“Tabnabbing”: a new Phishing technique

Introduction

Phishing is one of the most common and classic attacks on the Internet. In a conventional attack scenario, an email is sent to some victims, which entices them thanks to varied reasons to click a malicious link embedded in this email. The success rate of this attack is mainly based on the level of persuasion of the mail content and on the credulity of the victim. These factors are difficult to measure by hackers and such attacks often require complementary techniques such as "social engineering" and knowledge of victims to succeed. Moreover, malicious links are now "well" detected by anti-phishing mechanisms embedded in browsers, and the awareness of users makes classic Phishing attacks difficult to succeed.

Starting from this observation, several security researchers have tried for several years to show that, even if hours of glory of the conventional Phishing are not over, this conventional Phishing is not the only way to entice users into entering sensitive information on a website controlled by malicious people. In particular, we have already shown in 2009 in an article entitled “A new attack technique: The In-Session Phishing", that a Phishing attack can only involve the use of a web browser and does not necessarily require that the victim clicks on a link embedded in an email. The Tabnabbing belongs to this new family of Phishing techniques.

What is “Tabnabbing”?

The “Tabnabbing” or “Tabjacking” is a new Phishing technique demonstrated by Aza Raskin, a leading developer of the Mozilla Firefox web browser. This attack is particularly interesting since it does not rely on any security vulnerability. Actually, it just relies on the widespread use of tabs in web browser and on the excessive trust from the user once a web page has been opened for a while in the browser application. In fact, most phishing attacks depend on an original deception, a deception that the victim user may detect once he understands the URL he is about to click on seems to be amiss. The author of the attack insists on the fact that the time that people are most wary is exactly when they first navigate to a site. In particular, what we don’t expect is that a page we’ve been looking at will change behind our backs, when we are e.g. looking at another tab.

How does the attack work?

Let’s imagine the following attack scenario, which could be used in order to steal Gmail credentials:

1. A user inadvertently browses to a web page controlled by an attacker, a normal-looking page at first sight. It could also be a legitimate web page that the attacker was able to alter.
2. In the context of the use of his web browser, this victim will open other web pages and consequently other tabs.
3. Thanks to a small embedded JavaScript code, the attacker-controlled web page detects when the page has lost its focus (the user has switched to another tab) and hasn’t been interacted with for a while. This same JavaScript code then takes advantage of this momentary laps of inattention (the attention of the user is drawn by another tab) to change the Favicon of the page (the icon that represents the web page in the tab bar) and to replace it with the Gmail one. In addition, it also changes the title of the page (thus the title of the tab) and finally replaces the entire body of the page by an exact copy of the Gmail login page.
4. As the user scans his many open tabs, the Favicon and title act as a strong visual cue, and the presence of a Gmail tab will likely let the user think he left a Gmail tab open. When he will click back on the fake Gmail tab and will see the rogue Gmail login page, he will assume he has been logged out and will logically provide his credentials in order to reconnect. As we can see, this attack relies on the perceived immutability of tabs (users generally assume that the content of a tab can not be “automatically” modified once the tab is open).
5. Once the victim has entered its login information into the malicious web page, the page effectively steals the credentials and then redirects the victim to the true Gmail web site.  Because the victim has never really been logged out in the first place, it will appear as if the login to the Gmail service was successful.

Several key points have to be mentioned here:

• The attack may target any online service: banking websites, social networks etc.
• Regarding the first step of the attack, the victim does not necessarily need to open a website controlled by malicious people. The attacker can e.g. use a Cross-Site Scripting vulnerability (JavaScript code injection) so that the attack is actually performed through a legitimate website.
• The attack can be improved and more targeted. For example, the JavaScript code can attempt to connect to various online services in order to detect if the victim already has opened sessions on these services. The hacker can also use URLs composed of Unicode characters to abuse the user and let him think he is really on a legitimate website.
• All web browsers that support tabbed browsing are potentially affected (Safari, Opera, Chrome, Firefox, Internet Explorer etc.).

How to protect users from the threat?

Because this attack does not rely on a security vulnerability, only best practices in terms of security allow to protect users from this attack:

• Disable by default the automatic interpretation of dynamic code such as JavaScript, Flash and ActiveX controls. With Firefox, these protections can be achieved with the use of the NoScript extension (see the Cert-IST’s article entitled “NoScript, a must have Firefox security extension”).
• Before entering sensitive information into an online service, it is recommended to systematically check that the URL of the web page presented in the address bar corresponds to the legitimate URL of this online service.
• It is also strongly advised to check the consistency of the certificate of the website on which you are browsing (this check requires to always use the secured versions of the various websites to which you are browsing, which in particular implies to verify that the URL of the website starts with https://”).

Finally, according to the discoverer of this Phishing technique Aza Raskin, these attacks could be more easily avoided if the web browser played a more active role regarding the handling of users’ identities on websites. The user would just have to enter its credentials one time in the browser’s interface, the browser’s engine being actually in charge of performing all the consistency verifications mentioned in the previous paragraph, before submitting the credential data to the websites. A project currently in development called “Firefox Account Manager” aims at introducing this kind of functionalities in the future versions of this browser.

For more information:

• Tabnabbing: A New Type of Phishing Attack (Aza Raskin)