New method for phishing discovered by Aza Raskin “creative” lead for firefox. |
donald 206 Posts May 25th 2010 |
Thread locked Subscribe |
May 25th 2010 1 decade ago |
I am not discounting the validity of this attack but it seems somewhat unlikely you're going to get someone to let a phishing page sit idle while they go surf another tab. I mean a hacker is generally trying to get someone to go to a site and DO something there for a phishing attack...now you have to hope they just lose interest in your phishing site and open a new tab to browse somewhere else? just doesn't seem like a very viable means of phishing.
not only that...I am pretty sure I am gonna notice if one of my tab fav icons changes suddenly while i'm sitting there. now if i have walked away from my PC....that's a possibility I guess... am I just missing something that would make this seem more prolific that it appears it would be? |
Blagarswinth 23 Posts |
Quote |
May 25th 2010 1 decade ago |
While the reach of such attack might seem very low when thinking about phising, it take it full strength when added in those popular website infection kit, defacing official website without changing the visual aspect of them.
Add some automation like using reference URL, search term used to reach website and you already got clue what can be 'tab-jacked'. Email account would probably be the highest successful one. |
Blagarswinth 4 Posts |
Quote |
May 25th 2010 1 decade ago |
I'm a regular visitor of security.nl (and I'm Dutch).
However, instead of translating the page, you can read a similar English writeup at "the H" here: http://www.h-online.com/open/news/item/New-phishing-attack-exploits-tabbed-browsing-1006386.html (and in German here: http://www.heise.de/security/meldung/Phishing-per-Browser-Tabs-1006281.html) Note that all pages refer to the following (English) blog page: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ |
Erik van Straten 129 Posts |
Quote |
May 25th 2010 1 decade ago |
A.Champ is right, the dutch article also refers to the attack as found by 'Aza Raskin'.
I see this happening: set up some innocent looking page, make sure it loads really slowly (or better, fake it with javascript to be sure), and then put the attack on that. However, the url shown isn't changed, so that gives it away easily. Still, they only have to get a few users to make it worth their time if the site target has enough value per account. Defenses... why does javascript need to be allowed to change the favicon? |
Arnt 4 Posts |
Quote |
May 25th 2010 1 decade ago |
While the automated use of this exploit might get more success with hotmail/gmail/twitter/facebook phish, there are other targeted use that could probably be very efficient.
Injecting JS to vulnerable forums/website related to a specific subject, without defacing it or hindering the user ability to use it to stay under the radar. Example: Adding the JS sample to website related to a game, then faking that game official page or forum, with the JS when the user is tabbed elsewhere. Even better, simply push the JS script ads in a ads network and 'aim' specific website category. On the corporate side, it could even be used when a partner or official website get injected/compromised. Even if that website doesn't require credential, if the JS fake some internal web-based tools, the success-rate might be interesting for the bad guy. |
Arnt 4 Posts |
Quote |
May 26th 2010 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!