
Tabnabbing: extravagant phishing


The last three days have been notable for three large databases of Yandex, Mail.ru and Gmail user accounts leaking onto the Internet.

Many users of Habr and of other security-focused resources agree that the accounts most likely ended up in these databases either through infection of users' computers with Trojans or through phishing attacks.

In the wake of these heated discussions, I would like to tell you about one elegant way of stealing user data, which is quite old but still relevant, and which I have not yet written about.

In 2010, Aza Raskin, son of Jef Raskin, described on his blog what I think is a very interesting phishing method, which he called tabnabbing.

Its essence is as follows:

1. The attacker lures the user to a page on his site that looks completely normal and is what the user expects to see.
2. The attacker detects that the user has not interacted with the page for a long time, or has switched to another tab altogether.
3. While the page is inactive, its favicon is replaced with the icon of the site it will impersonate.
4. The page content is replaced with a fake login form for the impersonated site.
5. With a fairly high probability, the user returning to the tab will enter his login and password automatically, without a second thought.
6. After capturing the credentials, the user can simply be redirected to the real site being impersonated: most likely he is already logged in there, and this is exactly the behavior he expects.

Implementation

A prototype of the code that tracks user behavior might look something like this (change_content(), change_title() and set_favicon() are the prototype's own helpers, defined elsewhere):

    var TIMER = null;
    var HAS_SWITCHED = false;

    // start a timer when the tab loses focus; cancel it if focus returns in time
    window.onblur = function () {
        TIMER = setTimeout(time_to_change, 5000);
    };

    window.onfocus = function () {
        if (TIMER) clearTimeout(TIMER);
    };

    // fires once the tab has been in the background for 5 seconds
    function time_to_change() {
        if (HAS_SWITCHED == false) {
            change_content();
            change_title("Gmail: Email from Google");
            set_favicon("https://mail.google.com/favicon.ico");
            HAS_SWITCHED = true;
        }
    }


So the detection of user behavior itself is quite trivial. The change_content() function is then responsible for creating new DOM elements that are displayed on top of the original page content.
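As an added example (not from the original post or from Raskin's demo), here is the defender's side of the same mechanism: a check for the signature just described, the favicon and title being swapped while the tab is hidden. The names assessChanges and currentFavicon are assumed; the observer wiring is a sketch of a browser content script and only runs where a document exists.

```javascript
// Assumed name: assessChanges. changes = [{ kind: 'title'|'favicon', value, hidden }],
// where hidden is document.hidden at the moment of the change; original = { pageUrl,
// title, favicon } captured when the page first loaded.
function assessChanges(changes, original) {
  const reasons = [];
  let faviconSwapped = false;
  const pageOrigin = new URL(original.pageUrl).origin;
  for (const c of changes) {
    if (!c.hidden) continue; // changes made while the user is looking are ordinary
    if (c.kind === 'favicon' && c.value !== original.favicon) {
      let crossOrigin = true; // an unparsable href is treated as foreign
      try { crossOrigin = new URL(c.value, original.pageUrl).origin !== pageOrigin; } catch (e) {}
      if (crossOrigin) {
        faviconSwapped = true;
        reasons.push('favicon replaced with a cross-origin icon while the tab was hidden');
      }
    }
    if (c.kind === 'title' && c.value !== original.title) {
      reasons.push('title changed while the tab was hidden: ' + JSON.stringify(c.value));
    }
  }
  // Unread counters legitimately rewrite titles in the background, so the title is only
  // corroboration; a cross-origin favicon swap while hidden is the discriminating signal.
  return { suspicious: faviconSwapped, reasons };
}

// Browser wiring (content-script sketch): watch <head>, where title and favicon live.
function currentFavicon() {
  const link = document.querySelector('link[rel~="icon"]');
  return link ? link.href : '';
}

if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const original = { pageUrl: location.href, title: document.title, favicon: currentFavicon() };
  const observer = new MutationObserver(() => {
    const hidden = document.hidden;
    const verdict = assessChanges([
      { kind: 'title', value: document.title, hidden },
      { kind: 'favicon', value: currentFavicon(), hidden },
    ], original);
    if (verdict.suspicious) console.warn('Possible tabnabbing in this tab:', verdict.reasons);
  });
  observer.observe(document.head, {
    childList: true, subtree: true, attributes: true, characterData: true,
  });
}
```

In a real extension the warning would be surfaced to the user (for example by marking the tab) rather than written to the console.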

And for those who like nostalgia:

In his post on this topic, Aza Raskin implemented a live example of this behavior: if you switch away from the tab with the post, you get a screenshot of the 2010 Gmail login page.

In any case, I would like to remind you: be extremely careful, this is the foundation of your online security.

Source: https://habr.com/ru/post/236387/
