Tuesday, June 22, 2010

Tabnapping

Aza Raskin, a leading developer of Firefox, has warned of a potential new form of phishing attack he calls "tabnapping", a portmanteau of tab and kidnapping.



How tabnapping attack works
JavaScript running in a page replaces the contents and label of its tab while the user has switched away to check another tab. A fake Gmail page, for example, may be displayed asking the user to "log in" with a username and password, which lets the tabnappers steal the user's login credentials. See the video below for more information on tabgrabbing:






Tabs and Browser attacks

Tabnapping browser attacks are believed to work best against Firefox. Other browsers, including Chrome, Safari and Internet Explorer, may be vulnerable as well.

Tabnapping Fix and Account Manager Firefox
As of May 2009, the NoScript add-on for Firefox has an update that can block tabnabbing attacks. However, this is not a foolproof protection against tabnapping, since the "tabnappers" may improve the efficacy of their attacks. Firefox is also working on the Account Manager add-on to keep its users safe against identity theft perpetrated via Firefox browser attacks.
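The attack depends on a page changing its label and content while its tab is hidden, and that change can be observed from the defender's side. The sketch below is an added example, not code from the original post and not how NoScript or Account Manager work: it records the tab's title, favicon and login-form state when the tab is hidden and compares them when the user returns. The function names and the flagging rule are assumptions made for illustration.

```javascript
// Added example: defender-side heuristic. Names and threshold are hypothetical.

// Read the parts of a page that the attack described above rewrites.
function readState(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the state saved when the tab was hidden with the state on return.
function assess(before, after) {
  const findings = [];
  if (before.title !== after.title) findings.push('title');
  if (before.favicon !== after.favicon) findings.push('favicon');
  if (!before.hasPasswordField && after.hasPasswordField) {
    findings.push('new-password-field');
  }
  // Assumption: a label change alone is normal (unread counters in mail or
  // chat tabs), so only a relabel combined with a new login form is flagged.
  const relabelled = findings.includes('title') || findings.includes('favicon');
  return {
    suspicious: relabelled && findings.includes('new-password-field'),
    findings,
  };
}

// Snapshot on hide, compare on show, report through the callback.
function watch(doc, onSuspicious) {
  let before = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) {
      before = readState(doc);
      return;
    }
    if (before === null) return;
    const result = assess(before, readState(doc));
    before = null;
    if (result.suspicious) onSuspicious(result);
  });
}

// In a browser (content script or page script) this starts the check.
if (typeof document !== 'undefined') {
  watch(document, (r) => console.warn('Tab changed while hidden:', r.findings));
}
```

A script inside the page itself can tamper with an in-page check, so this logic belongs in an extension content script or similar privileged context.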

sources: http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
