Tabnapping: A New Phishing Attack

Aza Raskin describes a new phishing attack: taking over a background tab in a browser to trick people into entering their login credentials. Clever.

EDITED TO ADD (9/12): This is not a new attack. The link above is from 2010. Here's another article from 2010.

Posted on September 11, 2014 at 6:15 AM • 26 Comments

Comments

Graham Cluley September 11, 2014 6:59 AM

Aza Raskin's video demonstrating this attack is four years old.

(Once again, a blogger lets us down by not displaying the date of his post on the webpage, or even in the URL).

Clive Robinson September 11, 2014 7:11 AM

It might be old, but memories can be very short in InSecT(ec)s let alone (ab)users....

Brian September 11, 2014 9:11 AM

I thought the fake Gmail login page looked old when I saw it. Is this method still actively used four years later? It seems simple enough.

Jan Doggen September 11, 2014 10:13 AM

Also quoting from a 2010 article: "The latest NoScript builds have been specifically tweaked to ensure that the tabnapping exploit doesn't work"

Perseids September 11, 2014 10:55 AM

@Jan Doggen
Apparently, current NoScript releases don't have it included anymore. Once I had temporarily allowed all domains, the attack worked flawlessly.

B. D. Johnson September 11, 2014 11:11 AM

I actually hadn't heard this one before. Still fails the "check the URL" test and, while Google does ask me to relog from time to time, it always prompts me with my username. It seems like it might check a few but not many before it got reported for phishing and browsers that detect those sites would warn you.

Mike Amling September 11, 2014 1:40 PM

Since it refers to "a bug in Chrome which has been fixed in the version 6.0.408.1", which is pretty old Chrome, I have to wonder how sure we are that "http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/" wasn't posted in 2010?

Jim Slaby September 11, 2014 1:49 PM

My AVG+ detected and removed a tabnapping attack when I looked at the article. Did it purposely include a demo of the attack, or has somebody with a keen sense of irony compromised the page? I didn't stick around to figure out which.

SJ September 11, 2014 2:04 PM

The version of Chrome I am currently using falls victim to the attack (as implemented on Aza Raskin's blog).

It kind of scared me at first, then I realized what had happened.

Chrome tells me I am running version 37.0.2062.103.

Giorgio Maone September 11, 2014 2:49 PM

@Perseids, @Jan Doggen:
Aza's "historical" tabnapping PoC requires JavaScript, therefore it is squashed by NoScript or any other means to forbid scripts on the attacking site.

However, the attack can easily be modified to succeed against a scripting-disabled defender, by just replacing the JavaScript-based location change with a simple scriptless refresh. That's what Aviv Raff did in his PoC (just keep it open in a background tab for 20 seconds), cited by Brian Krebs in his excellent coverage of the issue.
In this case, NoScript provided (and still provides) a specific countermeasure by blocking refreshes which happen in background tabs (noscript.forbidBGRefresh), while other script blockers don't.

So, the protection is still there (provided that you don't specifically whitelist the attacker's site), and it's unique to NoScript.
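A defender-side check for the scriptless variant described in the comment above, as an added example that is not part of the original thread and is not NoScript's code: it audits a fetched page for refresh directives (meta tag or `Refresh` response header) that fire after a delay and reports whether they lead to another origin. The function names, the 5-second threshold and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "<seconds>[; url=<target>]", the syntax shared by the meta tag and the Refresh header.
_DIRECTIVE = re.compile(r"\s*(\d+)[^;,]*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)
# Constructed sample: a page that replaces itself with another origin after 20 seconds.
SAMPLE_HTML = ('<html><head><meta http-equiv="Refresh" '
               'content="20; URL=https://login.example.net/"></head></html>')


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def _parse(directive, page_url, source):
    m = _DIRECTIVE.match(directive or "")
    if not m:
        return None
    # An empty target means "reload this URL"; urljoin then returns page_url.
    target = urljoin(page_url, (m.group(2) or "").strip().strip("'\""))
    return {"source": source, "delay": int(m.group(1)), "target": target,
            "cross_origin": _origin(target) != _origin(page_url)}


class _MetaRefresh(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.found.append(_parse(a.get("content"), self.page_url, "meta"))


def delayed_refreshes(page_url, headers, html, min_delay=5):
    """List refresh directives firing after min_delay seconds (assumed threshold)."""
    hits = [_parse(value, page_url, "header")
            for name, value in headers.items() if name.lower() == "refresh"]
    parser = _MetaRefresh(page_url)
    parser.feed(html)
    # Instant redirects (delay below the threshold) are common and are not reported.
    return [h for h in hits + parser.found if h and h["delay"] >= min_delay]
```

A directive with no target reloads the same URL and is reported with `cross_origin` set to `False`.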

Wesley Parish September 11, 2014 8:14 PM

A quick jump to View Page Source trotted out these dates:

24 May '10 3:53 pm

19 March '14 9:24 pm

and the informative

Cached page generated by WP-Super-Cache on 2014-09-11 17:34:27

I've used lynx to try out new websites.

Chris Abbott September 11, 2014 8:16 PM

@anonymous

They don't. People just don't look. Most people aren't checking on all the shit we're used to doing.

Even though this attack is old, it would probably still work. People aren't security conscious. Even other IT people I know aren't (I know, no excuse there). We need to be activists in terms of evangelizing security to the general public. We should all double down on these things until everything we talk about here goes into the mainstream.

We'll all be more secure when the day comes that I can talk to people about dictionary attacks and rainbow tables and crypto without getting a blank stare and a "Huh?".

name.withheld.for.obvious.reasons September 11, 2014 8:55 PM

Hasn't anyone noticed the use of GUID's to tag images? The idea is that a 201 or 301 http request will be returned when a string is passed to/back from the client. It's a passive graphic tag that uses your cached copy to track you by instance.

Bob September 11, 2014 11:57 PM

Giorgio,

Eitan Adler was the first one to report the Javascript-free version (http://blog.eitanadler.com/2010/05/tabnabbing-without-javascript.html)

Buck September 12, 2014 9:04 PM

@name.withheld.for.obvious.reasons

"Hasn't anyone noticed the use of GUID's to tag images? The idea is that a 201 or 301 http request will be returned when a string is passed to/back from the client. It's a passive graphic tag that uses your cached copy to track you by instance."

That's kinda clever... Canvas lacking, Cookie-less, Font free, IP ignorant, JS'less, UserAgent 'unavailable' session tracking!? Crap... I guess I'll have to start using similar techniques as well!
$#!+, my psychopathic self-interest is starting to bleed through!! Ignore these thoughts...

Anura September 12, 2014 10:03 PM

@Buck

I have the settings set to clear the cache every time I close Firefox for that reason. Same with cookies. Also, noscript helps.

Buck September 12, 2014 10:09 PM

@Anura

Keyword is: 'session'...
Got any browsers that restrict these identifiers per-instance/tab/window?

name.withheld.for.obvious.reasons September 13, 2014 12:00 AM

@ Buck

Thanks for the comic relief--though on a more serious note...

Look at how the GUID is generated in the CDATA section of the HTML5/XML code section--using a schema it is quite possible to do data mapping. The primary engine is the XML/XLS data pairing that is associated with the GUID named image.

Look at any sites that use the addthis or have fbconnect code associated with them...

Regards,
NWFOR

name.withheld.for.obvious.reasons September 13, 2014 12:32 AM

@ Buck, @ et al

Forgot--the code often "inlines" the image as embedded mime or just an encapsulated graphic. The example URL(s) are from a fiction-made site...

The link(s) are for multiple first loads of images--to build cache entries with predefined GUIDS. The XML/XLS CSS data mappings are done with scripts or just pure XML in portions of code. As these are URL's only, I stripped the code surrounding the fake URL's.

Can't post code (there would be a debate, there is some code but a significant amount of data), but it might be possible to pull just the data and extrapolate by pseudo-coding the operational features?




Dave December 6, 2015 9:35 AM

This happened to me recently. I opened a link that a friend had sent me. It was fun and games until I got bored of it. I stopped the game and went to read some articles on Schneier for over 2 hours. Then I got back to the game again. I was asked to fill in my e-mail address and password. I thought that it would link the game stats to my mail and I can share with friends. I filled in the information, unaware of the consequences. Now I've lost my email account and important info in it. Help anyone?
