Saturday, January 19, 2013

Tabnabbing: The Latest Version of Phishing Attack - Part 1




We tend to believe that we are highly secure and comfortable with new and updated technologies. Maybe you are secure for a while (a short period of time). I agree that developers build their applications with security and good design in mind. But as developers have become stronger, hackers have become stronger than the developers, at exponential speed.

Finally, I would like to say that nowadays every up-to-date browser detects phishing attacks. It warns the user that the page is a fake or duplicate and should be left immediately (the wording is approximate), or that the user has been directed to an unknown site that is very dangerous and should leave the page.
So the hacker came back with an updated version of phishing, named tabnabbing.

WHAT IS TABNABBING?


Tabnabbing is a modern type of phishing method used to hack website passwords. As we all know, a normal phishing attack is easily detected on Facebook, because Facebook has implemented extra code that validates the previously visited URL, along with some basic checks. If it finds that the page you arrived from is a Facebook phish or fake page, it displays a warning message telling the user that he has arrived from a fraudulent or fake page and should change his Facebook account password immediately. The user then easily realizes that someone has fooled him and changes his password. So overall the hacking attempt fails.

WORKING SCENARIO - the basic idea


The only difference between them is that phishing redirects you to a particular page, while tabnabbing uses the meta refresh feature of web browsers to refresh the page after a particular delay (the delay is set by the user). Meta refresh is just a meta tag, used in the header part of a web page, that sends traffic from a source to a destination website after a delay of a few seconds, depending on the scripting. Since it is a meta tag, it is only processed and no data is stored in cookies. Here lies the advantage: when Facebook checks for the previous page or source from which we are arriving, it finds none, because we are dynamically refreshing the page, which acts as if we were opening the Facebook page in a new tab. Facebook therefore treats this as the user intentionally opening Facebook rather than arriving through a script or automated program. So we tabnabbed Facebook from the back end using the meta refresh tag.


WORKING SCENARIO - the advanced technique


Let's consider an attack scenario:
1. A hacker, say, customizes the current webpage by editing/adding some new parameters and variables. (Check the code below for details.)
2. I (the hacker) send a copy of this web page to the victim whose account, or whatever else, I want to hack.
3. When the user opens that link, a webpage similar to this one opens, containing the real page in an iframe with the help of JavaScript.
4. The user is able to browse the website like the original one, going forward and backward and navigating through pages.
5. If the victim leaves the new webpage open for a certain period of time, the tab or website changes to the phish page, or simply fake page, which looks absolutely similar to the original one.
6. When the user enters his/her credentials (username/password), he is entering them in the fake page and is trapped in the net that I have laid down to hack him.
Here ends the attack scenario for advanced tabnabbing.
Note: This tutorial is for educational purposes only. I do not take any responsibility for any misuse; you will be solely responsible for any misuse that you do. Hacking email accounts is a criminal activity punishable under cyber crime law, and you may get up to 10 years of imprisonment if you are caught doing so.

Follow the measures below to protect yourself from tabnabbing:
1. Always use anti-JavaScript plugins in your web browser that stop the execution of malicious JavaScript, for example NoScript for Firefox.
2. If you notice anything suspicious happening, first of all verify the URL in the address bar.
3. If you receive a link in an email or chat message, never click on it directly. Always prefer to type it manually in the address bar to open it. This may cost you some manual work or time, but it will protect you from hidden malicious URLs.
4. The best way is to use a good web security toolbar, like the AVG web toolbar or the Norton web security toolbar, to protect yourself from such attacks.
5. If you use ideveloper or Firebug, verify the headers yourself if you find something suspicious.
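
The check for the meta refresh behaviour described in the basic idea above can be automated on the defender's side. The following is an added example, not code from the original post: it parses a saved page, lists every meta refresh tag, and flags those that jump to a different host after a delay. The function names, the sample pages, the example.org/example.net hosts and the "delayed and cross-site" rule are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content is "<seconds>" or "<seconds>; url=<target>" (the "url=" prefix is optional)
_REFRESH = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)


class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, raw_target_or_None) for each meta refresh tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m:
            target = (m.group(2) or "").strip().strip("'\"")
            self.found.append((int(m.group(1)), target or None))


def audit_meta_refresh(html, page_url):
    """Report every meta refresh; flag delayed jumps to a different host."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for delay, target in finder.found:
        # No target means the page only reloads itself.
        dest = urljoin(page_url, target) if target else page_url
        cross_site = urlsplit(dest).hostname != page_host
        findings.append({"delay": delay, "destination": dest,
                         "cross_site": cross_site,
                         "suspicious": cross_site and delay > 0})
    return findings


# Constructed sample pages (hosts are placeholders, not from the original post).
SAMPLE_SWAP = """<html><head><title>Holiday photos</title>
<META HTTP-EQUIV="refresh" CONTENT="30; URL='https://login.example.net/signin'">
</head><body>album</body></html>"""
SAMPLE_RELOAD = '<html><head><meta http-equiv="refresh" content="60"></head></html>'

if __name__ == "__main__":
    for page in (SAMPLE_SWAP, SAMPLE_RELOAD):
        print(audit_meta_refresh(page, "https://photos.example.org/album"))
```

A page that only reloads itself, or refreshes to a path on its own host, is reported but not flagged.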
That ends our security part. Here ends my ethical hacker duty to notify all users about the attack. The next post will be the practical approach to tabnabbing.

Feel free to leave comments.