  • A malicious code detect when the page has lost its focus and hasn’t been interacted with for a while.
  • Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.
  • As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
  • After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

Targeted Attacks:
Using my CSS history miner you can detect which site a visitor uses and then attack that site (although this is no longer possible in Firefox betas). For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand. 

Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML webpage in a script tag*. Once you know what services a user is currently logged in to, the attack becomes even more effective.

You can make this attack even more effective by changing the copy: Instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.

You can get this code from here:
http://www.azarask.in/projects/bgattack.js
How to protect yourself from this hack?
  • You can use a safe browser that uses anti-javascript plugins (Firefox with noscript). Note: Advanced Tabnabbing will work even javascript is not enabled. 
  • Check the url in the address bar.
  • If you got link in emails, enter the url in address bar instead of clickin it.
  • You can use some Anit Phishing add ons like(Don't Phish me,Netcraft,FirePhish) .

Labels:

Comments

Post a Comment

Popular posts from this blog

Place Files Inside EXE and Execute them using Gamemaker

By
I am fond of creating games in Gamemaker and Mugen. However I found an interesting way to create executable files that may contain anything inside them (may be a whole cracked Program) and may act as extractors or copy protectors Tools required  GameMaker 7 or above Procedure  1) Download and Install Gamemaker and start a Game Project by going to File -> New.  2) Every game consists of a Room in which all objects shall act and interact with each other.So Create a new room by either clicking on the icon on Standard toolbar or by going to Resources Menu -> Create Room.Name it anything you want.In my case ROOM0  3)Every Game consists of Objects which are responsible for all interactions. So create a new object by either clicking on the icon on Standard toolbar or by going to Resources Menu -> Create Object.Name it anything you want.In my case VIRUS  4)Now create a new script (Press CTRL+ALT+C or Resources Menu -> Create Script),Name it SCRIPT0...
Post a Comment
Read more

How to Hack a Twitter Account

By
Twitter is one of the topmost widely running social networking sites,Its alexa ranking is 14(As per now).So therefore it is largely becoming target of hackers,Many requests keep coming to me ,please tell us a way to Hack twitter accounts or How to hack twitter accounts,so therefore i today i have written a post on How to hack twitter accounts Well for this purpose i will tell you the most used method to hack twitter accounts i.e phishing How to hack twitter accounts - Phishing First of all download:   Twitter fake login page ( Latest Version ) Click Here To Download : NOTE : You will be asked to enter a password while extracting the Documents. Please Insert the password as : IHA Step 1 First extract the contents into a folder Step 2 Then edit login.php .(right click and then select edit) In that ,find (CTRL+F) ‘http://rafayhackingarticles.blogspot.com’ then change it to your destined URL but don’t forget ‘'. Now rename the script to pass....
Post a Comment
Read more

How to use Keyloggers – Detailed Tutorial and FAQs

By
Here is a DETAILED tutorial which contains every possible information that you need to know about keyloggers which includes how to use it, how it works etc. WARNING: I highly recommend that you read this post completely since every single piece of information is important. I know most of you are new to the concept of keyloggers. For some of you, this might be the first time you heard about the term “keylogger”. So to give you a clear picture and make you understand better I would like to take up this post in the form of FAQs (Frequently Asked Questions). Here we go… 1. What is a Keylogger? A keylogger (also called as spy software) is a small program that monitors each and every keystroke a user types on a specific computer’s keyboard. A keylogger program can be installed just in a few seconds and once installed you are only a step away from getting the victim’s password. 2. How Keylogger works? Once the keylogger is installed on a PC, it starts operating in the backgrou...
Post a Comment
Read more