SoylentNews is people

posted by LaminatorX on Wednesday September 10 2014, @09:57AM
from the Rift-is-still-the-best-Phish-album dept.

Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.

What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise.

  • (Score: 2) by AlHunt on Wednesday September 10 2014, @10:24AM

    by AlHunt (2529) on Wednesday September 10 2014, @10:24AM (#91613)

    I hate to call "old news", but this looks like news from 2010 ...

    • (Score: 3, Informative) by quadrox on Wednesday September 10 2014, @11:56AM

      by quadrox (315) on Wednesday September 10 2014, @11:56AM (#91631)

      I was not aware of this, so I for one was quite happy to read TFA.

    • (Score: 2) by romlok on Wednesday September 10 2014, @02:33PM

      by romlok (1241) on Wednesday September 10 2014, @02:33PM (#91688)

      How can you tell?
      The copyright note in the page footer says 2010, but that could just be the last time the footer was updated (usually when the blog software was installed).

      Why do people run blogs which don't show when posts are made? Even the comments on the blog post don't show any kind of date associated with them!

      • (Score: 2) by FatPhil on Wednesday September 10 2014, @03:14PM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 10 2014, @03:14PM (#91709) Homepage
        $ youtubedown 'http://vimeo.com/moogaloop.swf?clip_id=12003099&server=vimeo.com&show_title=1&show_byline=0&show_portrait=0&color=cc6600&fullscreen=1'
        youtubedown: downloading "A -- New Type of Phishing Attack (2010)"

        I don't know where youtubedown got that date from, but it certainly wasn't from the article.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by AlHunt on Wednesday September 10 2014, @04:46PM

        by AlHunt (2529) on Wednesday September 10 2014, @04:46PM (#91753)

        For one, it rang a bell. Secondly, if you follow the link to the author's project, it's been abandoned in favor of a newer project.

      • (Score: 0) by Anonymous Coward on Wednesday September 10 2014, @06:11PM

        by Anonymous Coward on Wednesday September 10 2014, @06:11PM (#91782)

        > Why do people run blogs which don't show when posts are made?

        That is in my top 5 peeves. It is so god damn annoying to come across an article on the web and have no idea when it was written. Time is a huge part of the context for everything, if for no other reason than some turn of events might occur after it was written that completely change the situation (e.g. "No one knows where Osama bin Laden is hiding...")

        What makes it worse is that so many pages are dynamically generated that you can't even check the last-modified date, because each new access regenerates the page, so the date is nearly always 5 seconds ago.

  • (Score: 2) by wonkey_monkey on Wednesday September 10 2014, @10:29AM

    by wonkey_monkey (279) on Wednesday September 10 2014, @10:29AM (#91616) Homepage

    A New Type of Phishing Attack

    So new, in fact, that it can time travel four years into the past to spawn its own creation.

    --
    systemd is Roko's Basilisk
  • (Score: 2, Insightful) by Anonymous Coward on Wednesday September 10 2014, @11:08AM

    by Anonymous Coward on Wednesday September 10 2014, @11:08AM (#91620)

    I'm beginning to see a pattern...

    • (Score: 3, Funny) by dyingtolive on Wednesday September 10 2014, @01:49PM

      by dyingtolive (952) on Wednesday September 10 2014, @01:49PM (#91669)

      Yeah. "Holy javascript Batman!"

      --
      Don't blame me, I voted for moose wang!
    • (Score: 0) by Anonymous Coward on Wednesday September 10 2014, @08:19PM

      by Anonymous Coward on Wednesday September 10 2014, @08:19PM (#91827)

      > NoScript saves the day

      I am worried that all of the fancy stuff in HTML5 will enable new attack vectors that NoScript doesn't address. You can do a lot of "programming" with just HTML5 and CSS. There will definitely be holes and it won't be as easy to block them as it is with javascript.

      • (Score: 0) by Anonymous Coward on Thursday September 11 2014, @05:37PM

        by Anonymous Coward on Thursday September 11 2014, @05:37PM (#92066)

        Here's some nasty applications of HTML5 https://en.wikipedia.org/wiki/Evercookie [wikipedia.org]

  • (Score: 5, Interesting) by bzipitidoo on Wednesday September 10 2014, @11:57AM

    by bzipitidoo (4388) on Wednesday September 10 2014, @11:57AM (#91632) Journal

    This may not have been tabnabbing. I don't know because I didn't see how it started. I wouldn't have fallen for it, but this was helping Dad. He was trying to do something, maybe it was making a purchase of some sort through Google Wallet, and thought he'd been logged out of his Gmail account, for inactivity, or he'd purposely logged out and forgotten. Whatever, something seemed off about him being asked to login again, but I didn't figure it out until after he'd given the fake site his login info. He already had the fake login page loaded, and that's why I didn't look at the URL bar. Only look when opening up a new page.

    When the site didn't respond as expected, I realized it was a fake and we'd been had. Immediately had him change his Gmail password, and hoped that was quick enough to stop any damage. Not quite. He didn't change his password enough, and a few hours later spam was coming from his account. Had him really change his password, and that stopped it. Was a close call. What if the hijackers had changed the password themselves? I wonder why their script didn't, actually. Is the account more useful if the real owner never realizes he's been hacked?

    • (Score: 2) by sjames on Wednesday September 10 2014, @12:33PM

      by sjames (2882) on Wednesday September 10 2014, @12:33PM (#91643) Journal

      It's always a balancing act. You want enough control to do what you want, but not to assert so much control (for example by locking the legitimate user out) that they contact support (though in Google's case, that's not always much of a threat).

      The sad fact is that it is sufficiently easy to get a large list of valid user/pass that losing one here and there doesn't much matter.

    • (Score: 2) by tempest on Wednesday September 10 2014, @12:43PM

      by tempest (3050) on Wednesday September 10 2014, @12:43PM (#91647)

      > Is the account more useful if the real owner never realizes he's been hacked?

      Assuming the real owner takes no action then yes. If they'd change the password, the owner would go into the recovery process, and maybe contact support who would look into the account and see what's happening. The owner sending a few legit emails might help mask things, and often people sometimes become upset over the suggestion that they've been compromised (even when they have) and actually defend the hacked account.

  • (Score: 2) by cmn32480 on Wednesday September 10 2014, @12:24PM

    by cmn32480 (443) <cmn32480NO@SPAMgmail.com> on Wednesday September 10 2014, @12:24PM (#91637) Journal

    Stopping a Trojan Horse from the link, for what else? TABNABBING!

    --
    "It's a dog eat dog world, and I'm wearing Milkbone underwear" - Norm Peterson
    • (Score: 3, Funny) by Kell on Wednesday September 10 2014, @01:59PM

      by Kell (292) on Wednesday September 10 2014, @01:59PM (#91673)

      It's demo code as part of the article... I too was surprised that my AV picked it up. Not because I was surprised they demoed the code on the website, but because I was surprised my AV actually did anything -useful-.

      --
      Scientists ask questions. Engineers solve problems.
  • (Score: 2) by opinionated_science on Wednesday September 10 2014, @01:41PM

    by opinionated_science (4031) on Wednesday September 10 2014, @01:41PM (#91666)

    Surely if you use browsers with profiles this will not surprise you?

    I only use gmail in one place. In fact I have about 10 browser/windows pointing to different things (soylent gets a night at the opera)...

  • (Score: 0) by Anonymous Coward on Wednesday September 10 2014, @02:14PM

    by Anonymous Coward on Wednesday September 10 2014, @02:14PM (#91680)

    The word "tabnabbing" makes it sound like they are hijacking the tab with the actual gmail site, but if you read the article they are not. The bad guy scripts simply redirect the tab they are already loaded in to gmail when the tab doesn't have focus, and hopes that the user won't notice that "Joes porn site" was suddenly replaced with Gmail, and suddenly feel an urge to log in to check his mail.

    Sure it may work against some users, but it's no more new that I'm sure it was used back when a "tab" was called a piece of paper, the first page was called a "petition", and the page it got swapped with when you look away was called a "contract".

    • (Score: 0) by Anonymous Coward on Wednesday September 10 2014, @04:10PM

      by Anonymous Coward on Wednesday September 10 2014, @04:10PM (#91738)

      I don't know, but it seems like the kind of thing that could potentially fool me, and I consider myself pretty savvy. I'd imagine it'd probably be pretty difficult to detect by anti-malware software. Especially true if you're only targeting certain people.
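
Added example, not part of the thread or the linked article: a detection heuristic a browser-extension content script could apply to the behaviour discussed above, comparing what a tab looked like when it lost visibility with what it looks like when the user returns. The names `snapshot`, `assess`, the level strings and the sample states are assumptions of this sketch.

```javascript
// Added example: flag a tab whose identity cues changed while it was hidden.
// snapshot(), assess() and the level names are assumptions of this sketch.

// Record what a returning user glances at: origin, title, favicon, login form.
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPassword: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab lost visibility with the one taken
// when it became visible again.
function assess(before, after) {
  const changed = ['origin', 'title', 'favicon'].filter((k) => before[k] !== after[k]);
  const newLogin = !before.hasPassword && after.hasPassword;
  let level = 'none'; // e.g. a title-only change such as an unread counter
  if (changed.includes('origin') || changed.includes('favicon')) level = 'notice';
  if (newLogin && changed.length > 0) level = 'warn';
  return { level, changed, newLogin };
}

// Constructed sample states (not captured from a real site).
const SAMPLE_BEFORE = { origin: 'https://blog.example', title: 'Some article',
  favicon: 'https://blog.example/favicon.ico', hasPassword: false };
const SAMPLE_REWRITTEN = { origin: 'https://blog.example', title: 'Sign in - Mail',
  favicon: 'https://blog.example/mail.ico', hasPassword: true };
const SAMPLE_COUNTER = { ...SAMPLE_BEFORE, title: '(3) Some article' };

// Browser wiring; skipped when run outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  let atHide = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { atHide = snapshot(document, location); return; }
    if (!atHide) return;
    const result = assess(atHide, snapshot(document, location));
    if (result.level !== 'none') console.warn('Tab changed while hidden', result);
    atHide = null;
  });
}
```

This in-page wiring only sees a page that rewrites itself in place; a full navigation discards the page's script state, so an extension would have to keep the hide-time snapshot per tab in its background context.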

  • (Score: 0) by Anonymous Coward on Wednesday September 10 2014, @05:38PM

    by Anonymous Coward on Wednesday September 10 2014, @05:38PM (#91770)

    From TFA: "it’s time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe."

    Regardless whether the text was from 2010: It's time for our browser to be a browser again, and not a toy virtual machine for blackhats, advertisers and the NSA to farm us with.

  • (Score: 1) by number6 on Wednesday September 10 2014, @09:01PM

    by number6 (1831) on Wednesday September 10 2014, @09:01PM (#91840) Journal

    I use Firefox addon 'DNS Flusher' [coders.com.br] and it is VERY helpful in giving feedback on the true IP address of the active browser page.
    When installed, the addon will show the IP address of the page at the Status Bar. When I visit 'important' sites such as my email provider or my bank I check the IP address reported by 'DNS Flusher' at the Status Bar before proceeding to use the site.

    Info by the author:
    "A Mozilla Firefox add-on that provides an easy way to reload the browser DNS cache ... It's commonly used by developers who use the Hosts File to force a domain name resolution to a specific IP ... DNS Flusher is a very simple addon for Firefox to force refreshing its DNS internal cache."