
Tabnabbing: A New Type of Phishing Attack (2010) - gkop
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
======
rip747
Man did that fool me.

I clicked on the link and started to read the story, but then had to look up
an IIS error in a new tab. After my search I closed the current tab and I'm
face to face with an old gmail login page. I'm sitting there like "WTF?". I
refresh the page and the blog post comes back?!?!?

I finish reading the post and realized what had just happened. Kudos to the
author. That really is a brilliant attack.

~~~
jcampbell1
One solution I have seen, is you select a custom image during the account
signup process, and it appears on the login page. That way, if there is no
cartoon elephant on the login page, then it is not right.

My Chinese bank account does this. I am not sure how effective it is, and it
requires a two-step login, so it is terrible from a usability standpoint.

~~~
morgante
It's basically useless. Any decent attacker should be able to proxy your info
through, retrieve your image, and show it to you in the expected time frame.

~~~
phpnode
how would that work? How would the attacker "proxy your info through"?

~~~
philh
Suppose that to log in to friendface, you enter your username, then it shows
you the cartoon elephant that you selected beforehand, and you enter your
password.

When fake-friendface wants to phish you, they get your username, then they
give that username to friendface and receive your cartoon elephant in
exchange. They show you the cartoon elephant, and you decide that this must be
friendface.

~~~
imaginenore
And how do they "get your username" before you entered it?

~~~
emidln
How does friendface show your cartoon elephant before you enter your username?
(hint: it won't)

The way this works looking at banking websites is that the user enters a
username. Then they get some secret image + description that they previously
wrote and can enter their password.

~~~
Bognar
Most of the banking websites that do this also remember information about your
browser and IP. If it's a new computer, you're required to verify the computer
before they show you the image.

------
slantyyz
Fortunately, if you're using a password manager (and you don't have your
password memorized), your password manager plugin will probably say "no logins
saved for this site" which will clue you in on the attack.

~~~
_pmf_
> which will clue you in on the attack.

I would just assume that this is due to browser lag (since on my machine using
Chrome, I've usually written my credentials before the browser's delay for
notifying me about saved logins pops up).

~~~
morgante
No, most password managers (1Password, for example) will only fill in the
passwords if the domain matches.

Truth be told, I don't think this hack would work on anyone who is
sophisticated enough to use a password manager though. Who enters login info
without inspecting the URL?
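
The origin-matching rule described above, as an added example that is not code from any commenter or from any particular password manager. The vault entries and URLs are constructed sample data; it shows why a forged title or favicon buys the tabnabbed tab nothing.

```javascript
// Added example (not from any commenter): the origin-matching rule a password
// manager applies before offering saved credentials. A tabnabbed tab can forge
// the title and favicon, but it cannot change the origin the browser reports.
// The vault entries and URLs below are constructed sample data.

const VAULT = [
  { origin: "https://mail.google.com", username: "alice@example.com" },
  { origin: "https://accounts.google.com", username: "alice@example.com" },
];

// Saved logins eligible for autofill on the page at `pageUrl`: exact origin
// match (scheme + host + port). A typo domain, a lookalike suffix or an http
// downgrade of the real host all produce a different origin and get nothing.
function loginsFor(pageUrl) {
  let origin;
  try {
    origin = new URL(pageUrl).origin;
  } catch {
    return []; // unparsable URL: offer nothing
  }
  return VAULT.filter((entry) => entry.origin === origin);
}

// What the manager decides. `pageTitle` is accepted only to make the point
// that the forgeable cue is deliberately ignored.
function shouldAutofill(pageUrl, pageTitle) {
  void pageTitle;
  return loginsFor(pageUrl).length > 0;
}

// The cue a human relies on, for contrast: any page can set document.title.
function looksLikeGmailToAUser(pageTitle) {
  return /gmail/i.test(pageTitle);
}
```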

~~~
alandarev
Another truth is that phishing attacks target the masses. If unsophisticated
people are facing difficulties, it is going to be an enormously successful
attack vector, despite the fact that it completely fails in deceiving IT
people.

~~~
_pmf_
This is analogous to the Nigerian scams that are engineered on purpose to be
very crude in order to single out the most gullible persons.

------
biot
Another thing that's bitten me from time to time is what might be called
FocusNabbing: where you're entering a password into one site and something
else steals the focus, so now you're potentially typing part of your
credentials there. It could be some other application running in your OS
showing a modal alert or some other tab suddenly stealing focus (looking at
you, Google Calendar).

While this attack vector is far more difficult to exploit, there should be
protection against this kind of focus stealing. If your browser detects that
you currently have the focus in a password field, it should block any attempt
to switch the focus away to something else. The same should apply to the OS
itself.

~~~
gizmo686
Focusnabbing is (currently) a non-issue at the OS level because of keyloggers.
At least on X11, it is possible for a program to capture the key events of any
other program (in the same session), even if the other program is running as a
different user (including root).

I do not know if other systems are similarly vulnerable.

------
wlesieutre
Favicon isn't changing for me in Firefox 33. Also worth noting that it still
triggers when it's the frontmost tab in an unfocused window. I'd pulled up a
smaller window on top of it, so the change to Gmail was hard to miss.

Despite that, I can imagine people falling for this even if the favicon
doesn't match. They'll just say "Oh, Gmail's favicon is wrong. Silly web
browser." If they notice the favicon at all.

~~~
rschuetzler
Even with those things, most phishing is a matter of trying to get one out of
thousands to respond. So a few people may notice the change, but that doesn't
help the hundreds who may not.

------
gingerlime
I think this was published in 2010, so not really new - but probably still a
possible attack vector.

~~~
gkop
I didn't realize how old this post was when I submitted it :/

For as much as Aza brags about his UX expertise, not dating his technical blog
posts is inexcusable.

~~~
ritchiea
Some view it as a best practice:
[https://training.kalzumeus.com/newsletters/archive/content-m...](https://training.kalzumeus.com/newsletters/archive/content-marketing-strategy)

~~~
npsimons
And some would argue that truly timeless writing will transcend any timestamp
you put on it, but the timestamp still has immense value.

_You can, and should, make the strategic decision that you'll primarily
write things which retain their value._

With this, I heartily agree; leaving off a date, though, that's just rude. If
there are those who would judge your writing by the date it was written,
there's either something wrong with them, or something wrong with the writing.
As for the former, you can't do much about them, and probably don't want much
to do with them. As for the latter, well, keep aiming higher! The date can be
handy, though. Consider it a nod towards transparency and openness, and in
more technical pieces with specific instructions, a great boon to those
dealing with a version of the software a few years removed.

~~~
vertex-four
Additionally... how are we supposed to figure out when things fall out of
copyright if nobody puts dates on anything? You might not think your blog post
will be worth anything to anyone by then, but otoh, we're absolutely terrible
at predicting what'll be valuable even 5 years down the line.

------
Terr_
Aaaand that's why I always have JS disabled by default.

Hardly foolproof, but 95% of the time it truly doesn't improve my web
experience.

~~~
bmmayer1
> 95% of the time it truly doesn't improve my web experience

Really? I find that hard to believe. Do most sites that use extensive JS
(Facebook, Mint, etc) have non-JS supported versions?

~~~
bshimmin
No. Facebook is only vaguely usable without JavaScript (and actually has a
banner telling you to turn JS on or use their mobile site), but most sites are
not. For one of my projects we use Invision, Slack, and Trello for
collaboration, and none of them work at all without JavaScript (though the
latter two do at least prompt you to enable it). Google, in its primary
function at least, _does_ work perfectly without JS.

Periodically on here, and elsewhere, you hear people banging the "I browse the
web with JS disabled and it's fine" drum, but I can only imagine that their
use of the web is limited to a certain set of fairly static sites. RMS gets by
just fine with web pages being emailed to him, but, you know, RMS isn't like
most people.

~~~
deciplex
I use NoScript which can whitelist domains where JS is allowed. Often, sites
will degrade without JS but if you're only reading something or whatever, it
doesn't really matter. And if it's totally broken, you can temporarily allow
JS.

Mainly, it's that I don't want my PC executing code that I don't know about,
if I can help it. If I notice a site is e.g. requesting to run JS from twenty
or thirty different domains I can be more cautious.

Overall, turning Flash off by default (but still having it installed), using
NoScript, Ghostery, and AdBlock, have really improved the web for me.

------
georgemcbay
Nice spoof, hadn't seen this before. It would have gone really well with the
RTL address bar spoof (CVE-2014-1723) I reported in Chrome back in February
(since fixed in Chrome 34), it would have made the tab very close to
indistinguishable from the real thing.

~~~
expose
Do you have a screenshot of this exploit in action before it was patched?

~~~
georgemcbay
Looks like the issue is marked public now in the chromium bug tracker and it
has been fixed for a while now in release, so I assume it is ok to link that.
The ruse is not perfect due to bolding and coloring, but good enough to fool
most people not expecting it, I think, if you look at the bottom part of the
second attached screenshot it gives you a good idea of what it looked like:

[https://code.google.com/p/chromium/issues/detail?id=337746](https://code.google.com/p/chromium/issues/detail?id=337746)

------
fragsworth
For a really sophisticated attacker, even 2-factor authentication isn't secure
from this.

They can ask you for the 2-factor authentication code the same way Google
does. You would type it into the phishing site.

~~~
hughw
Oooh.

------
hayksaakian
The favicon and title change work on mobile, but the URL is clearly wrong.

[http://www.imgur.com/qn3pUIL.png](http://www.imgur.com/qn3pUIL.png)

I suppose this is another use for typo domains.

~~~
phpnode
You can combine this with a redirect to something like
[http://mail.googlemaillogin.com/](http://mail.googlemaillogin.com/) which
will fool a lot of people

------
jonathonf
It appears to be entirely foiled by NoScript (i.e. Javascript whitelisting).

~~~
blauwbilgorgel
The proof of concept is foiled. But how about something similar like:

      <noscript>
        <meta http-equiv="refresh" content="600; url=phish.php">
      </noscript>

~~~
githulhu
I believe NoScript will pop up a message asking if you want to take the
redirect, in that case.

~~~
blauwbilgorgel
I think you are right:

 _"Forbid META redirections inside <noscript> elements"_

but then I immediately wondered, what about META redirections outside
<noscript> elements? I tested this with a fresh install of Firefox and latest
NoScript, and those still work. Also: To forbid meta redirections inside
noscript elements you have to toggle an option, it's not standard for non-
trusted sites.

~~~
wtallis
Did you test the META redirection with a background tab? I'm pretty sure
NoScript added an unconditional block of background redirects within a week or
so of this attack being publicized.

------
eadler
When this came out I posted about a no-Javascript version of this:
[http://blog.eitanadler.com/2010/05/tabnabbing-without-javasc...](http://blog.eitanadler.com/2010/05/tabnabbing-without-javascript.html)

------
Navarr
An impressive sort of attack, I would never have thought twice about it.

------
u124556
Is there any valid use case for the onblur event on the window object?

~~~
munificent
Stopping animation or other CPU-costly visual processing that won't be seen?
Stopping sound playing? Pausing a game?

------
eyeareque
Still works in Chrome 37. Not sure how you could fix this though..

------
cousin_it
Browsers or browser add-ons can mitigate this attack by blocking the use of
the same password on two different sites. That might also be helpful for other
reasons.

------
amolgupta
Tried opening the video. It didn't play. Tried full screen mode... still no
luck. But when I returned to the page, it turned out this page implements
Tabnabbing!

------
teekert
This would certainly fool me. Another reason for 2 step authentication...
which could also be cheated from you with this trick by the way.

------
npsimons
1) It didn't work for me; probably because I'm using NoScript.

2) Also, I don't use GMail; say what you will, it's another defense against
this.

3) Never, ever enter important credentials to a site you didn't open from a
bookmark.

EDIT: Downvotes for effective strategies against this attack? Stay classy, HN.
Stay classy.

~~~
jarrettch
_2) Also, I don't use GMail; say what you will, it's another defense against
this._

As the article states, you can use this to replicate any website. It's not
just isolated to GMail.

~~~
npsimons
Part of my comment on GMail was an implicit jab at the monoculture it
engenders. It was crystal clear to me that this attack isn't limited to GMail.
I would like others to consider what other service could be spoofed like this
with anywhere near as good return on investment, precisely because other
services aren't as widely used.

