Tabnapping phishing attack

Networking/Security Forums -> Exploits // System Weaknesses

Author: Ignatius    Location: Leeds, UK    Posted: Tue May 25, 2010 9:30 pm    Post subject: Tabnapping phishing attack
    ----
I just came across this example of a new attack: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

I don't know if anyone will find it interesting.

Author: Apoll0    Posted: Fri May 28, 2010 4:23 am    Post subject:
    ----
I saw this earlier this week. Crazy stuff. The good news is unless it is a targeted attack that knows the sites you access, it relies on chance. The attacker will open a tab in your browser with a fake site login, and hope that you go to that tab, see a familiar login, and enter your credentials. Still something to be wary of, of course...

Author: capi    Location: Portugal    Posted: Fri May 28, 2010 4:34 am    Post subject:
    ----
Apoll0 wrote:
The good news is unless it is a targeted attack that knows the sites you access, it relies on chance. The attacker will open a tab in your browser with a fake site login, and hope that you go to that tab, see a familiar login, and enter your credentials.

The problem is there are ways the attacker can find out whether or not you are logged in on any of a given number of sites:
Raskin wrote:
Using my CSS history miner you can detect which site a visitor uses and then attack that site (although this is no longer possible in Firefox betas). For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.

Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML webpage in a script tag*. Once you know what services a user is currently logged in to, the attack becomes even more effective.

Author: Apoll0    Posted: Fri May 28, 2010 6:18 am    Post subject:
    ----
Oh wow, true. I guess combining this with MITM or MITB efforts could also result in more success...just depends on the sophistication of the attacker. I think though that a majority will just go for the easy ones (Facebook, email accts, major creditors, etc)...actually any active monitoring and real-time exploit could be bad...eesh...
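
The attack discussed in this thread depends on a background tab swapping its title, favicon and content for a login screen while the user is looking elsewhere. The JavaScript below is an added example, not part of any post in the thread: it sketches how a content script could flag that change when the user returns to the tab. The names `snapshot` and `compareSnapshots` and the sample values are assumptions constructed for illustration.

```javascript
// Added example: flag a tab whose identity changed while it was hidden.
// snapshot() and compareSnapshots() are hypothetical helper names.

// Constructed sample states (not taken from a real page).
const SAMPLE_BEFORE = { title: 'Cat pictures', favicon: 'https://blog.example/cat.ico', hasPasswordField: false };
const SAMPLE_AFTER = { title: 'Sign in', favicon: 'https://blog.example/mail.ico', hasPasswordField: true };

// Capture the properties a user relies on to recognise a tab.
function snapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the state recorded when the tab was hidden with the state on return.
function compareSnapshots(before, after) {
  const findings = [];
  if (before.title !== after.title) findings.push('title changed while hidden');
  if (before.favicon !== after.favicon) findings.push('favicon changed while hidden');
  const newLogin = !before.hasPasswordField && after.hasPasswordField;
  if (newLogin) findings.push('password field appeared while hidden');
  // Titles change legitimately (unread counters), so only a new login form
  // combined with a new title or favicon is treated as suspicious.
  return { suspicious: newLogin && findings.length >= 2, findings };
}

// Browser wiring for a content script; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  let hiddenState = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      hiddenState = snapshot(document);
    } else if (hiddenState) {
      const result = compareSnapshots(hiddenState, snapshot(document));
      if (result.suspicious) console.warn('Possible tabnapping:', result.findings);
      hiddenState = null;
    }
  });
}
```

A check like this only notices changes within one page load; verifying the address bar before entering credentials remains the reliable test.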



All times are GMT + 2 Hours
