Hacking For Beginners – Manthan Desai

2010

10. Tab Napping: A New Phishing Attack

Traditional phishing attacks are reasonably easy to avoid: just don’t click links in suspicious e-mails (or, for the really paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack, by hijacking your unattended browser tabs.

The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change the tab’s favicon and title before loading a new site, say a fake version of Gmail or Orkut, in the background.

Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.

Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, “as the user scans their many open tabs, the favicon and title act as a strong visual cue — memory is malleable and moldable and the user will most likely simply think they left [the] tab open.”

The only clue that you’re being tricked is that the URL will be wrong.
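As an added defensive example, not the book’s or Raskin’s code: a monitor that snapshots the cues a user scans when looking at tabs (title, favicon, URL) while the tab is visible, and reports any of them that changed while the tab was hidden, which is exactly the window this attack relies on. The monitor logic runs anywhere; the hookup at the end assumes a browser extension content script or userscript, and the hostnames and cue values are constructed placeholders.

```javascript
// Added example, not the book's or Raskin's code: defender-side monitor for the
// tabnabbing behaviour described above (cues swapped while the tab is hidden).
const WATCHED_CUES = ['title', 'favicon', 'href'];

class TabnabMonitor {
  constructor(initialCues) {
    this.hidden = false;
    this.lastSeen = { ...initialCues }; // cues as the user last actually saw them
    this.alerts = [];
  }
  // Call on every visibility change with the tab's current cues. Returns the
  // alerts so far; one is added only when a cue differs from what was on screen
  // before the tab went into the background.
  update(hidden, cues) {
    if (!hidden && this.hidden) {
      const changed = WATCHED_CUES.filter((k) => this.lastSeen[k] !== cues[k]);
      if (changed.length > 0) {
        this.alerts.push({ changed, from: { ...this.lastSeen }, to: { ...cues } });
      }
    }
    if (!hidden) this.lastSeen = { ...cues };
    this.hidden = hidden;
    return this.alerts;
  }
}

// Constructed scenario modelling the attack: the user views the page, switches
// away, the page rewrites its cues to look like a webmail login, the user returns.
// Hostnames are placeholders, not real sites.
function demoTabnab() {
  const benign = { title: 'Tab Napping demo', favicon: 'https://page.example/demo.ico', href: 'https://page.example/' };
  const disguised = { title: 'Webmail - Sign in', favicon: 'https://page.example/mail.ico', href: 'https://page.example/login' };
  const monitor = new TabnabMonitor(benign);
  monitor.update(true, benign);            // user leaves the tab
  return monitor.update(false, disguised); // user comes back
}

// Browser hookup (content script or userscript); skipped under Node.
if (typeof document !== 'undefined') {
  const readCues = () => ({
    title: document.title,
    favicon: (document.querySelector('link[rel~="icon"]') || {}).href || '',
    href: location.href,
  });
  const monitor = new TabnabMonitor(readCues());
  document.addEventListener('visibilitychange', () => {
    const alerts = monitor.update(document.hidden, readCues());
    if (alerts.length > 0) console.warn('Tab identity changed while hidden:', alerts[alerts.length - 1]);
  });
}
```

If the attacking page performs a full navigation rather than rewriting itself in place, the content script is reloaded in the new document, so a real deployment would persist `lastSeen` in `sessionStorage` (which survives same-tab navigations) instead of in memory.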

The script used is as below:

<a>Open this in a browser tab, switch to another tab for about 10 seconds, then come back and see what has changed.</a>

<script type="text/javascript">
var xScroll, yScroll, timerPoll, timerRedirect, timerClock;

function initRedirect(){
    if (typeof document.body.scrollTop != "undefined"){ // IE, NS7, Moz
        xScroll = document.body.scrollLeft;
        yScroll = document.body.scrollTop;
        clearInterval(timerPoll);     // stop polling for scroll movement
        clearInterval(timerRedirect); // stop the timed redirect

www.hackingtech.co.tv

Page 110