May 24, 2010

Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.

As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javacript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.

In this attack, the phisher need not even change the Web address displayed in the browser’s navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls “the perceived immutability of tabs.” Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.

“When they click back to the fake Gmail tab, theyโ€™ll see the standard Gmail login page, assume theyโ€™ve been logged out, and provide their credentials to log in,” Raskin explained. “After the user has enter they have entered their login information and sent it back your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”

Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.

It’s important to keep in mind that this attack could be used against any site, not just Gmail. Also, Raskin includes a few suggestions about how this attack could be made far sneakier — such as taking advantage of CSS history attacks.

Of course, if you are browsing with the excellent “Noscript” add-on and this is a site you have not allowed to run javascript, the proof-of-concept won’t work until you allow javascript on the page. It did not work completely against the Safari browser on my Mac (no favicon), and the test page failed completely against Google Chrome. [Update: As several readers have correctly pointed out, this attack does in fact work against Chrome, although it doesn’t seem to change the favicon in Chrome tabs].

I’m left wondering what this new form of phishing will be called if it is ever adopted by the bad guys. Tabnabbing? Tabgrabbing? See if you can coin a better phrase in the comments below.

Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock up of this blog post, to morph into an image of the Gmail login page, and it will reload every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.

“I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”

Update, May 27, 11:41 p.m. ET: For Firefox users with the Noscript plugin, there is an update to the program that can block these types of tabnabbing attacks.


141 thoughts on “Devious New Phishing Tactic Targets Tabs

  1. Fiona

    My boyfriend sent this* to me. I haven’t time to read it immediately and when I find a time, just a login screen was in tab. I knew immediately something is wrong cause of Colourfull tabs. The tab has different color than I am used to see on google site. It would never ever came to my mind that this simple plug-in can be useful in security :).

    *http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

  2. dale orkus

    suggestion for naming this type of Phishing Attack:
    Tabbelganger (as in Doppelgangering of Tabs)

  3. JimP

    Very interesting attack and very well described. This is certainly one I might fall for myself if I didn’t use KeePass and always use it for launching the tab and doing credentials.

    In the interest of not redefining what “nabbing” means, I’ll throw in my vote for the above mentioned “Tabfoolery” and “Tabfuscating” as well as throw in my own:

    Tabmorphing (General attack class)

    – or more specifically –

    TabMorphishing (Morphing a tab with the intent of phishing)

  4. AlphaCentauri

    Does it need to be multiple tabs, or can it be multiple open windows? The web-based software at the hospital where I work opens a jumble of windows and requests the same password twice in the course of accomplishing a single patient data lookup, with the menu window remaining on top of the window it opens to report the data. It’s common for the staff to be browsing the web to view medical literature websites while checking lab and xray results in one program and writing progress notes in another — lots of open windows. And in the name of security, the software logs people out after a very brief interval of inactivity (usually shorter than it would take a staff person to complete a progress note in the other window before returning to look up data on the next patient), so no one would question a log in page at all. It’s in-house software, but someone taught these people to design web pages this way — it can’t be the only institution with software like this.

    So people having multiple secure windows open is not an unlikely scenario. What’s more of a stretch is how to get them to also open a compromised web page and how to anticipate what kind of log in screen they will be expecting to see when it morphs. But since you can easily purchase a list of email addresses for doctors based on the hospital where they work, if you knew what their log in screen looked like, you could send out an email purporting to be from a well-known information source like the NIH, announce some ground-breaking research that people would be sure to discuss at morning rounds, and provide a link to the compromised page that spoofed that organization’s website while morphing into that hospital’s log in page.

    Tabamorphosis?

  5. kingpin

    @BrianKerbs

    Well I did try opening the below following link in a new tab of Opera 10.53 and just as suggested after a minute it changed to a screenshot of Gmail page from the actual link-

    http://avivraff.com/research/phish/article.php

    But the address bar wasn’t changed and missing was the SSL certificate lock symbol on the address bar as well!

    BTW,I always use Private Browsing when I am always surfing the net.

    So is it safe to say that Opera 10.53 latest version on Windows XP Pro isn’t affected by “Tabnapping”,correct me if I am wrong.What about without Javascript enabled?

    Nice Post and Thanks for the post,much appreciated. ๐Ÿ™‚

    Well I will call it TabPhishing or TabMasking or TabSpoofing. ๐Ÿ˜‰

    1. Karl

      It didn’t work for me in Opera 10.53…
      The page doesn’t switch, it only reloads, nothing else happens.

    2. Anon

      The point is that most people only check that stuff when they first open a page.

  6. scamdetect

    It appears that I owe Rick and apology.

    I submitted the story to slashdot that credited Mr Raskin with the name “tabnapping”

    Apologies!

    Scamdetect

  7. QQ

    I’m glad to be aware of this evil tabjacking!

    While this is a devious way to steal a couple of passwords this is not going to become main stream attack IMO.

    I haven’t read any good statistics on the subject but I don’t think most people use tabs, and lets consider that work places for example usually have IE6(Citibank in Poland have windows 2000….) installed anyway so the phisher doesn’t need new exploits to get backdoor which is much more valuable than passwords.

    So in order to be a victim to this sort of phishing the target needs a browser with tabs(and even today most aren’t), using tabs while logged into at least 1 exploited web page, ignoring address row, not running anything like Noscript(even if it bypass Noscript it surely lowers the success rate of the attacks).

    Bottom line it is scary but Rogue AVs and Adobe exploits are still scarier and for the hackers it is still better statistically to just go for IE6 stuff.

  8. BigMonkey

    I always have (the same) three sites open for research purposes, GMAIL being one of them. Regardless of how many tabs I have open eventually, I keep these same three tabs in the left-most positions and always in the same order. I can’t recall whether I’ve seen this attack since, should the offending GMAIL tab-nab appear in any other tab that the one I’ve “assigned”, I simply close the tab and verify the GMAIL session in my GMAIL tab. The only reason that GMAIL would appear in multiple links to begin with is when I specifically open an item from my GMAIL in another tab.

    Creepy attack all the same. If they can do it with GMAIL, they can do it with any site. Wouldn’t seem that difficult to harvest the sitenames to which current sessions are open. Of course, I’m no programmer.

  9. Cian

    I find myself wondering if this would be enough to trick browser / plugin based password programs into providing the credentials without even user intervention. I myself use lastpass.com, however I have it setup pretty strict such that I need to enter my master password each time, however there is a feature that would allow one to “autologin” to sites that the plugin detects have been logged out of. If this were the case, then when the javascript modified the page, I wonder if lastpass (or whatever) would detect the modification and try to login – even without the user on the page!?

  10. Lance Ito

    It seems the issue happens on this page too.
    With Firefox, it happens even with NoScript that doesn’t allow to run scripts.

    By the way, I can see this page correctly formatted only with Opera. Firefox and Chrome show me a bad formatted page in the comments section.

  11. Eric

    It does not work with the latest version of No Script, 1.9.9.81. You have to download that version from the No Script website. Hopefully Mozilla will get it added to the Add-ons site soon.

  12. dward

    I’m running 1.9.9.80 Noscript which I think is current but it doesn’t block the proof of concept? What version is upto date against this ….

  13. Christopher

    It sounds like browsers need to be re-written to DISALLOW automatic refreshing of pages.

    Seriously, when was the last time that anyone had a page that needed to automatically refresh?

    Oh wait….. that’s common. Website owners need to get on this and stop using that function in browsers, and it needs to be taken out of browsers.

    1. JBV

      Lots of sites refresh automatically, as you note. The Washington Post does, for example. Easy solution to this latest threat – just don’t open other tabs when visiting sites that refresh automatically. Another possible solution – don’t use Gmail.

    2. AlphaCentauri

      Whatever Google does to make you wait 5 seconds for their page to load before you can type something different into the browser address bar, they need to reconsider it. It’s visually impressive the first time. It’s damn annoying if Google is your home page.

    3. Russ

      The “refresh” tag is used too often to consider disabling it entirely. If scripting is enabled, it’s easy enough to replace a tab’s contents without a full page refresh.

      Potential countermeasures could include stalling refreshes on hidden tabs and windows until a few seconds after they’re exposed, or alerting the user to unusual refresh/redirect activity in a window when it gains focus.

  14. Anon

    The no-javascript link can be blocked if you tell FF in the preferences to “Warn me when sites try to redirect or load the page” under Advanced; if you do then it displays a banner at the top “Firefox prevented this page from automatically redirecting to another page (Allow)” and it will change when you click (Allow) no sooner or later.

  15. Stardance

    This sounds suspiciously like tabphishing, to me!

  16. Barbara

    I am glad I read about tabnapping. I normally have more than one tab open for convenient. Some name I come up with is Tabsnatching, Tab seizure,

    Barbara

  17. Cycron

    But it doesn’t change the URL, and saved passwords won’t show up, this is easy to spot then.

    …and Tabimitator would what I would call it, Tabnapper sounds like it takes over other tabs, when really it just changes itself, it’s not really hacking at all, the webpage just changes, nothing really happens to your browser.

  18. rgtek

    this is scary! you will never be safe in info world so be prepared. Seems like we would all go back to the dark ages (time before internet came) pretty soon.

    I would call this “tMorph” attack – morphing the tab.

    1. Ian

      Even with firefox I’ve even tried it without changing tabs and it also does it – so it’s doubly dangerous.

      If you select a different window on the desktop (but NOT change tabs in the browser) the script still detect this and does the page-switch.

      Very intruiging. So simple as well.

      It’s a concern how the less savvy are going to treat (or be treated by tabnabbing)

      Ian

  19. Sam

    Am so glad that when I clicked on the proof link my AVG Free immediately threw up a tabnapping alert…

    1. BrianKrebs Post author

      Hi Sam, welcome. Just curious: Did AVG actually call it tabnabbing in the alert?

    2. Amelia

      I was also quite thrilled to have AVG pop up and warn me of a tabnabbing attempt. AVG and NoScript are my best friends in this wild, wild internet.

  20. Jake

    what about gmail not logging us out once every 2 weeks?

    if I saw the login page popup in some random tab, I’d curse the fates and say “what, it logged me out again!?!?”

    eBay is the worst for this. A logout every single day. There is no option to set for “this computer is trusted. If anyone has unauthorized access to it, I have much more serious problems than my eBay password. Therefore, log me out only when the unix clock wraps around.”.

  21. kabo0m

    I was reading about this on techwub.com as a friend was warning me about this. Thanks for this write up.

Comments are closed.