Home > All, Security Issues > Tabnabbing: a brand new threat coming to a computer near you soon

Tabnabbing: a brand new threat coming to a computer near you soon

Here’s an experiment. How many tabs have you got open in your browser? I’ve got nine, and that’s less than usual. Now run your eye across them. How many do you actually remember opening? You’ve probably got a Gmail or a hotmail tab – or both in my case. So you’re not surprised they’re there – but do you actually remember opening them?

Exactly who created this tab?

Enter tabnabbing. It’s a new phishing technique that has the potential to be very effective. It is discussed in some detail, along with other new and current threats, in PandaLab’s latest Quarterly Report. This is always worth reading.

Tabnabbing is, as far as we know, currently just a proof of concept. It was discovered and named by Aza Raskin in May of this year. But bear in mind that Wolfgang Kandek, CTO of Qualys, says he works on the basis of 90 days from discovery to active exploitation. That means that by the end of this month or early next month, we can expect active use of this new technique on the internet. Forewarned is forearmed; so I would also recommend reading Raskin’s initial discussion, which includes a live – but safe – demonstration.

Sebastian Zabala, Panda Security

I went to Sebastian Zabala, senior project manager and security expert at Panda Security, for more information. “Tabnabbing,” he explained, “is a really smart way to socially engineer users into giving a malicious website their personal details. What happens is that the attacker entices the user to visit a compromised site, usually with something like black hat SEO, and then waits until the user moves on to a different site.”

Most users do not close down a page when they move on; they just open a new tab for the new page. So while visiting an infected page, the injected malware (JavaScript) does nothing. The user is given nothing to suspect there may be a problem. The malware isn’t activated until after focus has been lost; that is, after the user has opened a new tab and the infected page is hidden and invisible under a different page.

“When the infected tab is inactive,” continues Zabala, “a malicious JavaScript on the compromised site recognises that focus has been lost, and that the user is not currently viewing this tab. After 5 or 10 seconds or whatever of inactivity the JavaScript changes the website.”

Two things happen. Firstly, the website is changed to, for example, a fake Gmail login page; and secondly the appearance of the tab is changed to look like the Gmail tab. While the tab changes, the user’s attention is on the new page he is visiting – and it is unlikely that he will notice this very small alteration to the screen.

“Later on the user might decide to check his or her mail, see that there is already a Gmail tab, and click it. But it’s not Gmail, it’s now a phishing site made to look like the Gmail logon page. The user doesn’t expect anything malicious and just logs on – and loses his or her credentials to the phisher. That’s tabnabbing – a clever new method of phishing.”

It could be Gmail, Facebook, or internet banking – whatever the attacker wants it to be. And it’s not just the naive user at risk. “Think of this scenario,” warns Zabala. “Let’s say we are dealing with a very computer-savvy user, who considers himself very safe – perhaps using a virtual machine, running Linux and Firefox from a bootable CD whenever he does internet banking. Injecting malicious code in the form of a standard trojan will not be successful against this user, who believes he has a safe environment for his online banking. His system is not rewritable and next time he boots up his system will be as clean as ever again – you cannot have any persistent malicious code on such a system.”

Believing himself to be safe, this user may well let his guard down. It is not inconceivable that he might check his bank, do some surfing, and then decide to come back to his bank. Will he remember whether he did or did not close down the bank page? But the tab’s there, so probably he didn’t close it. It’s just that it has now timed out and he must log in again. Hey presto, this super safe user who cannot be compromised has just lost his bank details.

So what can we do about tabnabbing? Well, Firefox is working on a new project called Account Manager that should help – but that’s for the future. Right now, our main defence is awareness. They can change the tab, but they can’t disguise the URL. The problem is that few of us look at the URL, which is frequently gobbledygook anyway; we go by the tab. We have to train ourselves to visually check the URL whenever we go back to an existing tab. And if we’re really careful we could manually reorder the tabs so that they are always in alphabetic order, left to right; and any change to that would be a clue to a problem.

But none of this is very satisfactory. Which means we’re left with Old Faithful, NoScript on Firefox. “NoScript?” says Zabala. “Yeah, that’s pretty good. If you’re using NoScript or anything else that disables JavaScript, this attack won’t be able to work.”

Categories: All, Security Issues
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s