Re: Tabnabbing: A New Type of Phishing Attack
NoOp wrote:
> On 08/12/2010 12:54 PM, Beverly Howard wrote:
>> proof of concept
>>
>> I assumed (and hoped) that it was innocent, but, as it would work when malicious, I got pulled off the page before I had time to read far enough to get to the full explanation of what _was_ going to happen. When I returned to the tab, there was the bogus page.
>>
>> imho, the user should have been offered the option of experiencing the phish rather than having it execute on the page reporting on the possibility. It was pretty disturbing, albeit educational.
>>
>> Beverly Howard
>
> quote
> Try it Out
> You can try it out on this very website (it works in all major browsers). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.
> /quote
>
> You switched away from the tab (either to a different tab, to check this newsgroup, email, whatever). Try sitting on the tab without switching away; you can read the entire article, go get coffee, do what you wish. The code won't activate until you switch away from it; that's the actual point the author is making.

I was still reading the page when, before my eyes, it changed!!

Daniel

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
Re: Tabnabbing: A New Type of Phishing Attack
Be aware of the fact that the first link in the op _executes_ the attack! While this page may be benevolent, it is deceptive and it does solicit a login!!!

Beverly Howard
Re: Tabnabbing: A New Type of Phishing Attack
On 08/12/2010 08:45 AM, Beverly Howard wrote:
> Be aware of the fact that the first link in the op _executes_ the attack! While this page may be benevolent, it is deceptive and it does solicit a login!!!
>
> Beverly Howard

It's a 'proof-of-concept'. Watch the flash video; he explains exactly what he is doing and how. Also:

http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/

quote
Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.
/quote
Re: Tabnabbing: A New Type of Phishing Attack
proof of concept

I assumed (and hoped) that it was innocent, but, as it would work when malicious, I got pulled off the page before I had time to read far enough to get to the full explanation of what _was_ going to happen. When I returned to the tab, there was the bogus page.

imho, the user should have been offered the option of experiencing the phish rather than having it execute on the page reporting on the possibility. It was pretty disturbing, albeit educational.

Beverly Howard
Re: Tabnabbing: A New Type of Phishing Attack
On 08/12/2010 12:54 PM, Beverly Howard wrote:
> proof of concept
>
> I assumed (and hoped) that it was innocent, but, as it would work when malicious, I got pulled off the page before I had time to read far enough to get to the full explanation of what _was_ going to happen. When I returned to the tab, there was the bogus page.
>
> imho, the user should have been offered the option of experiencing the phish rather than having it execute on the page reporting on the possibility. It was pretty disturbing, albeit educational.
>
> Beverly Howard

quote
Try it Out
You can try it out on this very website (it works in all major browsers). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.
/quote

You switched away from the tab (either to a different tab, to check this newsgroup, email, whatever). Try sitting on the tab without switching away; you can read the entire article, go get coffee, do what you wish. The code won't activate until you switch away from it; that's the actual point the author is making.
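The behaviour described in the message above (the page only rewrites itself after the tab loses focus) suggests a defender-side check, shown here as an added example that is not part of the thread or of Raskin's proof of concept: snapshot a tab's title, favicon and URL when it is hidden and compare them when it becomes visible again. The event records, field names and sample values are constructed for illustration; in a browser they would come from `document.title`, the favicon link and `location.href` on `visibilitychange`.

```javascript
// Added example (not from the thread): flag a tab whose identity changed while hidden.
// Event shape, field names and sample values below are constructed for illustration.

// Capture what a user relies on to recognise a tab.
function snapshot(state) {
  return { title: state.title, favicon: state.favicon, url: state.url };
}

// Fields that differ between the snapshot taken on hide and the state on return.
function changedFields(before, after) {
  return Object.keys(before).filter((key) => before[key] !== after[key]);
}

// Replay hide/show events for one tab; report every return to a changed tab.
function auditTab(events) {
  const findings = [];
  let saved = null;
  for (const ev of events) {
    if (ev.type === "hidden") {
      saved = snapshot(ev.state);
    } else if (ev.type === "visible" && saved !== null) {
      const changed = changedFields(saved, snapshot(ev.state));
      if (changed.length > 0) {
        // Same URL with a new title or favicon means the page rewrote itself in place.
        findings.push({ at: ev.at, changed, inPlace: !changed.includes("url") });
      }
      saved = null;
    }
  }
  return findings;
}

// Constructed timeline: the first absence is harmless, the second returns to a rewritten tab.
const article = { title: "Blog post", favicon: "/blog.ico", url: "https://blog.example/post" };
const rewritten = { title: "Mail - Sign in", favicon: "/mail.ico", url: "https://blog.example/post" };
const sampleEvents = [
  { type: "hidden", at: 10, state: article },
  { type: "visible", at: 12, state: article },
  { type: "hidden", at: 30, state: article },
  { type: "visible", at: 41, state: rewritten },
];

console.log(auditTab(sampleEvents));
```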
Re: Tabnabbing: A New Type of Phishing Attack
> The code won't activate until you switch away from it; that's the actual point the author is making.

An excellent point... but, the way it happened to me was sort of like getting stabbed in order to learn not to go down dark alleyways ;-)

Beverly Howard
Tabnabbing: A New Type of Phishing Attack
Rather interesting read:

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack
http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/

Works on:
Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100701 Lightning/1.0b1 SeaMonkey/2.0.6
Re: Tabnabbing: A New Type of Phishing Attack
On 08/11/2010 05:28 PM, Phillip Jones wrote:
> NoOp wrote:
>> Rather interesting read:
>>
>> http://www.azarask.in/blog/post/a-new-type-of-phishing-attack
>> http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/
>>
>> Works on:
>> Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100701 Lightning/1.0b1 SeaMonkey/2.0.6
>
> The first website is one reason I don't use tabs, never have and never will. I switch from page to page (like viewing a slideshow).

Were that true, I suspect that you would have brought up this, or similar, previously.