Tabnabbing is a computer exploit and phishing attack, which persuades
users to submittheir login details and passwords to popular websites
by impersonating those sites and convincing the user that the site is
genuine. The attack's name was coined in early 2010 by
Aza Raskin, a security researcher and design expert.
The attack takes advantage of user trust and inattention to detail in regard
to tabs, and the ability of modern web pages to rewrite tabs and their
contents a long time after the page is loaded. Tabnabbing operates in
reverse of most phishing attacks in that it doesn’t ask users to click
on a obfuscated link but instead loads a fake page in one of the open tabs
in your browser.
The exploit employs scripts to rewrite a page of average interest with
an impersonation of a well-known website, when left unattended for some
time. A user who returns after a while and sees the rewritten page may
be induced to believe the page is legitimate and enter their login, password
and other details that will be used for improper purposes. The attack can
be made more likely to succeed if the script checks for well known
Websites the user has loaded in the past or in other tabs, and loads a
simulation of the same sites. This attack can be done even if JavaScript is
disabled, using the "meta refresh" meta element, an HTML attribute used
for page redirection that causes a reload of a specified new page after a
given time interval.
The NoScript extension for Mozilla Firefox defends both from the JavaScript-
based and from the scriptless attack, based on meta refresh, by preventing
inactive tabs from changing the location of the page.
source
users to submittheir login details and passwords to popular websites
by impersonating those sites and convincing the user that the site is
genuine. The attack's name was coined in early 2010 by
Aza Raskin, a security researcher and design expert.
The attack takes advantage of user trust and inattention to detail in regard
to tabs, and the ability of modern web pages to rewrite tabs and their
contents a long time after the page is loaded. Tabnabbing operates in
reverse of most phishing attacks in that it doesn’t ask users to click
on a obfuscated link but instead loads a fake page in one of the open tabs
in your browser.
The exploit employs scripts to rewrite a page of average interest with
an impersonation of a well-known website, when left unattended for some
time. A user who returns after a while and sees the rewritten page may
be induced to believe the page is legitimate and enter their login, password
and other details that will be used for improper purposes. The attack can
be made more likely to succeed if the script checks for well known
Websites the user has loaded in the past or in other tabs, and loads a
simulation of the same sites. This attack can be done even if JavaScript is
disabled, using the "meta refresh" meta element, an HTML attribute used
for page redirection that causes a reload of a specified new page after a
given time interval.
The NoScript extension for Mozilla Firefox defends both from the JavaScript-
based and from the scriptless attack, based on meta refresh, by preventing
inactive tabs from changing the location of the page.
source
Comments
Post a Comment