Tab Napping
Concept of phishing and tab napping:
In earlier times, hackers used to create fake login pages of many popular sites and host those pages on hosting sites such as t35, 110mb and 000webhost. Then the task was to spread the link and send it to the victim via email spoofing or something else. (I used to do that by shortening a URL.) But with updated browsers and more security, that way is out of this world now. But in May 2010, a Mozilla employee outlined a sly new attack tactic dubbed "tabnapping" that can dupe users into giving up passwords by secretly changing already-open browser tabs.
Yes, it is possible to change already opened tabs in any browser by using a small script. The thing is that people nowadays browse using tabbed browsers, and sometimes they open (me too) a lot of tabs and then forget to go back to the other tabs, or often they don't find time to do so. We may call such a tab an idle tab. So, fortunately or unfortunately, we can redirect that idle tab to any phishing page. That is the basic concept of tab napping.
Here, I am showing a tutorial on how hackers make it possible:
Almost all tabbed browsers are vulnerable to this attack.
Note: All the short descriptions shown are for educational purposes.
Now, you must have a basic knowledge of creating HTML pages (for learning HTML, go to www.w3schools.com), or if you don't have it, don't worry. You may select a hot news page, a headline or some other popular page. Just take its source code and make a duplicate of it. Use Dreamweaver or Notepad++. Then change the headings there, and also a bit of the content on that page. We may call it page A.
Now, we have to make the tab napping exploit and insert it in page A. I have created one. You may download it below:
Download Exploit (on clicking this link, skip the ad from the upper top right corner)
Now, you will have to create a page B (that is, the phishing page), and you should insert the above script in page A. Now you have to send the page A link to the victim. When he opens it, he may open other tabs, and when this tab of page A becomes idle, the victim will be redirected to your phishing page (you will specify the time in the script).
How to insert the exploit in page A or the original page (may contain hot news, something fascinating) URL in the script:
You have to replace the above highlighted portions with your own phishing page URL or a cookie-stealing URL in order to hack his/her account. And that's it. Page A, upon becoming idle, will redirect to page B (the phishing page).
In my script I specified 10 sec to redirect on becoming idle.
So, that's the trick that hackers use.
How to prevent tab napping:
While using tabbed browsing and switching to other tabs, do look at the URL shown above. Otherwise you will log in to a Facebook or Orkut etc. phishing page, thinking that you opened it yourself.
Use the latest Nod 32 personal security version. You may search this blog to get it for free.
JavaScript is used by many websites for different purposes. If you disable it, then you can avoid being hit by tab napping. But disabling it is not a reasonable solution.
The best technique to protect yourself from tab napping is to use a script blocker called NoScript. It is a free add-on for the Firefox browser.
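
The URL check from the first tip, written out as an added example (it is not part of the original post): compare the address a tab showed when you left it with the one it shows when you return, and accept a login page only on an exact host match over HTTPS. The function name, the trusted-host list, the brand list and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. Names and hosts are constructed.
// Hosts where the user really signs in: exact names only.
const TRUSTED_LOGIN_HOSTS = new Set(["www.facebook.com", "accounts.google.com"]);
// Brand words that are suspicious on any page that is not on the list.
const BRANDS = ["facebook", "google", "orkut"];

// urlWhenLeft: URL the tab showed when the user switched away from it.
// urlOnReturn: URL it shows when the user comes back.
// Returns a list of warnings; an empty list means nothing suspicious was found.
function assessTabOnReturn(urlWhenLeft, urlOnReturn) {
  let prev, now;
  try {
    prev = new URL(urlWhenLeft);
    now = new URL(urlOnReturn);
  } catch (err) {
    return ["unparseable URL, do not enter credentials"];
  }
  const warnings = [];
  // 1. The idle tab is on a different site than the one the user left.
  if (prev.origin !== now.origin) {
    warnings.push(`tab moved from ${prev.origin} to ${now.origin} while idle`);
  }
  // 2. Exact host match over HTTPS; a substring test would accept lookalikes.
  const host = now.hostname.toLowerCase();
  if (now.protocol === "https:" && TRUSTED_LOGIN_HOSTS.has(host)) return warnings;
  if (now.protocol !== "https:") warnings.push("page is not served over HTTPS");
  if (BRANDS.some((b) => host.includes(b))) {
    warnings.push(`brand name on untrusted page: ${host}`);
  }
  if (now.username || now.password) warnings.push("text before '@' is not the host");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("punycode host, compare it character by character");
  }
  return warnings;
}

// Constructed sample: a news page left idle, then found showing a login form.
console.log(assessTabOnReturn(
  "https://news.example/hot-story",
  "https://www.facebook.com.signin.example/login"
));
```

The same comparison is what a reader does by eye when following the first tip: the host is the part between `https://` (after any `@`) and the first `/`, and it has to match the real site exactly, not merely contain its name.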