From: ~BD~ on 1 Jul 2010 19:00

"The Real Truth MVP" <trt(a)void.com> wrote in message
news:i0j55q$tm8$1(a)leythos.motzarella.org...
>A Firefox developer is warning of a new kind of phishing attack that
>preys on users' inattention to which tabs they have open in their
>browsers. The attack is perpetrated by JavaScript code in a
>specially-crafted page. When users have several tabs open and are not
>viewing the site with the malicious code, the code surreptitiously
>changes the destination page after several minutes of inactivity; the
>favicon and title of the page are changed as well. The attack can be
>made more personal by perusing users' browsing histories and making the
>page appear to be one that the user frequents, such as Facebook or a
>banking login page. When the user goes back to the tab, there is a
>sign-on screen asking for login credentials. The vulnerability affects
>all major browsers that run on Mac OS X and Windows.
>
> How the Attack Works
>
> 1. A user navigates to your normal looking site.
>
> 2. You detect when the page has lost its focus and hasn't been
> interacted with for a while.
>
> 3. Replace the favicon with the Gmail favicon, the title with "Gmail:
> Email from Google", and the page with a Gmail login look-a-like. This
> can all be done with just a little bit of Javascript that takes place
> instantly.
>
> 4. As the user scans their many open tabs, the favicon and title act as
> a strong visual cue-memory is malleable and moldable and the user will
> most likely simply think they left a Gmail tab open. When they click
> back to the fake Gmail tab, they'll see the standard Gmail login page,
> assume they've been logged out, and provide their credentials to log
> in. The attack preys on the perceived immutability of tabs.
>
> 5. After the user has entered their login information and you've sent
> it back to your server, you redirect them to Gmail. Because they were
> never logged out in the first place, it will appear as if the login
> was successful.
>
> The referenced article below gives more details and methods of
> avoiding being tabnabbed. Primarily, if an open tab requests a login
> when you return to it close the tab and go directly to the site.
>
> http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_?taxonomyId=85
>

Thank you for advising of same TRT

If you have time, would you please post to my pals in alt.politics.scorched-earth?

Cheers

Dave
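
The avoidance advice in the quoted post (distrust a tab that asks for a login when you return to it) can be expressed as a detection rule. The following is an added example, not part of the thread: it flags a tab whose title or favicon changed while it was hidden, and rates it higher when a password field also appeared. The event shape, field names and sample values are assumptions constructed for illustration.

```javascript
// Constructed sample: per-tab events a monitoring extension could record.
// The event shape and field names are assumptions made for this example.
const SAMPLE_EVENTS = [
  { type: "load", origin: "https://blog.example", title: "Travel Blog",
    favicon: "https://blog.example/favicon.ico", hasPasswordField: false },
  { type: "visibility", state: "hidden" },
  { type: "update", title: "Gmail: Email from Google" },
  { type: "update", favicon: "https://blog.example/img/mail.ico" },
  { type: "update", hasPasswordField: true },
  { type: "visibility", state: "visible" },
];

// The cues the post says users rely on when scanning their open tabs.
const IDENTITY_FIELDS = ["title", "favicon"];

// Returns one finding per hidden -> visible transition in which the tab's
// visible identity changed while the user was not looking at it.
function detectTabnabbing(events) {
  const current = { origin: null, title: null, favicon: null, hasPasswordField: false };
  let snapshot = null; // tab state captured at the moment it was hidden
  const findings = [];
  for (const ev of events) {
    if (ev.type === "load" || ev.type === "update") {
      for (const key of Object.keys(current)) {
        if (key in ev) current[key] = ev[key];
      }
    } else if (ev.type === "visibility" && ev.state === "hidden") {
      snapshot = { ...current };
    } else if (ev.type === "visibility" && ev.state === "visible" && snapshot) {
      const changed = IDENTITY_FIELDS.filter((f) => current[f] !== snapshot[f]);
      const newLogin = current.hasPasswordField && !snapshot.hasPasswordField;
      if (changed.length > 0) {
        findings.push({
          origin: current.origin, // the site actually serving the page
          changed,
          newLogin,
          // A title-only change is common (unread counters); a login form
          // appearing alongside an identity change is the tabnabbing pattern.
          severity: newLogin ? "high" : "low",
        });
      }
      snapshot = null;
    }
  }
  return findings;
}

console.log(detectTabnabbing(SAMPLE_EVENTS));
```

The `origin` in each finding is the value to show the user, since the title and favicon are exactly what the page can rewrite.
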
From: Peter Foldes on 2 Jul 2010 00:26

BD

You stupid stupid little man. You now proved for the umpteenth time that you have no brains or a backbone. You friggin 2 faced thief, liar and Troll

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
http://www.microsoft.com/protect

"~BD~" <Boater_Dave(a)hotmail.co.uk> wrote in message
news:i0j6n5$cfc$1(a)news.eternal-september.org...
>
> "The Real Truth MVP" <trt(a)void.com> wrote in message
> news:i0j55q$tm8$1(a)leythos.motzarella.org...
>>A Firefox developer is warning of a new kind of phishing attack that preys on
>>users' inattention to which tabs they have open in their browsers. The attack is
>>perpetrated by JavaScript code in a specially-crafted page. When users have
>>several tabs open and are not viewing the site with the malicious code, the code
>>surreptitiously changes the destination page after several minutes of inactivity;
>>the favicon and title of the page are changed as well. The attack can be made more
>>personal by perusing users' browsing histories and making the page appear to be
>>one that the user frequents, such as Facebook or a banking login page. When the
>>user goes back to the tab, there is a sign-on screen asking for login credentials.
>>The vulnerability affects all major browsers that run on Mac OS X and Windows.
>>
>> How the Attack Works
>>
>> 1. A user navigates to your normal looking site.
>>
>> 2. You detect when the page has lost its focus and hasn't been interacted with for
>> a while.
>>
>> 3. Replace the favicon with the Gmail favicon, the title with "Gmail: Email from
>> Google", and the page with a Gmail login look-a-like. This can all be done with
>> just a little bit of Javascript that takes place instantly.
>>
>> 4. As the user scans their many open tabs, the favicon and title act as a strong
>> visual cue-memory is malleable and moldable and the user will most likely simply
>> think they left a Gmail tab open. When they click back to the fake Gmail tab,
>> they'll see the standard Gmail login page, assume they've been logged out, and
>> provide their credentials to log in. The attack preys on the perceived
>> immutability of tabs.
>>
>> 5. After the user has entered their login information and you've sent it back to
>> your server, you redirect them to Gmail. Because they were never logged out in
>> the first place, it will appear as if the login was successful.
>>
>> The referenced article below gives more details and methods of avoiding being
>> tabnabbed. Primarily, if an open tab requests a login when you return to it close
>> the tab and go directly to the site.
>>
>> http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_?taxonomyId=85
>>
>
> Thank you for advising of same TRT
>
> If you have time, would you please post to my pals in alt.politics.scorched-earth?
>
> Cheers
>
> Dave