New Tabbed Browsing Phishing Attack Exploits User Trust

A researcher has developed a new type of phishing attack that takes advantage of the way that browsers handle tabbed browsing and enables an attacker to use a script running in one tab to completely change the content in another tab. The attack, demonstrated by Aza Raskin of Mozilla, could be used for highly targeted attacks against customers of a specific bank, Webmail service or credit-card company.

The new tabbed browsing phishing technique relies on a user visiting a site controlled by an attacker, which includes a malicious script. When the user visits the site, the attacker’s code detects which other tabs the user has open in her browser and checks to see which ones haven’t been visited in a while. The JavaScript code then changes the favicon of that tab and the content on the page to look like whatever the attacker chooses.

[See a video demonstration of the attack here: New Phishing Attack Exploits Tabbed Browsing]

In the example Raskin includes on his site, the code changes the page to the Gmail login page. An attacker could just as easily build the attack around a Bank of America login page or any other site whose login credentials are high-value.

The idea is to have the victim glance at the open tab, “remember” that she left a Gmail tab or Bank of America tab open and then log in again. Once the credentials are entered, the attacker simply redirects the victim to the real site, which displays correctly because the user was never logged out in the first place.
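Seen from the defender's side, the behaviour described above leaves a recognisable trace in the page's own actions: a tab that swaps its title and favicon only after it has been hidden for a while. The following is an added example, not code from the article or from Raskin; it models the browser events as a plain array so it runs under Node, and the `attacker.example` and `icons.example` addresses are constructed placeholders.

```javascript
// Changes a page has no ordinary reason to make to itself while its tab is in
// the background. In a browser these would be reported by a MutationObserver
// on <head> (title, <link rel="icon">) and on <body> (content).
const WATCHED = new Set(["title", "favicon", "content"]);

// Walk a timeline of events and return every watched change that happened
// while the tab was hidden. Visibility events are assumed to come from the
// "visibilitychange" event / document.visibilityState ("visible" | "hidden").
function changesWhileHidden(pageOrigin, events) {
  let hiddenSince = null; // timestamp (ms) when the tab went hidden, or null
  const findings = [];
  for (const ev of events) {
    if (ev.type === "visibility") {
      hiddenSince = ev.state === "hidden" ? ev.t : null;
    } else if (hiddenSince !== null && WATCHED.has(ev.type)) {
      const finding = { type: ev.type, value: ev.value, hiddenForMs: ev.t - hiddenSince };
      if (ev.type === "favicon") {
        // A look-alike icon is usually fetched from somewhere other than the
        // page's own origin; record that as an additional signal.
        finding.crossOrigin = new URL(ev.value, pageOrigin).origin !== pageOrigin;
      }
      findings.push(finding);
    }
  }
  return findings;
}

// The full disguise described in the article: both the title and the favicon
// were swapped while the user was looking elsewhere.
function looksLikeTabnab(findings) {
  const kinds = new Set(findings.map((f) => f.type));
  return kinds.has("title") && kinds.has("favicon");
}

// Constructed sample timeline (not captured from a real site): the user opens
// the attacker's page, switches tabs, and ten minutes later the page turns
// itself into a webmail login.
const PAGE_ORIGIN = "https://attacker.example";
const SAMPLE_EVENTS = [
  { t: 0, type: "visibility", state: "visible" },
  { t: 30000, type: "visibility", state: "hidden" },
  { t: 630000, type: "title", value: "Gmail: Email from Google" },
  { t: 630000, type: "favicon", value: "https://icons.example/mail.ico" },
  { t: 630050, type: "content", value: "<form action=\"/collect\">...</form>" },
];

const findings = changesWhileHidden(PAGE_ORIGIN, SAMPLE_EVENTS);
console.log(looksLikeTabnab(findings) ? "tabnab pattern detected" : "nothing flagged", findings);
```

The same logic can sit in a browser extension's content script, with `hiddenSince` driven by the real `visibilitychange` event and the observers feeding the watched changes.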

“As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs,” Raskin writes in his blog post on the attack.

Raskin speculates that the technique could be used in a number of different scenarios, including in combination with other tactics such as CSS history mining to target customers of a specific service or financial institution.

“For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand,” he writes. “Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML webpage in a script tag*. Once you know what services a user is currently logged in to, the attack becomes even more effective.”
