In many of my posts I have pointed out the concept of "phishing" in email hacking, where the attacker sends the victim a fake/spoofed login page with a manipulated URL to create an illusion of legitimacy. A few months back, Aza Raskin, the Creative Lead of Mozilla Firefox, described a new form of phishing attack called "tabnabbing", which manipulates the user's tabbed browsing.
What is Tabnabbing?
You can guess what it does from its name: "tab" means "the different windows attached to the same browser" and "nabbing" means "to seize something forcefully". With tabnabbing, a user who has opened multiple tabs in the browser comes back after some time to one of the earlier tabs and finds that the content, title and favicon of that tab have changed to the login page of an email account or a bank. Apart from manipulating the browser's tabs, the attacker manipulates the victim's memory: a user who does not remember which website was open in that tab will log in to the fake page, thinking he/she opened it.
Check out the video to see the demo.
A New Type of Phishing Attack from Aza Raskin on Vimeo.
How does it work?
The main concept is that the attacker puts JavaScript in the page source which waits for a certain delay and then changes the page's favicon, title and content. It is more dangerous if the script is intelligent enough to detect which sites the user normally visits and then switch to a copy of one of those sites.
Why is online banking more vulnerable to this?
In online banking you must have noticed that if you log in to the official page and leave it idle for a few minutes, you are automatically logged out. Because of this feature, tabnabbing is very effective against users of online banking: the user assumes that he/she had logged in to the bank account and that the session has expired.
Countermeasures:
I would recommend the Mozilla Firefox browser for web access because it has many security add-ons which are very handy and easy to use.
1. WOT: Marks websites with a colour and warns the user.
2. NoScript: This add-on protects from XSS, IFrames and ClickJacking, and stops JavaScript.
3. Safe: Makes SSL and extended SSL more visible to the user.
4. Secure Login: It has a feature to enable or disable JavaScript and manages the Mozilla password manager.
5. PhishTankSiteChecker: It warns the user about a phishing attack.
6. Close all other browser tabs and web-based applications that use the browser cache when using online banking.
7. You can also use a Linux Live CD to access the internet while using online banking.
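The behaviour described under "How does it work?" leaves a recognisable trace: the tab's title, favicon and content differ between the moment you leave the tab and the moment you return. The following is an added example, not code from the original post or from any of the add-ons listed, showing how a userscript or extension could check for that; the function names, verdict labels and sample snapshots are assumptions made for illustration.

```javascript
// Added example, not from the original post: flag the "tab changed while
// you were away" signature. All names and sample values are assumptions.

// Record what the user would recognise the tab by.
function snapshotPage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the state saved when the tab was hidden with the state on return.
function assessTabReturn(before, after) {
  const changed = [];
  if (before.title !== after.title) changed.push('title');
  if (before.favicon !== after.favicon) changed.push('favicon');
  const newLogin = !before.hasPasswordField && after.hasPasswordField;
  if (newLogin) changed.push('login form');
  // A title change alone is normal (unread counters, chat notifications).
  // A login form that appears in the background together with a new
  // title or favicon is the pattern the post describes.
  let verdict = 'ok';
  if (newLogin && changed.length >= 2) verdict = 'warn';
  else if (changed.includes('title') && changed.includes('favicon')) verdict = 'review';
  return { verdict, changed };
}

// Browser wiring: snapshot on hide, compare on return.
function watchTab(doc, onResult) {
  let before = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') before = snapshotPage(doc);
    else if (before) onResult(assessTabReturn(before, snapshotPage(doc)));
  });
}
if (typeof document !== 'undefined') {
  watchTab(document, (r) => {
    if (r.verdict !== 'ok') console.warn('Tab changed while hidden:', r.changed);
  });
}

// Constructed sample snapshots (not captured from a real site).
const SAMPLE_BEFORE = { title: 'Holiday photos', favicon: 'https://blog.example/favicon.ico', hasPasswordField: false };
const SAMPLE_AFTER = { title: 'Example Mail: Sign in', favicon: 'https://blog.example/mail.ico', hasPasswordField: true };
const SAMPLE_BENIGN = { ...SAMPLE_BEFORE, title: '(1) Holiday photos' };
```

A warning from this check is a prompt to read the address bar before typing a password, not proof of an attack.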
Source: http://www.azarask.in/
If you find this post worth reading, do post a comment; it will be appreciated.
Tabnabbing: Email & Online Banking Vulnerabilities and Countermeasures
Reviewed by Satyajit (Admins, a.k.a. Satosys) on Tuesday, July 20, 2010

7 comments:
I will be more alert while accessing online banking.
I use FF, do I still need to fear phishing attacks? :)
@Shabnam Actually Mozilla Firefox is the safest browser due to the add-ons it has... but it does not make you hack-proof... your privacy can still be manipulated... but you can avoid that to some extent by staying vigilant while accessing the net... thanks for visiting... :)
You are putting good effort into your blog. Please take my suggestion: without any loss of time, get a domain name soon.
@Shekhar Thanks for your suggestion... I was also thinking that... anyway, thanks for visiting... :)
Wow man, good info about tabnabbing! Thanks a lot.
Hey Suresh, thanks for visiting...
Great info, keep sharing...