
A new type of phishing attack. Works on savvy users. - aikoto
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/#
======
noelchurchill
Today I googled _integrate "open graph" in-house analytics_ and the first
result is actually a phishing site (still is as of this writing).

I just didn't expect the first result in google would be a phishing website
and I actually tried logging in to facebook through the site. The phishing
site actually took my info and logged me in to facebook, but facebook
immediately warned me that I had logged in from a domain that wasn't facebook
and that I needed to change my password.

~~~
there
given the hostname (iproxy) it would look to be an automatic cache, not a
malicious phishing site.

<http://iproxy.saverpigeeks.com/>

~~~
Jim_Neath
Is it just me that read that as Saver Pig Geeks?

~~~
noelchurchill
Or _Saver Pig Eeks_

I read it the same way too.

------
philfreo
This shows another benefit of always logging in using a password manager like
1Password. Even if I were fooled and tried to login on this phishing form by
pressing Cmd+|, 1Password wouldn't fill my password because the URL doesn't
match... which would lead me to think something is definitely wrong.

Also another win for Single-Site Browsers like Fluid and Prism. I wouldn't
expect to see Gmail in my main browser window.

~~~
snprbob86
I would have totally fallen for this attack. My mind is blown. My father has
been raving about 1Password forever, but I use a unique password "algorithm"
in my head which has served me well so far. Now I'm actually considering
1Password. Anyone else what to share their experience with it? Good idea? Bad
idea?

And for those, like me, who had not heard of Single-Site Browsers, here are
some links:

<http://fluidapp.com/> <http://prism.mozillalabs.com/>

~~~
Timothee
I use 1Password for pretty much everything and I love it. I have its database
on Dropbox, so it's synced and can be used from different computers. I also
have the iPhone app, so I can get my passwords anywhere if the need arises out
and about.

However, I'm at a point where I need to figure out a recovery plan, because,
you see, my Dropbox password is in 1Password as well, and my email password
too. So, I could imagine a scenario where something gets compromised and I
have a hard time getting it back…

~~~
altano
Why not use LastPass which has the syncing across devices built-in? I have
been using LastPass for the past 6 months or so and I LOVE it.

~~~
vdm
1Password being Mac only and no cloud sync doesn't work for me.

I've been using LastPass for the last week. It has Chrome extensions which on
my personal Macs and work Windows machines. The Chrome extension UX is a bit
too rough for me to recommend it to non-techies but I think the idea and
execution is sound.

Recommended. I don't use it for Gmail or banking passwords of course.

------
gvb
It _didn't work!_ Score another point for NoScript. :-)

I tried Chrome and still use it for certain things, but I refuse to use it as
my primary browser until it has NoScript or equivalent.

~~~
spokey
Also didn't work for me (Firefox on Linux. I am not using NoScript).

Clever idea. Has the demo worked for anyone? (Edit: I see below that posters
report that this worked for at least some versions of Chrome on Windows)

~~~
azim
Works for me in Firefox 3.59 on OpenSuse 11.2. OpenSuse for some reason also
seems to have more compatibility with my workplace's web-based internal tools
than other coworkers running Ubuntu or Fedora.

------
jheriko
Now I guess phishing attacks need to move to simulated password managers. :)

It's a never-ending problem owing to the nature of computers being easily
programmed... it's lucky phishers are so extremely bad at what they do - it's
certainly within reason to abuse existing websites far beyond what we see
regularly - if you can find and use the right type of exploit then you can
actually just use google or whatever to provide the exact login page, with
correct URL etc, then just steal the input. Although saying that... it can be
done so well that I wouldn't actually know if it ever happened... maybe there
are some smart ones out there and the swarms of poor attempts are just a
distraction from a much more serious potential problem?

~~~
there
_it can be done so well that I wouldn't actually know if it ever happened_

yes, i think you're just seeing what the bad ones do and the good ones never
enter your consciousness. good bank robbers and jewel thieves have never been
caught, and i'm sure good virus writers and phishers have probably never even
been detected. think of a gmail login phishing attack that, after capturing
your information, re-posted it to google's servers so it actually logged you
in. by the time you stopped to think about what just happened, your browser is
already at mail.google.com with a green everything's-ok address bar.

~~~
jheriko
i was thinking much cleverer than that... imagine mail.google.com /the real
deal/ but there are hooks in the API to catch what you put in the login boxes
- the only giveaway is a minuscule extra bit of local processing - no
traceable network usage required. one attack could collect usernames/passwords
from a user for every big site they use.

the phishing site that plants the stuff could even get away with being
massively obvious - so long as people look at it they could be infected.

of course finding such exploits is non-trivial... but people are doing it with
some regularity.

(EDIT: incidentally the only way I log in to Google Mail or anything I log
into is by typing in the URL specifically, e.g. "mail.google.com", so this is
pretty much the only way to hit me up with this sort of attack - if I get
"magically" logged out then I might get stung, but it seems doubtful... it's
just too suspicious)

~~~
dandelany
Hooks in _what_ API?

~~~
jheriko
windows would be the best target probably, and hooks might not be the best
idea, but you can capture all kinds of input with the apis documented on msdn.

<http://msdn.microsoft.com/en-us/library/ms997537.aspx>
<http://msdn.microsoft.com/en-us/library/ms646293%28VS.85%29.aspx>

for example. although i'm not sure how good they are these days... i honestly
can't remember exactly which technique i used but i managed to make a
keylogger with excel/vba once with apis i randomly looked up on msdn - it was
just to prove a point though, i haven't really done anything more elaborate
than that.

the difficult bit is really getting code to run. that i have no idea about,
but i've heard about exploits from time to time, usually when they are fixed
:)

------
ableal
The 'personal seal', which some sites put on pages requesting login, would
help fight this 'tabnabbing' attack.

I think Yahoo does that, and so does my bank. Of course, one has to bother
creating the seal, but it's an easy one-time step.

~~~
nailer
Kudos to your bank. It's such a simple system for users and so easy for devs
to allow a quick image upload I'm surprised it's this uncommon.

~~~
ableal
I must confess I 'cheated' - I picked this bank because their web site seemed
well done (worked in Firefox with no Flash, etc). Also not too intent on
nickel-and-diming users.

Actually, besides uploading a pic, they also allow text or a doodle. In case
anyone is curious, it's here, in Portuguese:
<http://www.banif.pt/xsite/Particulares/Banifast/ServicoBanifast.jsp?CH=4670&PCH=4022&>

Their 'password' security is pretty good, too. They have two levels of 8-digit
PINs (one to 'read' the account, then another to 'write', i.e. move money
out). They only ask for input of 4 out of those 8 digits (randomly, e.g. 3rd,
5th, 6th, 8th), using an on-screen pad (defeats key-logging).

~~~
sbierwagen
Well, it'll defeat a conventional keylogger, but not one that logs mouse
events with accompanying screenshots; or a keylogger that runs a MITM attack.

------
s3graham
Related to this, I recently was wishing I could separate some|all of my Google
services with extra or different passwords.

I'm not exactly sure what I want as far as design vs. usability but it feels
bad right now to have one password for the amount of data that it's
protecting, especially when I have to enter it occasionally for more "fluffy"
services.

~~~
lionhearted
Even worse, if you've got multiple Google accounts, you can't use them at the
same time. So if you've got a separate junk email throwaway account, you can't
be logged into there and Adwords or Docs at the same time. You can skirt this
a little bit with Google Apps and have an email + other Google services open,
but kind of a pain in the neck, especially if you manage a couple different
businesses/projects/whatever that should have their own email addresses.

~~~
vdm
+1. Google should assume that any Apps user also has a personal Google account
and design accordingly.

------
indrax
Hmm, I think I've already developed habits that offer me SOME immunity to
this. I keep my main gmail in the leftmost tab, Almost always logged in. When
I have tabs for gmail or Google docs that show me being logged-out, I hit
reload. Rarely would I log in a second time if I know I'm logged in.

Other google services like adsense require password confirmation even when
logged into gmail, but I'd be less apt to 'forget I was trying' to log in to
that, and it would be less likely that random people would be users, so it
would attract more suspicion.

Still, This is something I'll watch out for.

~~~
Wilduck
However, the article also mentioned that this could be used to imitate
services other than gmail. I still buy the idea that people don't always look
at the url when they switch back to a tab.

Do you have the same practices with facebook and your bank account as you do
with gmail?

~~~
nhebb
I go one beyond with banking, PayPal, and other financial sites. I login with
a single tab open. I log out when I'm done, and then I close the browser.

Still, it's a pretty clever phishing attack, and I bet it would fool a lot of
people. What I didn't get from the article was whether this was something Aza
Raskin has seen, or is it something that he thought up. If the latter, then
I'm not too sure about the scruples of publishing this trick while promoting
the password manager in FF.

------
terrellm
Another reason to use randomly generated passwords and a password manager like
1Password. I don't know 99.9% of my passwords and instead rely on 1Password to
fill them in.

The nice thing about a password manager with form fill is that it would
prevent this "attack" because the domain name does not match the spoofed site.
I wouldn't even have the ability to have it fill my Gmail password in for me.

------
jacquesm
My thunderbird session to my own mailserver was not affected in any way.

Phishing is so ridiculously easy that I doubt the phishers will need to
display any technical sophistication at this level for a long time to come.

As long as users will happily click on whatever lands in their inbox this is
total overkill.

~~~
thorax
but this is such a good attack, who knows how many times I've already done it?

------
jsz0
I feel totally vindicated for my tab-closing OCD now. I'd like to think the
lack of auto-filled username/password forms would have tipped me off but in a
hurry I'm not totally confident of that. It would be even more effective for
sites you expect to be logged out of after a period of inactivity.

~~~
redcap
I guess I'm OCD in the fact that my Gmail tab is always my far-left tab - I
know exactly where it is. It's the only Google feature that I really use
(apart from Reader on my phone), and I'm pretty fussy about where I type
passwords in.

------
truebosko
Nice. With a phishing site that gets a URL close to Gmail's, or just makes one
of those ridiculously long subdomains to make it look like you're at
gmail.com and you've got a solid attack.

Is there any password manager for Chrome like the proposed one coming out for
Firefox?

~~~
RJF
I don't know what the future Firefox one is like, but LastPass for Chrome works
like a charm.

------
BoppreH
When I click on a tab my eye is on that spot of the screen. Just above the
URL.

You'll have to get a very similar address to fool me, and good luck making the
page look _exactly_ the same as the original. The rounded buttons and
differently aliased text on the attack page were enough for my red flags to be
raised.

~~~
jwegan
It is not that hard to make it look exactly the same. Just doing a "save page
as" in most browsers will automatically store all the html, css, and images
needed to render a page to your hard drive.

The only reason you noticed the different buttons and different text is because
the author decided to save himself some time and just replaced the page with a
screenshot of how gmail is rendered on their computer.

~~~
zavulon
And if it looks _exactly_ the same, I think the possibility of noticing the
incorrect URL is lower ..

------
metamemetics
Unlikely to fool anyone using Opera, the favicon doesn't change and the
password button doesn't light up.

~~~
dandelany
I'm not sure phishers are targeting the Opera demographic.

~~~
metamemetics
the benefits of low market share, god forbid it becomes popular

------
shalmanese
It works as advertised but I've yet to be convinced that the limiting factor
in phishing attacks is insufficient cleverness in fooling people.

------
kwamenum86
That is a really effective phishing attack that I have not seen yet...at least
I don't think...and if I see it again I am pretty sure I would not notice.
Kind of scary that this information is now in the hands of countless phishers.

------
srparish
One would hope this will cause banks and the like to rethink disabling having
the browser's password manager enter your password. On sites where the browser
normally automatically fills in my password i'd immediately be suspicious if i
got a screen without my credentials already filled in. My banks, however,
always require me to fill in the fields so i wouldn't be any the wiser.

My bet though is they won't become so wise and will instead just rely on
displaying my private image and phrase on the login screen.

~~~
riobard
I really hate the stupid banks' decision to disable saving password. Luckily
there is a Chrome plugin to force autofill:

<https://chrome.google.com/extensions/detail/ecpgkdflcnofdbbkiggklcfmgbnbabhh>

------
X-Istence
I don't see how I would fall for this. My credentials are automatically filled
in by Safari on gmail, so that would be my first clue something was up, and
the URL hasn't changed and I ALWAYS double check that before entering
credentials anywhere.

However it is an extremely clever new attack vector, and I don't know how
browser manufacturers can stop this attack.

------
younata
Interesting. Doesn't work for me, because I tend to associate tab content with
where the tab is relative to other tabs.

For example, I don't normally have gmail open in a tab (I prefer to use mutt
as my email client), so, to see "Gmail: Email fro..." - as I currently see in
the tab directly left of this one - is disorienting for me. I expected the
article on phishing.

However, even without it, this attack isn't exactly mature. Different browsers
will render the javascript differently. My browser tried to execute the page-
changing javascript as it was loading the page, and I was viewing the page.
Obviously, in a few months or so, this will change, but for the first reason,
I remain firm in my stand that this attack doesn't really mean much.

~~~
pavel_lishin
It wouldn't work for me for several reasons; one, I always keep g-mail in the
left-most tab, two, I use 1Password to fill in all my passwords, which
obviously wouldn't work with the wrong URL.

But the 1Password thing is a recent thing; I could easily have fallen for one
of the bank attempts, since I usually leave them open in another tab while
it's loading, or if I get bored, so it's not unusual for me to tab over and be
surprised by a "you've been logged out!" screen.

------
daakus
I open tabs in the background all the time -- this doesn't seem any different
than one of those being a phishing site. It's pretty simple imho, don't type
in a password unless you also typed in the url or used a bookmark. That's the
advice I usually give family/friends.

------
mattmaroon
Humorously I loaded that into a tab and didn't go to it for awhile. I got
there and thought "I don't use Gmail, why the hell would I open that?"

If it weren't for Roboform this might work if it were some service I actually
used.

------
coderdude
Well thank God he provided a drag-and-drop solution to implementing this
attack.

------
dmn001
It wouldn't fool me, especially as it doesn't even load properly lol.

------
lurkinggrue
The icon didn't update on opera and looked a bit funny.

------
mkramlich
just tried it. wow. best phishing attack ever. that really does almost
hypnotize you into filling in the Gmail login form quickly and submitting,
without even thinking. Luckily I'm also one of those guys who always has my
Gmail tab in the same position. For folks that don't do that, and don't use
SSB's, etc. this could be very dangerous.

------
aitoehigie
It worked!!! Now this ain't cool.

------
whakojacko
Pardon my ignorance, but what am I missing? I see a 404 on a site which is
pretending to be PCWorld, but is probably not PCWorld.

------
cianestro
I wonder if there's a safe way to bookmark this...

------
Raphael
The scariest thing here is the included video pictures the very post it
appears in!

------
pkulak
I know I'm being a grammar Nazi, but "normally looking website". Really? A
website with eyes!

It's so interesting how not using an adverb was a mark of bad grammar, so now
people overuse them, which is way worse to me for some reason.

------
miles
The original title of the article is "A New Type of Phishing Attack". There's
nothing about "savvy users", since a savvy user would note that the URL is
_completely wrong_. Savvy users are also likely to be running NoScript, using
form-filling password managers, etc.

~~~
thorax
I'd consider myself a savvy user. I don't run NoScript, nor do I always notice
when the auto-password feature doesn't work because I use multiple browsers
and they don't all have the same credentials. Nor do I (think I) always scan
the URL when I switch tabs -- though surely I'll do more of that now.

This won't work against most savvy users on their best days. It will probably
work against most savvy users on any given bad day.

What's interesting to me is that it'd be pretty easy for a site owner to
target very specific users who visit their site. I could easily see this being
used by a rogue employee at a web company to gather credentials/info on a
specific target VIP and then covering their tracks later.

