Hackers are getting smarter, and they are now using sophisticated schemes to break into our accounts. Recent news covered an innovative way Iranian hackers found to fool Gmail's two-step verification, a security process that requires a security code (generally sent via SMS) along with the password in order to log into a Gmail account. These incidents show that phishing is still very relevant when it comes to compromising user accounts; it just needs a proper execution plan and an innovative approach. One such phishing method is "tabnabbing."
What is it, and what are the best defences against it?
Tabnabbing came onto the scene in 2010. It allows an attacker, using JavaScript, to turn a browser tab sitting in the background into one that looks like the login page of any number of commonly used websites, such as Facebook or Gmail, banking websites or corporate Web portals, and is used to capture login credentials. Tabnabbing relies on users having multiple browser tabs open at the same time, logging into a service, and then either logging out of that service or being logged out automatically after a period of inactivity. The idea is that the user will want to log in again and will attempt to do so using the false Web page, which then steals the user's credentials.
How does it work?
- A user browses to your normal-looking site.
- You detect when the page has lost focus and hasn't been interacted with for a while.
- Replace the favicon with the favicon of the site being impersonated and the title with one that suits the phishing page; this can all be done instantly with just a little bit of JavaScript.
- As the user scans their many open tabs, the favicon and title act as a strong visual cue. The entire attack preys on the perceived immutability of tabs.
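The pattern just described (a tab's title or favicon changing while the tab is hidden) is also something a defender can watch for. The following is an added example, not code from the original post: detectTabnabbing() is a pure function over a list of observed events, so it can be tested outside a browser, and installTabnabbingWatch() wires it to a real page with the visibilitychange event and a MutationObserver on the document head. The event shapes, function names and the sample event stream are this example's own constructed assumptions.

```javascript
// Flag title/favicon changes that happen while the tab is hidden.
// Events are plain objects: {type:'visibility', hidden}, {type:'title', value},
// {type:'favicon', href}. Returns one alert per suspicious change.
function detectTabnabbing(events) {
  const alerts = [];
  let hidden = false;
  let title = null;
  let favicon = null;
  for (const ev of events) {
    if (ev.type === 'visibility') {
      hidden = Boolean(ev.hidden);
    } else if (ev.type === 'title') {
      // A title change while the user is looking at the tab is normal
      // (unread counters, navigation); the same change while hidden is not.
      if (hidden && title !== null && ev.value !== title) {
        alerts.push({ kind: 'title', from: title, to: ev.value });
      }
      title = ev.value;
    } else if (ev.type === 'favicon') {
      if (hidden && favicon !== null && ev.href !== favicon) {
        alerts.push({ kind: 'favicon', from: favicon, to: ev.href });
      }
      favicon = ev.href;
    }
  }
  return alerts;
}

// Constructed sample: a harmless page that rewrites itself once unattended.
const SAMPLE_EVENTS = [
  { type: 'visibility', hidden: false },
  { type: 'title', value: 'Harmless Recipes' },
  { type: 'favicon', href: 'https://recipes.example/favicon.ico' },
  { type: 'title', value: '(2) Harmless Recipes' }, // visible change: fine
  { type: 'visibility', hidden: true },
  { type: 'title', value: 'Webmail sign-in' },      // swapped while hidden
  { type: 'favicon', href: 'https://recipes.example/lookalike.ico' },
  { type: 'visibility', hidden: false },
];

function runSample() {
  return detectTabnabbing(SAMPLE_EVENTS);
}

// Browser wiring (hypothetical helper): feed real page events into the
// detector and call onAlert for each new alert. Returns null outside a browser.
function installTabnabbingWatch(onAlert) {
  if (typeof document === 'undefined') return null;
  const events = [];
  let reported = 0;
  const faviconHref = () => {
    const link = document.querySelector('link[rel~="icon"]');
    return link ? link.href : '';
  };
  const push = (ev) => {
    events.push(ev);
    const alerts = detectTabnabbing(events);
    for (; reported < alerts.length; reported++) onAlert(alerts[reported]);
  };
  push({ type: 'visibility', hidden: document.hidden });
  push({ type: 'title', value: document.title });
  push({ type: 'favicon', href: faviconHref() });
  document.addEventListener('visibilitychange', () =>
    push({ type: 'visibility', hidden: document.hidden }));
  // document.title writes replace the <title> text node; favicon swaps change
  // the <link> href, so one observer on <head> sees both.
  const observer = new MutationObserver(() => {
    push({ type: 'title', value: document.title });
    push({ type: 'favicon', href: faviconHref() });
  });
  observer.observe(document.head, {
    subtree: true, childList: true, characterData: true,
    attributes: true, attributeFilter: ['href', 'rel'],
  });
  return observer;
}

if (typeof document === 'undefined') {
  console.log(runSample()); // two alerts: the hidden title and favicon swaps
}
```

The heuristic deliberately ignores changes made while the tab is visible, because legitimate pages update their title constantly; it is the combination of "hidden" and "identity changed" that matches the attack described above.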
How can we protect against tabnabbing?
Here are a few simple ways you can prevent yourself from falling victim:
• Make sure you always check that the URL in the browser address bar is correct before you enter any login details. A fake tabbed page will have a different URL from the website you think you're using.
• Always check that the URL has a secure https:// address, even if you don't have other tabs open in the browser.
• If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again.
• Avoid leaving tabs open which require you to type in secure login details. Don't open any tabs while doing online banking; open new windows instead (CTRL + N).
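The first two pieces of advice above (correct host, https) can be turned into a check that runs before credentials are submitted. This is an added example, not code from the original post: checkLoginUrl() parses a URL with the standard URL API and accepts it only if it is https, carries no embedded user-info, and its hostname is exactly on an allow-list; guardLoginForm() is a hypothetical browser hook that blocks a form submit when the current page fails that check. The allow-list and every hostname in the samples are constructed values.

```javascript
// Verify that a URL is an https page on one of the exact hosts we expect.
// Returns {ok, reason} so callers can log why a page was rejected.
function checkLoginUrl(rawUrl, expectedHosts) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not https' };
  }
  // "https://accounts.example.com@evil.test/" parses with evil.test as the
  // host; the look-alike part is just a username. Reject it outright.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  // Exact match on the hostname, not a substring/prefix test, so
  // "accounts.example.com.evil.test" does not pass. The URL API already
  // lower-cases the host and converts IDN labels to punycode (xn--).
  const host = url.hostname.replace(/\.$/, '');
  if (!expectedHosts.includes(host)) {
    return { ok: false, reason: 'unexpected host ' + host };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed samples: one genuine login URL and common look-alike tricks.
const EXPECTED_HOSTS = ['accounts.example.com'];
const SAMPLE_URLS = [
  'https://accounts.example.com/login',
  'http://accounts.example.com/login',
  'https://accounts.example.com.evil.test/login',
  'https://accounts.example.com@evil.test/login',
  'https://accounts.ex\u00e4mple.com/login',
  'javascript:alert(1)',
  'not a url',
];

function runSamples() {
  return SAMPLE_URLS.map((u) => ({ url: u, ...checkLoginUrl(u, EXPECTED_HOSTS) }));
}

// Browser hook (hypothetical): refuse to submit a login form from a page
// whose own address, or whose form action, fails the check.
function guardLoginForm(form, expectedHosts) {
  if (typeof document === 'undefined') return false;
  form.addEventListener('submit', (ev) => {
    const page = checkLoginUrl(window.location.href, expectedHosts);
    const target = checkLoginUrl(form.action, expectedHosts);
    if (!page.ok || !target.ok) {
      ev.preventDefault();
      console.warn('login blocked:', page.ok ? target.reason : page.reason);
    }
  });
  return true;
}

if (typeof document === 'undefined') {
  for (const r of runSamples()) console.log(r.ok ? 'ALLOW' : 'BLOCK', r.url, r.reason);
}
```

Only the first sample is allowed; the others are rejected for plain http, a host that merely starts with the expected name, user-info hiding the real host, a non-ASCII look-alike that becomes a different punycode host, a non-https scheme, and unparseable input respectively.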
Demo Video