Tuesday, May 25, 2010

Tabnabbing: New Tabbed Browsing Phishing Attack Exploits User Trust

Aza Raskin, Creative Lead for Firefox @ Mozilla, has outlined a new type of phishing attack that takes advantage of the way browsers handle tabbed browsing: a script running in a tab changes the content of that same tab after a period of inactivity. This "behind your back" switch could trick a user into giving up important information to a malicious site.

Some media outlets have reported this as a "cross-tab manipulation type attack", but in reality the "malicious" tab only changes itself after a period of inactivity. It *is not* changing a completely different tab. This is a very important distinction.

Users who commonly open a large number of tabs could easily lose track of where that "Gmail" tab was, and thus fall victim to this type of attack.

Moral of the Story: Watch your tabs and always check URLs
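
The "watch your tabs" advice can be partly automated. The JavaScript below is an added example, not code from Raskin's post or from this blog: it records what a tab looked like when it was hidden and reports what changed by the time the user returns. The function names, the compared fields (title, favicon, origin, password field) and the sample snapshots are assumptions made for illustration.

```javascript
// Added example: function and field names are hypothetical.
// Record what a tab looked like when it was hidden, compare on return.
function snapshot(page) {
  return {
    title: page.title,
    favicon: page.favicon,
    origin: page.origin,
    hasPasswordField: Boolean(page.hasPasswordField),
  };
}

function diffWhileHidden(before, after) {
  const changed = ['title', 'favicon', 'origin', 'hasPasswordField']
    .filter((key) => before[key] !== after[key]);
  const lookChanged = changed.includes('title') || changed.includes('favicon');
  const loginAppeared = !before.hasPasswordField && after.hasPasswordField;
  let verdict = changed.length > 0 ? 'changed' : 'unchanged';
  // A new look plus a newly appeared password prompt is the pattern to flag;
  // a title change alone (e.g. an unread counter) is normal.
  if (lookChanged && loginAppeared) verdict = 'suspicious';
  return { changed, verdict };
}

// Constructed sample snapshots (not captured from a real page).
const SAMPLE_HIDDEN = snapshot({ title: 'Cooking tips', favicon: '/favicon.ico',
  origin: 'https://blog.example', hasPasswordField: false });
const SAMPLE_COUNTER = snapshot({ title: '(1) Cooking tips', favicon: '/favicon.ico',
  origin: 'https://blog.example', hasPasswordField: false });
const SAMPLE_SWAPPED = snapshot({ title: 'Gmail', favicon: '/mail.ico',
  origin: 'https://blog.example', hasPasswordField: true });

// Browser wiring (skipped under Node): snapshot on hide, compare on show.
if (typeof document !== 'undefined') {
  const read = () => snapshot({
    title: document.title,
    favicon: (document.querySelector('link[rel~="icon"]') || {}).href || '',
    origin: location.origin,
    hasPasswordField: document.querySelector('input[type="password"]') !== null,
  });
  let before = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { before = read(); return; }
    const result = before ? diffWhileHidden(before, read()) : null;
    if (result && result.verdict !== 'unchanged') console.warn('tab changed while hidden', result);
  });
}
```

Note that the origin is unchanged in the swapped sample: the tab rewrites itself in place, which is why the address bar still shows the original site and checking the URL exposes the switch.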

Hat-tip to Threatpost.com

----------------------------------------------

Original Researcher's Blog
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

Video Demo of the Attack
http://threatpost.com/en_us/blogs/new-phishing-attack-exploits-tabbed-browsing-052510
