Tabnapping attack baits phishing trawl <--- stay vigilant ;)

D69

A leading developer of Firefox has warned of a sneaky potential new form of phishing attack.

Aza Raskin, the creative lead for Firefox, explains that the approach exploits the fact that most surfers keep many tabs open during a browsing session, without really keeping track of what sites they have visited.

The so-called tabnapping attack works by using JavaScript to switch the destination page in a tab after a few seconds of inactivity. This might be done using attack script planted in an otherwise legitimate website, for example.

If a surfer has only one tab open he is likely to get suspicious if a browser seems to be pointing at Gmail or other potential target rather than a news site, for example, and double check. But this is far less likely to happen if a user has multiple tabs open and where he might easily be induced to log in again, handing over login credentials to an attacker in the process.

The potential attack might be customised using a surfer's browser history file, Raskin warns. "Using my CSS history miner you can detect which site a visitor uses and then attack that. For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc, and then switch the page to the appropriate login screen and favicon on demand," he explains.

Raskin has posted an explanation of the attack in a blog post here (watch what happens after you leave the page for a few seconds) and in a video explanation uploaded to Vimeo (below).

He suggests that improving browser technology that remembers login credentials for websites is one approach to help combat the problem. At best this is a partial solution, though, since many users avoid using password management in general; and saving passwords is an extremely bad idea when using computers in libraries or even at work that are shared by multiple users. ®

src:__http://www.theregister.co.uk/2010/05/25/tabnapping_phishing_attack/
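A defender-side check for the behaviour the article describes, as an added example that is not part of the original post or of Raskin's code: compare what a tab looked like when it lost focus with what it looks like when it regains focus, and flag a login form and a new favicon that appeared in between. The snapshot fields, verdict names and sample values are assumptions constructed for illustration, and the check is a heuristic, not a complete detector.

```javascript
// Snapshot fields (assumed names) a browser extension or test harness could
// record on blur and again on focus: document.title, the favicon href,
// location.origin and the number of <input type="password"> elements.
function diffSnapshots(before, after) {
  const changes = [];
  if (before.title !== after.title) changes.push("title");
  if (before.favicon !== after.favicon) changes.push("favicon");
  if (before.origin !== after.origin) changes.push("origin");
  if (before.passwordFields === 0 && after.passwordFields > 0) {
    changes.push("login-form-appeared");
  }
  return changes;
}

// Heuristic verdict: a login form that appears together with a new favicon
// while the tab was in the background matches the disguise described above.
// A login form alone (for example a session timeout) only merits a closer look.
function assess(before, after) {
  const changes = diffSnapshots(before, after);
  const loginAppeared = changes.includes("login-form-appeared");
  let verdict = "ok";
  if (loginAppeared && changes.includes("favicon")) verdict = "suspicious";
  else if (loginAppeared || changes.includes("origin")) verdict = "review";
  return { verdict, changes };
}

// Constructed sample snapshots (not captured from any real site).
const SAMPLES = {
  disguised: [
    { title: "Example News", favicon: "https://news.example/favicon.ico",
      origin: "https://news.example", passwordFields: 0 },
    { title: "Mail - Sign in", favicon: "https://news.example/img/m.ico",
      origin: "https://news.example", passwordFields: 1 },
  ],
  unreadCounter: [
    { title: "Inbox", favicon: "https://mail.example/favicon.ico",
      origin: "https://mail.example", passwordFields: 0 },
    { title: "(1) Inbox", favicon: "https://mail.example/favicon.ico",
      origin: "https://mail.example", passwordFields: 0 },
  ],
  sessionTimeout: [
    { title: "Dashboard", favicon: "https://app.example/favicon.ico",
      origin: "https://app.example", passwordFields: 0 },
    { title: "Sign in", favicon: "https://app.example/favicon.ico",
      origin: "https://app.example", passwordFields: 1 },
  ],
};

for (const [name, [before, after]] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(assess(before, after)));
}
```

In the disguised case the origin is unchanged, so the address bar still shows the original site even though the title, favicon and form suggest another one.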
 
Good to know! I am guilty of having multiple tabs open though I usually stick with reliable sites.
 
Shame we can't just switch off Javascript along with Java and Flash by using the NoScript plugin for Firefox. But then wouldn't most websites not load properly without javascript enabled?
 
But then wouldn't most websites not load properly without javascript enabled?

They would, that's the main problem. So NoScript is kinda useless since the majority of people will hit the "Allow" button anyway.
One lil bit obscure solution to filter out targeted attacks is using less popular browsers, like Opera for example, but still it'll just filter out attacks against IE or FF. There is also another solution: installing a dirty virtual machine. Personally I use VirtualBox by Sun. You can install almost any popular operating system inside this virtual machine, create a snapshot of it, then browse anything you want from that box, and when you finish just delete the whole system and bring back a fresh copy from a snapshot, which takes only a second. Doing it that way, you keep all your critical data away from malicious software put on websites.
REMEMBER! STILL, this is not 100% secure - there will always be an uber-hacking-ninja who will get around all obstacles and get to your stuff anyway.
 
You just reminded me of a browser Xerobank have been developing that is essentially a virtual machine itself.

I dug up some info from their forum:

Yes, it should be able to operate as a Tor node. We are working on designing this software under the GPL license, and have tentatively planned to work with the Tor Project so that they can implement this solution as well.

Firefox 3 is insecure. A new container is being designed for it.

True virtualization using real virtualization software (QEMU), not "virtualization".

It will be the most secure browser on the planet, operating as a full instant-on virtual machine, that operates fully contained in the VM, but has the visual output to the desktop like a normal application. Running it you wouldn't know the difference between it and firefox. It is a revolutionary way to run the system. It is currently being designed by Kyle Williams (xerobank) and Martin Peck, both of the original designers of the JanusVM and TorVM.

My understanding is that this browser only runs on the paid-for XB network and the free Tor network; both of which are for anonymity. Perhaps there is a way to use it without anonymity if one simply desired protection from scripts and whatnot.

More quotes from the same discussion:
Avoid sandboxie. In general sandboxie encourages unsafe surfing activities that it cannot protect you from. To demonstrate this we wrote an ActiveX control that a sandboxie user can download and install in sandboxed browser mode that will uninstall sandboxie and format the user's hard drive. We never released this, it was just a proof of concept :)

We developed a new type of malware to make it possible to do so. What we noticed is not only did we evade sandboxie, we also entirely evaded all rootkit, antivirus, antispyware, antimalware and security software. The OS was totally blind to what we were doing. Upon the revelation that we had built a neutron bomb for a knife fight, we decided to show it to the FBI and tell them that someone else could come up with this type of attack, and it is only a matter of time. They kindly asked us not to release it, which we will honor until we decide otherwise.

Funny to think we started out to make a proof of concept that sandboxie could be defeated, and succeeded in defeating virtually all security software. I guess we overdid it.
 
That's nasty! I use tons of tabs (around a dozen or so) and usually am also logged in at various sites/services.

I'll have to consciously switch over to a modus operandi of consequently *logging out* and closing the tabs I'm not really in the process of using (and checking for correct URLs consciously).
 
Running a program like Avira with webguard (very tweakable) enabled will block a lot of malicious browser scripts too.
 
and the free Tor network; both of which are for anonymity

Just a small suggestion about TOR <--- no, it is NOT secure; it is even worse since it gives you a false feeling of being more secure.
Virtually anything could be harvested from your PC if you are not careful with JavaScript, so no anonymizer is going to help anyway if you do not know what you are doing.

Here are a few good readings about TOR:

Is Tor more secure than ordinary internet use?
__http://www.anonymityanywhere.com/tork/index.php?option=com_content&task=view&id=42&Itemid=32

Tor Might Not Be So Secure
__http://howtosplitanatom.com/news/tor-might-not-be-so-secure/

De-anonymizing Tor and Detecting Proxies
__http://ha.ckers.org/blog/20070926/de-anonymizing-tor-and-detecting-proxies/

Tor Project servers hacked
__http://www.h-online.com/open/news/item/Tor-Project-servers-hacked-911128.html

Security expert used Tor to collect government e-mail passwords
__http://arstechnica.com/security/news/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords.ars

PS. Be careful if something nasty pops up while browsing these links , it should not but just don't click "allow" if this happens
 
There is an extension to Firefox called no-script that lets you choose what scripts you want to run on any given page. You can set sites as trusted, and that way teach your script so it will not nag you after a while.
I use it and do find it fascinating how many scripts some sites have.

Here is the url https://addons.mozilla.org/firefox/addon/722+no+script+extension&cd=3&hl=en&ct=clnk
(though the addons.mozilla site seems to be down at the moment)
Here is a cached copy of it: _http://webcache.googleusercontent.com/search?q=cache:aGwLpuO3-RcJ:https://addons.mozilla.org/firefox/addon/722+no+script+extension&cd=3&hl=en&ct=clnk
http://noscript.net/screenshots and also alternative download.
 
There is an extension to Firefox called no-script that lets you choose what scripts you want to run on any given page. You can set sites as trusted, and that way teach your script so it will not nag you after a while.

Yup, it is good indeed; the problem is that a regular inet user will still click "allow" to watch a website. If an attack is combined with simple (or worse - complicated) social engineering, then you might be in trouble. The problem is that JavaScript is not the one and only danger that lurks out there; there are also TONS of security flaws in browsers.

The best solution is to watch only trusted sites like you said, but then again, which are "trusted"? :P
Recently I have been playing with SET, which stands for Social Engineering Toolkit, combined with Metasploit Framework.
I knew it all existed and I even played with it, but I just didn't realize how automated and advanced it already is now.
For all those who are interested, I suggest you watch these few movies from infosec con.
Especially the 5th one - 5 Social Engineering Toolkit - ReL1K
This will give you an idea how defenseless the majority of users are.
And remember, that's just one ninja ;)

src:__http://www.irongeek.com/i.php?page=videos%2Fmetasploit-class&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+IrongeeksSecuritySite+%28Irongeek%27s+Security+Site%29
 
Researcher warns of browser 'tabnapping'

A Mozilla user interface specialist has published proof-of-concept code for a new phishing technique, which makes use of morphing browser tabs to trick people into giving away log-in information.

Traditional phishing techniques generally lead a user directly to a malicious Web page that impersonates a trusted page, such as an online banking log-in site, which can then harvest the user's log-in information.

The new technique, called "tabnapping" or "tabjacking," demonstrated by Mozilla Firefox creative lead Aza Raskin in a blog post earlier this week, leads a user to what appears to be a genuine site that delivers the content promised.

Read more of "Phishing attack uses tricky 'tabnapping' technique" at ZDNet UK.

src:__http://news.cnet.com/8301-1009_3-20006150-83.html?tag=mncol;title
 